Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    1794s
  • max time network
    1805s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 18:05

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: J8d32huzKVg+Ig4aiITkrInBgEr7jdZGRzgdGuqiHY9kDsx3OE+MxXh9wITplZAL4NDc4OGTgSib+R8bu18LNI0SpNchdulndVEs7Es0wvKixS7q6+IN3IFG44VzrBVZ3zVO+tkpTv7AHoXDAPShjQGIgQP2SmbzD6tymx/3gUm+QG25EyS3HU595S/jYyDf0AQ3Nrfz0WhE/aiTBc6LhfKn4rNMp7B7KE4t4fodZ8tdzH29buuSwvpRfYOXFeiCIDGMBjD283uEVAT61CJvQon6jVQPrQhhbfNqVepNHXIEmseCyHm6t5pc2H52I2KaFUsrNwjb7dVedXestp4SQaADz5YeNYYV8as1bAEzeKhYcTsQUZYQ8Z33aKbt55ohICD4S7qt5pHsUAlbvUdFNMikchDCmRDetZdX2FAD/kRfvMtF03MvLqB6cq8CX52Rd+UPLT4zuKBiAQGFDSyzRPDoC1a2P20g90MSUVnhpefB8U75VacnfsLdnnwMwvNOiP32xz3E7REAXnca3cm/xWBir61NncRRY/EFb2JY0w3zZOiSoCxpd5Voxw9EB+Jd99+0ksyIxc5bDyR//mzrRGa90+4ItH0jFYW63uT4eWzt032dZub2S8i0xadnUAecLGU//1hV3gR2gWpe0kLrD2a/Dne8CzQHO7obb79f1IY= Number of files that were processed is: 441

Signatures

  • Disables service(s) 3 TTPs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:1092
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:4872
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:4544
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:3852
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2272
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:3780
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:828
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4284
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3772
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4192
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5052
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4572
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4240
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:4548
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3704
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:368
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4672
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3248
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:752
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3220
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3372
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1632
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:5888
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:5776
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:5996
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
            2⤵
              PID:2080
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                3⤵
                  PID:5132
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=1680 /prefetch:8
              1⤵
                PID:6700
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1404,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8
                1⤵
                  PID:3480

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

                  Filesize

                  1.3MB

                  MD5

                  1964c7fb9ebc3dfe7d83955d125c71ff

                  SHA1

                  32eb06f534e5c6dc718c9deeb93bbb768e3eefe9

                  SHA256

                  2912dad15db3290cf595606761bbf70594b23a45b0869cbf2769dc96e76c5357

                  SHA512

                  0038603b0c2251eccdc70adfe02ddebf01eb91319d1ac4cdd94b87cf5577a3ddbee405995efca2062c13a4d006032548e7da0b1edfa5b3a3dd1201330bbf65be

                • C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

                  Filesize

                  28.8MB

                  MD5

                  729780f3e432cbafaaea8de045960377

                  SHA1

                  9f82179cf3d2aaa623d9f68eafc4059e21c3e836

                  SHA256

                  05498bfac74c818c5cf43af25c73ea92f23546f6087712d99ddefd5ed042bf95

                  SHA512

                  0ca497f39d7c02913b285ec06cc9400b4eaf2ea2097430778b09c85f2cd94d4fe1e39383e7a9b6535727b266f10d2ee4db264edbe49d8a622935f44250f58ae4

                • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

                  Filesize

                  728KB

                  MD5

                  eb28637f05b203758cbf9b614fa331b9

                  SHA1

                  f60aa4f5adf5ba7725fb0df7cb75ee5c096641f3

                  SHA256

                  ddc91e9c08a7f56f24055f4c892f59e3b292e4232fb2888f57a6a507201c761d

                  SHA512

                  837ddf90d26e374692d80785e2da0b7645dfa88f1dfebccd917010845316da54b401106910f153657b274795bd8408e79b84eb357e7c44b2ab39118784f82434

                • C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

                  Filesize

                  25.7MB

                  MD5

                  bdfd54639c22d4fde441fd455a5e72a2

                  SHA1

                  3a86fbf43ae0b402e9ddf8aba9e2cdbbc073fdae

                  SHA256

                  64bbb364b4faf1afcc69e41c3da1a56777c7064beeb2dd33d67901a39f267433

                  SHA512

                  19f8cc989f92538e8b224af8c51604d9ef9cbc1d3438f78914963ce76f010fe2d26f2bf6d9293caea662eb7cb4960166a252e1246592329c56c79cc668d4ce82

                • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

                  Filesize

                  180KB

                  MD5

                  3aa8c48069dee49121d8669b53e4660a

                  SHA1

                  a628e726e36ad8e6d1e8958c66dcc6bfef77a0e6

                  SHA256

                  a9f3748c041b7bfd83b829f0dc19597391928264ebed09e4937deedd2232e834

                  SHA512

                  7ae87923606142d7327010b5c9d8235c39e95724a4f97d39832f7e5e7ee0bbbe26f730e2453e491ead13b085e3c6dc6eb34270ab78c7079887372c02ca792bc0

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  bd5940f08d0be56e65e5f2aaf47c538e

                  SHA1

                  d7e31b87866e5e383ab5499da64aba50f03e8443

                  SHA256

                  2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                  SHA512

                  c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qku0prtn.qdy.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

                  Filesize

                  828B

                  MD5

                  19a3c2f197b43912369b3041d86c3e37

                  SHA1

                  5d5094f4c01c027be108770ee8e8043279532a25

                  SHA256

                  6088c6d2e7f2c02ee2ccda670fa67d1464b0dd615764fb3c7bef71f9c3bcfb6d

                  SHA512

                  010250b80239afcac8e5a94a21d8058a4a4f9875b82870af35632f59decd9403faf42d14cbb01cd489ef91be436e88d350196c541198c3d4bfbee859b18e78fb

                • memory/2568-2-0x00007FFE9F780000-0x00007FFEA0241000-memory.dmp

                  Filesize

                  10.8MB

                • memory/2568-1-0x00007FFE9F783000-0x00007FFE9F785000-memory.dmp

                  Filesize

                  8KB

                • memory/2568-0-0x0000000000EE0000-0x0000000000EFA000-memory.dmp

                  Filesize

                  104KB

                • memory/2568-550-0x00007FFE9F780000-0x00007FFEA0241000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4840-20-0x000001F620740000-0x000001F620762000-memory.dmp

                  Filesize

                  136KB