hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
445s
max time network
456s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: QrjFddS6rH5hHjU403z26gkkLvuA3dR4bOUH87wL93aUeZ2MYvVyu1WzHQltdGINv6tSd1YbcRiit5tgeSwa4EWVlcndzFiM4awc9C7AVe7wg7TFIfPBDgIeB61YBR495tiWZ/eNF0lkU0FQyOzB4JbIw/5EZqAbWu0yT3E7uFrQknqng1jarsAo7+aOCTIK2sGZvQ6MbU1ovUsDRb+9FK3G/hNUHBecza4iYwZyKUfM9G10qu+OqeZZk3kZ/SI3myPA3drPUZLfbhYl1p2sqnfd3gNve5ahE/6R1ZADVrpJSpjikfQLSCdPd47gaKi/0yV2VK0/B28h2o/fNfd3miOv2regzePhTs9EZvVaeG3zAXfzmcY2GhJZgMCeCHwIB4xU8L85nK/n6KVooBuWquiSEKcBaQu3Tnt41XCJvkh4gz3b5X1Flira9h+NbWFOTcQSkJZ5h1j5o4suKd433XCXzYgXzGxqo0wGOhJIBzFANkCCOHQgtPPmmJbGmlfQjhP4b00G52iwaiu183GN1QLLz7rjiaVz4yFs2gjWpJVJ71eIrvCCUY7H2FMi2EyoDsMfgG04/01WOi5LXC/ineLkVQvAJtXCVJZmVqBokM3RDvh/oePlUA+OzR+pt6yf+q7cudQjWZNpz7RwEX4nYIelYRfC3BDNtu0mylSWvAg= Number of files that were processed is: 414

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3648	sc.exe
2828	sc.exe
3888	sc.exe
4840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5592	cmd.exe
2508	PING.EXE

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
5976	taskkill.exe
4600	taskkill.exe
568	taskkill.exe
824	taskkill.exe
4928	taskkill.exe
4828	taskkill.exe
3972	taskkill.exe
2396	taskkill.exe
2464	taskkill.exe
5336	taskkill.exe
2308	taskkill.exe
2392	taskkill.exe
4996	taskkill.exe
2852	taskkill.exe
3516	taskkill.exe
948	taskkill.exe
4308	taskkill.exe
4780	taskkill.exe
2320	taskkill.exe
5788	taskkill.exe
3036	taskkill.exe
4820	taskkill.exe
1456	taskkill.exe
1208	taskkill.exe
132	taskkill.exe
4932	taskkill.exe
3976	taskkill.exe
2504	taskkill.exe
5168	taskkill.exe
4876	taskkill.exe
4812	taskkill.exe
5652	taskkill.exe
3600	taskkill.exe
3400	taskkill.exe
704	taskkill.exe
4960	taskkill.exe
4792	taskkill.exe
3220	taskkill.exe
1960	taskkill.exe
4972	taskkill.exe
3020	taskkill.exe
5544	taskkill.exe
5400	taskkill.exe
2080	taskkill.exe
3696	taskkill.exe
3368	taskkill.exe
3100	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1372	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2508	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	5544	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	568	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	5652	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	132	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	5400	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	5168	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	5336	taskkill.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	5976	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	4732	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2828	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 708 wrote to memory of 2828	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 708 wrote to memory of 3648	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 708 wrote to memory of 3648	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 708 wrote to memory of 4840	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 708 wrote to memory of 4840	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 708 wrote to memory of 3888	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 708 wrote to memory of 3888	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 708 wrote to memory of 2392	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 708 wrote to memory of 2392	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 708 wrote to memory of 4308	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 708 wrote to memory of 4308	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 708 wrote to memory of 4960	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 708 wrote to memory of 4960	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 708 wrote to memory of 5400	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 708 wrote to memory of 5400	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 708 wrote to memory of 2308	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 708 wrote to memory of 2308	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 708 wrote to memory of 5336	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 708 wrote to memory of 5336	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 708 wrote to memory of 5544	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 708 wrote to memory of 5544	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 708 wrote to memory of 5168	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 708 wrote to memory of 5168	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 708 wrote to memory of 2464	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 708 wrote to memory of 2464	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 708 wrote to memory of 2396	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 708 wrote to memory of 2396	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 708 wrote to memory of 3036	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 708 wrote to memory of 3036	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 708 wrote to memory of 5788	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 708 wrote to memory of 5788	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 708 wrote to memory of 3020	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 708 wrote to memory of 3020	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 708 wrote to memory of 3972	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 708 wrote to memory of 3972	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 708 wrote to memory of 824	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 708 wrote to memory of 824	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 708 wrote to memory of 704	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 708 wrote to memory of 704	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 708 wrote to memory of 132	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 708 wrote to memory of 132	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 708 wrote to memory of 568	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 708 wrote to memory of 568	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 708 wrote to memory of 4972	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 708 wrote to memory of 4972	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 708 wrote to memory of 1960	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 708 wrote to memory of 1960	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 708 wrote to memory of 3220	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 708 wrote to memory of 3220	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 708 wrote to memory of 4600	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 708 wrote to memory of 4600	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 708 wrote to memory of 1208	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 708 wrote to memory of 1208	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 708 wrote to memory of 4996	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 708 wrote to memory of 4996	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 708 wrote to memory of 5976	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 708 wrote to memory of 5976	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 708 wrote to memory of 948	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 708 wrote to memory of 948	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 708 wrote to memory of 3100	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 708 wrote to memory of 3100	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 708 wrote to memory of 2504	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 708 wrote to memory of 2504	708	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3648
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4840
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4900
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5592
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2508
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:4592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:2932
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6112

