Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows10-1703-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows10-1703-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows10-1703-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows10-1703-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows10-1703-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows10-1703-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows10-1703-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows10-1703-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows10-1703-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows10-1703-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows10-1703-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows10-1703-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows10-1703-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows10-1703-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows10-1703-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    134s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-06-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: qzilvhjaKVkbZqMAuoWtRw9cOXGrqXsTeOEsIzC01jm8w1b4grgnZxtmdsXFvNlvfjIIZ+Ld7xfupPaEVDybiWPJ9BjTdguaPSALRiqPCngqkWt3TvGjviZpREXQObxOEOB5CvDvEnGfvrYCF00OW71u4W0/dzT9HZK9yDNWv7QlRY3zVyaGwdkeVmhTn39T/K9jvuUTcWIg/Y9U3qDulbgM37Vl3R2FDl9IHomzqef94b27cPMJ6bVyzUy6UEXywngYxp+NPHHSERaEALwQ5m+2yhMwQ7Kj2FdLVaoDyiodwIzd4ZKVeJQ7rln9T5xiatZCoE4aFxDkKETSjU4cjzc7+ueN5ZrhyT3q2f+2D6/RdPi6bGtUxOYTh/aLLO4iRWfdY9qY4K3/2cZBbVeJxKMCzTv48r+CuWl2XQkRPpf/PuFwXg/8MyODvAtUn5iIqJiWJQQE71H1NckH1+kEH088QOYhkdpokkE+/XRhdIqlGE9eAGxAoChFiKUFFgw8d5PUK8PjWM6tovS+v+hBB1SwHoxrNKTx3qjbM/IUUntMmTxtcR4VwfAjPG5IoS6dgTbamifUazq9Gw+k0JgvEb3R6YlSdU/FZX2xdyteWBlujUBxqyyToX3hTE7pVF6MYvZP+3Vxsbhijqtn6nuxr1UDvWWfw5FMsOpjHoS5wGU= Number of files that were processed is: 1199

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:4356
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:2372
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:3316
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:4700
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:4528
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4272
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4760
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4776
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3748
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4368
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4744
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5116
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3664
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:4160
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:308
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4824
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4472
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5044
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4300
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3388
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:548
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4396
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:6044
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:2184
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:2868
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:6112
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
            2⤵
              PID:7052
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                3⤵
                  PID:7056

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
              Filesize

              1.3MB

              MD5

              1f0f1fa28ca4daa2b1d833f63d2346c4

              SHA1

              91c7e7850786bd31516dcf2b1ed09ba6985532c4

              SHA256

              ab9dbb676acc75195b7d45d6ce4ef28d69b90d28ae897c7df375b0a2a57d86ac

              SHA512

              225d1868bf94c9bf0e7a8957d0b231cbccc9d69ad8dc82e95051dd8dce992cb0c9f2cea6e0696dd7599d4c20d64cc675904c3c54c2ec46f7edd9c96a256955e0

              Download Submit

            • C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml.energy[[email protected]]
              Filesize

              4KB

              MD5

              e26471ea017f94cc6a5f4f26de2410a8

              SHA1

              3602d221718a1978a4636794dea43e29c0bb5540

              SHA256

              32bab14c505639076c7d2d935ded3699816e7cabe7b2fc17ede4537c8bf8a229

              SHA512

              44195bec0cc6010c1d05cc512f4a0c9b7fe49314c55a6fbc73cdcbe2d0fa118be527b72636a67876c2e4a05720d86f0351c17cd89732c73fa0f2eec8f8690226

              Download Submit

            • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\191__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
              Filesize

              4KB

              MD5

              bc3552762f7afb4df03dffe979c6841e

              SHA1

              f047d86f975305d84317226fe1ad135721b2b700

              SHA256

              7e36f4daab0af83d948bfacb64c740d62e6fbfd019b82dc53da10f0456d5f667

              SHA512

              20880abd0b192c6c273b2e66be73e1403a6be76c5b4bea67bd031865228bd61e82f7ba14fc711d66ee608c0b0cb92cf8d826de9692e8801ca9abc0481a1c826e

