Overview

overview

10

Static

static

10

Archive.zip

windows10-1703-x64

1

Dropper/Berbew.exe

windows10-1703-x64

10

Dropper/Phorphiex.exe

windows10-1703-x64

10

out.exe

windows10-1703-x64

3

RAT/31.exe

windows10-1703-x64

10

RAT/XClient.exe

windows10-1703-x64

10

RAT/file.exe

windows10-1703-x64

7

Ransomware...-2.exe

windows10-1703-x64

10

Ransomware...01.exe

windows10-1703-x64

10

Ransomware...lt.exe

windows10-1703-x64

10

Stealers/Azorult.exe

windows10-1703-x64

10

Stealers/B...on.exe

windows10-1703-x64

10

Stealers/Dridex.dll

windows10-1703-x64

10

Stealers/M..._2.exe

windows10-1703-x64

10

Stealers/lumma.exe

windows10-1703-x64

10

Trojan/BetaBot.exe

windows10-1703-x64

10

Trojan/Smo...er.exe

windows10-1703-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    135s
  • max time network
    85s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-09-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdiscoveryevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: MFFcGkZss55TpauLXP8x7qUrMnueixXzrmlpNeWACBMypG2DHHh3NqccJ0Cn8Ow0C3GPPE2gkOmU+t1inqelagghVYiIFCt5Ao5qGtGXK0Bh7Un4GKQfojxpGRmb8XHTnK6CbqTzYu0gH7hjB6TAqwNY4HfcR7UHrBzk+TYIOLF5Z/1gwKYDJ75YtFlJJlM2AmlhnTd/7gEO10qtJb8mztXyEi5AY7XxbGpqBawJR3IUL3dGZ2JdAfB1kwbzzb/k/CgIeh5kLOYgMGHIHbpVlEMWURYKzlh61AFbsHsrZE0NSyDWmy1toq3amU6kGV3gZxZOROg1X4QqViChlJZqHizSx2pgHmtx2gNGYGpz5pxJg8RNifrK9eyXB0FSQSJ67KNIFiARdDhar/RelbGpzXp0+KsQAQhjkgcLfFrNnyb1ZFs8BljMFyrycSrCOvFZLdVdpACDc59LvOzLLvxmtGNEuZc0C4w4HTq6AjB0fDNBF0uKITQgyesR51Ghnw0n5OWFf+gbXFfFq4xS6OrWU9QH7HpTXATcavlvz+suVn2A09baXMqzK5iV69inmmJswOAiv1n4PL4OQN7xU6sf6AH9ZlLNsD7BcB85Q9q8nxjUeBUg1df5hzS/rQ0jeB6nTxbpvUxYR0ZEJOvWH9g2uLLpnxI2AJqP2vzFSAez4xM= Number of files that were processed is: 1230

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 47 IoCs
    evasion
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:1372
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:1920
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:3564
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:3772
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:4180
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4796
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3524
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:312
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:308
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:96
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4520
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1400
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:1724
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3900
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:596
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3572
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:716
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4116
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1872
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3420
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:6992
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:7008
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:7108
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:6016
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
          2⤵
            PID:7024
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:7160

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          System Services

          1
          T1569

          Service Execution

          1
          T1569.002

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Credential Access

          Credentials from Password Stores

          2
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Windows Credential Manager

          1
          T1555.004

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Remote System Discovery

          1
          T1018

          System Information Discovery

          1
          T1082

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Service Stop

          1
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
            Filesize

            1.3MB

            MD5

            2a6415dd2d3018147990087747d3bc6d

            SHA1

            c235ad2af8f2455ad687443a169e77db2f7841ab

            SHA256

            12ad448d87c9021b51a19abd7c578ed45e21efbf4f45e36e06f95d3fd4480753

            SHA512

            0b2fce7e144f277a6913be498535dfe3f3cc2f0066be929ee0fb35e88099edd16d1354c59f1955bf7b9d12e45ac51c9ba158a6a833a1a4eeb2e10c83efe7f476

            Download Submit

          • C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml.energy[[email protected]]
            Filesize

            4KB

            MD5

            a8135045089f0a617b8a68598015e313

            SHA1

            a6d75798ba689249354bc67d2e14b0e4021d8606

            SHA256

            ac9bb0e277bdaa1c8edc6b95af3248f596b57c9ffd09870ade94ead6b02d8dfe

            SHA512

            00659094fdc1b6a3dfac9217f5adef1d73bd5d9cd57088ae161c6c97e5ddfcd951ba6577cd3dd7f890f78bafe2b6e3ac45d49e261b265321e97706fd4f3e2546

