Overview

overview

10

Static

static

10

Dropper/Berbew.exe

windows7-x64

10

Dropper/Berbew.exe

windows10-2004-x64

10

Dropper/Phorphiex.exe

windows7-x64

10

Dropper/Phorphiex.exe

windows10-2004-x64

10

RAT/31.exe

windows7-x64

10

RAT/31.exe

windows10-2004-x64

10

RAT/XClient.exe

windows7-x64

10

RAT/XClient.exe

windows10-2004-x64

10

RAT/file.exe

windows7-x64

7

RAT/file.exe

windows10-2004-x64

7

Ransomware...-2.exe

windows7-x64

10

Ransomware...-2.exe

windows10-2004-x64

10

Ransomware...01.exe

windows7-x64

10

Ransomware...01.exe

windows10-2004-x64

10

Ransomware...lt.exe

windows7-x64

10

Ransomware...lt.exe

windows10-2004-x64

10

Stealers/Azorult.exe

windows7-x64

10

Stealers/Azorult.exe

windows10-2004-x64

10

Stealers/B...on.exe

windows7-x64

10

Stealers/B...on.exe

windows10-2004-x64

10

Stealers/Dridex.dll

windows7-x64

10

Stealers/Dridex.dll

windows10-2004-x64

10

Stealers/M..._2.exe

windows7-x64

10

Stealers/M..._2.exe

windows10-2004-x64

10

Stealers/lumma.exe

windows7-x64

10

Stealers/lumma.exe

windows10-2004-x64

10

Trojan/BetaBot.exe

windows7-x64

10

Trojan/BetaBot.exe

windows10-2004-x64

10

Trojan/Smo...er.exe

windows7-x64

10

Trojan/Smo...er.exe

windows10-2004-x64

10

Resubmissions

03-09-2024 14:02

240903-rb57sazdqf 10

03-09-2024 13:51

240903-q59avszclf 10

02-09-2024 19:51

240902-yk8gtsxbpd 10

02-09-2024 02:27

240902-cxh7tazflg 10

02-09-2024 02:26

240902-cwxc2sygll 10

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

240609-vm7rjadd73 10

13-05-2024 17:36

240513-v6qblafe3y 10

12-05-2024 17:17

240512-vty3zafh5s 10

Analysis

  • max time kernel
    95s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/Client-2.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score
10/10
hakbitcredential_accessdiscoveryevasionexecutionransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: Ms7e1M1HWOddXpnvzInhOXw7dSPPN5fA9eoK4HrNAk/YjbRBtkZGNh20NubuThVhf6zfZjEEzlhlzezf06PIUyyyw6Slx9pn5P/OVw4NVKPnwNmmVXwjv11BKtbFdSCxJM3YJc4a6S4Zy7zQ06h2QKvI439Yk58dsJOe4caAPZrBysuauzgEqGnU9N+c9XRe0HPsr5WZFQ+WPCXsfd8lTzrblT0WDTGQCJbtgzwECphcBrYpYCjAm6uKkdH6MwIj4KBxn/1IAZm2ZatIFFAVuQYYGECrYH4EtwKXHWurygEAeQLW8JavsWg9rICWrzvaXFGx8Eah/+Lw0dO2+jGCPUJKvVyG5fE0zJN1F1w1UHqHB09DDB0Y7MmP9i4mDd0la1dKOb6SbbEyNglA+PsyzYLYEUDfiMboXsVcvirhzolTrTlJsTt5LgMDlw394kgY5R5QWh7qLrxDDj0X+tFYAm0MRLkxQPm5kBuicwnTelMuNr3tXNK2uxxH4M0hNCo+PLXPapr7AT9RLOT5Xh8Z29R9+a0jYYDiVhEOz1gwYh3BI1KNF97CZ1h9jck0HXApnt5mK6DFULOelfPijyvB51Qb+YMZVFosf5+ev3peOz16l7FXcCMNudy/6g1K5ZMYaASiMk28Elwi1glFyJeFfJEojOjXZvryIc4VLq/O0gM= Number of files that were processed is: 469

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

    ransomwarehakbit
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 47 IoCs
    evasion
  • Modifies registry class 9 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:488
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:3064
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:2428
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:756
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:2328
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1704
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2980
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      2⤵
      • Kills process with taskkill
      PID:2716
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:2912
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:284
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:952
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2156
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2464
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Windows\system32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:2248
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2820
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4524
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:4568
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Ransomware\Client-2.exe
          2⤵
          • Deletes itself
          PID:4516
          • C:\Windows\system32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:628
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          1⤵
            PID:4624
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\BackupRemove.ppsm.energy[[email protected]]
            1⤵
            • Modifies registry class
            • Suspicious behavior: GetForegroundWindowSpam
            PID:4776
            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\BackupRemove.ppsm.energy[[email protected]]"
              2⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1368
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:3756