              Download Submit

            • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\483__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
              Filesize

              480B

              MD5

              a50828a101baf05e687032832b232f87

              SHA1

              eb058f7120d09b09d60d7349688d0ea6c280e1d4

              SHA256

              92ac8350b37335ec39df911a17327ec9bd3a35dd5a991d62e94f65edf7f0914a

              SHA512

              a8ffc24381768f7eb7c2931e68979c57c78a686940a2ef739f74744c296aa02e4b80cfb41012e4ed2f139587068b3a5baf573aa74160ef7b01c998a047bbcc37

              Download Submit

            • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\621__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.energy[[email protected]]
              Filesize

              4KB

              MD5

              42361d161ccf05091359c3d0cea4dc57

              SHA1

              b77768dd8441a3ef1ea216d0742f83a6e4b4b794

              SHA256

              030ef2c4fe0c8420ba66f5e97f8aa38e760eb0e55b541dffd26baf2d8763becc

              SHA512

              18db692c0b95234a2e43bd25f808179321464993c9dc789651e06f997a115cf2fed27e9c1cddd4c35bb2e1b8cebe2c34c2105f62e5c73ac532a8447dcee74dbc

              Download Submit

            • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\81__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
              Filesize

              4KB

              MD5

              835649dde81505d98dfd861a2e5ae30d

              SHA1

              bf19b95a65a9f01d3a7a16c42dec965f0269f2be

              SHA256

              0713216927870ae5e30f08c180caf47acd4bfff27318b62df78a49dae50d40b5

              SHA512

              f87a64a7ca6b647fc16dffaf52148407565ecd1be470c5a47c932ae60ebed794908e28edb276ddd05bc10ef88503caab15baf2983fb3a7d04cb6c9cf25eafcf9

              Download Submit

            • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
              Filesize

              180KB

              MD5

              5cb7630e5dda5bc36c0db14962ad5430

              SHA1

              4f25c3466db04671b8c6b9e2f3dde71ec7e7a3a5

              SHA256

              f8d9ecae035e283306ba003f75b66a7d0ab7e70312dadbcfa7eedb0ec2baa563

              SHA512

              885957b94d05277a3ff0178402dba1a7fc6b8ee1286ab493761a8ae481b7cf56294a97013cb6c5ea6280a13e5db93b16cd0377432a56745e8b47912e9d75bee3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              c6b0a774fa56e0169ed7bb7b25c114dd

              SHA1

              bcdba7d4ecfff2180510850e585b44691ea81ba5

              SHA256

              b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

              SHA512

              42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              391250ab63b34c3e784309b789a31bc5

              SHA1

              fa2c36ad65cda41061ee9d349c598cfb8fc21a82

              SHA256

              cc83054071491414926b214cc8d3313dec01a5cd8877b2d51722fa71e0bc0724

              SHA512

              67e26b2345c27a20de7cba6e7c83d5f65ba1a0c72cdeb7e061861729da645fbb442cf884c8db4c48c6fe1a2b6178ff71aa36cc1cead63a26b3a8e84023451045

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwjceith.sou.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit

            • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
              Filesize

              829B

              MD5

              8d69091455b1f10e91fccc5de4a4ac75

              SHA1

              0acc2b20882c8059c8cecf2de13edde40ca30635

              SHA256

              15f9a2dea3ff32fc02803e08ff35598c1dedd1178e1948df993dde8875006da0

              SHA512

              b860a70bf6b02ef233d231532ba638e2a2c92c11259af14281ab1c72575d7fdd808cdd47048d09fbf890bdbdc02aa1505d975638f758e4f2ae82068e2a4f2cd2

              Download Submit

            • memory/3692-0-0x0000000000AB0000-0x0000000000ACA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3692-3-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3692-1-0x00007FFC94BD3000-0x00007FFC94BD4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3692-1302-0x00007FFC94BD0000-0x00007FFC955BC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4372-26-0x000002661D550000-0x000002661D5C6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4372-21-0x000002661D420000-0x000002661D442000-memory.dmp

              Filesize

              136KB

              Download