            Download Submit

          • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\162__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
            Filesize

            4KB

            MD5

            03b07e985bf72b448c02cb94bb29c53e

            SHA1

            135f884b830d384eaea573db946c15d709787aea

            SHA256

            6ff79671c2fd6f06332241d1881a1363985342e610948c206f45266ee1b28453

            SHA512

            e96c0a925ffff852d960192a0a493401b623111a7d303f757722c5b22b8458577efa31b378522ab8b7ed8bbcd969c52ebc25dd74950802673db65d7219a3d912

            Download Submit

          • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
            Filesize

            480B

            MD5

            4c84772e7027f0c4e53aa403e1725aaf

            SHA1

            2aa1a1842afe491024eb53fa6b8c8ee2d11a8e93

            SHA256

            5e074b1238bd7e690f1eeb1e007145c76ca13d27f81c1ee83db99b7faa366ded

            SHA512

            9b39288f03bbce56f200bf1eaff6c612226e99eac73b82776272bf5015583f5280711746b26f7723f60aeae86be56640206844ba55f7f388e8c554fb02cdec22

            Download Submit

          • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\619__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml.energy[[email protected]]
            Filesize

            4KB

            MD5

            c29aa5f7897f6f285ad25553ad5715e4

            SHA1

            7c69d514399e8721e39109eb41dcf58b53fb026f

            SHA256

            b3c173390fcfbfe5c4a4771e5e6b89787605a0ec8a1753a5be5356fdf5d39dd9

            SHA512

            3839ed96ed758aeee45d521f8831a74c7c46f7318a31d23b038c52b24af7c877ed902bf94ffebe55187298d4031136fdbecc508cbd953e35d6747a722bb0a94a

            Download Submit

          • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\81__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml.energy[[email protected]]
            Filesize

            4KB

            MD5

            9bab832df5b9ba035a563fcb49eec2d0

            SHA1

            fd57e542fb47c7a0c56c37bcff71761e8efc61df

            SHA256

            663f8c470e7888b9ed004db3477fdfb65fc96a80e5f1ce95894780d2dbb10725

            SHA512

            88b13e8949f9290b710141bd950862d71056d8148ecd49e938d07db786037bec3da94406a481ee144f16b446152d758b542cd03d25602c652d600dbc311ca532

            Download Submit

          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
            Filesize

            180KB

            MD5

            7bb8f1dccdca683f8e50c280ccca610f

            SHA1

            ea711ca8fcb6405116d1fdb3dcafdebc102412c8

            SHA256

            35a8afaf9b77e9a273f4546e4a1fff2e9cd921cab2c40a03381b334a8f9ea2ed

            SHA512

            ea355b3e9a5f37d8cff95bfb28ff84e44c821997f6f680752b7ec6ed3a177f1f9218cbbd7b96123c5c45c1a4c986cab25e8a70d972a5b16b14fc9f8515cf01ec

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            b49a31b6e3a6771dbfa29b309842ef4f

            SHA1

            6b837a896a3008be212e7a3e297859b06b1d22af

            SHA256

            066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

            SHA512

            804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            c40a4212f7879c8fe4c21ad756d904b5

            SHA1

            b58ead9d6286a4408d555dc044bf27631188caa4

            SHA256

            56d060d715f335a47fd950c2492cc358a178b2123f5d34f87dd279e82669352a

            SHA512

            85c8e0a5444a2468ae04c9cc22c54362e7cb64b19879a2f620f76af72b0f9c2d1af9383b1549def92addfecf10686563410c96c5bf5ec4e1690b71cdcd1f971c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrazuuph.im3.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            Filesize

            829B

            MD5

            7298cf5272c2f1468d281152ab8a9c22

            SHA1

            951f8c9a885b89f2c6f4a08ce0b2a1189a641a48

            SHA256

            f85b0d0277ef8841d05cf5f8d72303984ccfcb48e78b98e629155c9a7a4eb007

            SHA512

            97e9bd5c5ff31797a2c7e0c2b72fd79367abb9f44e99e4a350c827f659eef349ca77e386538e00b56a2adaf38be0190b421985179101b3560aef773b1e92a2c1

            Download Submit

          • memory/3016-199-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3016-0-0x00007FFD2F653000-0x00007FFD2F654000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3016-162-0x00007FFD2F653000-0x00007FFD2F654000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3016-3-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3016-1-0x00000000006B0000-0x00000000006CA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3016-1359-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3420-19-0x00000227C1800000-0x00000227C1876000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3420-14-0x00000227C1530000-0x00000227C1552000-memory.dmp

            Filesize

            136KB

            Download