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          System Services

          1
          T1569

          Service Execution

          1
          T1569.002

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Credential Access

          Credentials from Password Stores

          2
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Windows Credential Manager

          1
          T1555.004

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Remote System Discovery

          1
          T1018

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Service Stop

          1
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.energy[[email protected]]
            Filesize

            16B

            MD5

            2e3502afcfae5636c6eb7c2d183d3432

            SHA1

            2515e4229e5439b284e655eb6cdd70ef387fa4a8

            SHA256

            c64b1fdb266f1322ac9327bbebb36b71b5862159293cd2736630555218550f8e

            SHA512

            109beb35291742361acf4c5b8592b620a63d64bd273ee655796ac8b7d7c844f249be16b21e9981dec892ca937276cabc70d8317f895b4930a58e7eaca6a201c6

            Download Submit

          • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]
            Filesize

            180KB

            MD5

            1e26183129ef79c789762f2c6ae5b65e

            SHA1

            185580edf900f6cbe46bad933c05c50b005b15fd

            SHA256

            ac435f6340174caa10920fd7c6d6d5edc8c234e5878bbf3b57e2c37f5646cf48

            SHA512

            3313827e4d0952e857d40e5ff6d76919a6e2a950850faa7a25e1cf7b4624577b5264fe28fce2dc771508386cb8159801335585c5fe6612cee4c4ce93cad52b9c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
            Filesize

            3KB

            MD5

            d6a9d78f71c4c0eef868296b5b9a1a45

            SHA1

            46c49b9cfa241b1012cb7b768815a7f54b423962

            SHA256

            6cd41b0762cc708df685eaf0e9577f52120ab037c0e7e33fe76a8e59ddf30850

            SHA512

            659c6747b3a2992f79804dd8c7fe981996b39d7a67fb398063eea70d3650fe9567e4938d9708de16853e97340a94bfc149a939f2c78209741c240c33bdf4a350

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            39d66a9af4e6096b85f5f8bbbec1d8c6

            SHA1

            91e50353a1926ed65e8771a3013148d807249024

            SHA256

            ef5f0a113a3bed1afccd9c0fe58565c74825eaf649bb39b619152bf9b9ce0410

            SHA512

            acb3deeeaf426c855271eb1b617b939a2d2147bb38f576431bb06cd49d8c796972d1f291f57f257a2b7eedf54046e36ea6085ff0c522325c947c77e3e10c20cb

            Download Submit

          • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
            Filesize

            828B

            MD5

            f8f3d641791f07b3379fc93aa9f04880

            SHA1

            130d453fbafa8471563725e4ae7a2a904b8b624a

            SHA256

            caa0dcb12c4c80f9a587e671398587772482b4a82ad7c43c8ea37e47f0ecd2b5

            SHA512

            d9f9fa77db30dd8304ce7699cb41a5375b800801a61ed328a878f260e031daade60b9d45e9dc17fb8afd606649945490314051c03823936fd5b7d61b73b549b3

            Download Submit

          • C:\Users\Admin\Documents\BackupRemove.ppsm.energy[[email protected]]
            Filesize

            816KB

            MD5

            60e3affbbf44ef12e2e88ddd99ee5715

            SHA1

            4e6660c15d8b6cddfeaf296efda8cc686d2e8faf

            SHA256

            fb321cdb8fd6e89f5285b6791dc9df4417b61f8bd92c296d59375e3961623989

            SHA512

            14a901079877c396b53e63958085f99acd5262b66f2baea557580c9c0aec18d98d0cf85aab3015636ebf5d2498b356a68e2316e6270cff697d72bc0efa6cb164

            Download Submit

          • memory/488-145-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/488-0-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

            Filesize

            4KB

            Download

          • memory/488-126-0x000007FEF6363000-0x000007FEF6364000-memory.dmp

            Filesize

            4KB

            Download

          • memory/488-631-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/488-3-0x000007FEF6360000-0x000007FEF6D4C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/488-1-0x0000000000CC0000-0x0000000000CDA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1044-10-0x0000000002620000-0x0000000002628000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1044-9-0x000000001B1B0000-0x000000001B492000-memory.dmp

            Filesize

            2.9MB

            Download