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2912

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
9135a30d6ba12ac79242246289ededcb

SHA1
446abe8b9d8956a3b386b09b8c732e0c1aed5dbb

SHA256
9749d22f7c57440eb07dbc2fea702a12a742c84c0e41030a7541ab2b3675704b

SHA512
ae79003970d8dea36e44be055080fed055595725a8e3363ea3251f7036da10d52cf754e1bc836d146739b2c1c26a4313f076aa2fd1fa2b2391b5a5e147903214

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
1c30080b6cafea95107893c3399a7840

SHA1
04eb5708986745ce95de0e9fd15e9a69d83a7262

SHA256
d1d4c358c24887b7ae261e6fe972a9590bd28c16e2ee0f460c4b34cd87c7764d

SHA512
d5d47b7b5eea3036e5ae89983b98b442ed79205424502d34d8cbe08a8e887b6dd6e3faadb085f13fb8d18f16fa6f6d77d3bea7e816affc22adb4e3667d201976

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
6213b79c042e7a4e83e0a96db4fd7279

SHA1
df069d7ffe0d5f264714b11d09fd7bf643befba7

SHA256
f24b17c7889172098d3f04bbd6d2d93f7771b87f04ed00ef527404370a7c4576

SHA512
9276cc4871843e2a908d3b9ae07518d6c995687b7e4d76467432ae7a1304813a57e716a533e29116f56462a0fcdd5db88ec408a2fdc7b0644dd198fe8ca33cd6

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
d876c52a806184e36cd6185700c95854

SHA1
f5a079bf05765476c11e866d0db95376d49d380b

SHA256
197459b64df2565451ba81c62bfc2e5bcdb9781a4b179f6dd83564fd2119dc4d

SHA512
7c53757a8d4ce3f776e1c88800aeba20adbde35f6eb928e959be52043d2441280d870945c4ca199bbe1bcc350dfc4d498a47a869265d2f668d7449d02ab413ce

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
57f70e5eaf8e3530465cc919c19a2337

SHA1
070d8ee1fee01e987ce4d404206d39871894069e

SHA256
1bb7c917004d0103acc976a735de0c7bf803c2b1579ccbd3056547013cc7c0f9

SHA512
ca7af33d5ae648adabe01612328ad789d0bf31c2500d92ef589740f9fdbe4b3a95a41357d7f57ad46ea3562b9b0209d6b293a59c1066718a42728d7c70e68f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3284cb698efa6fb773dc0eebd30a3214

SHA1
a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

SHA256
22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

SHA512
af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\81ba0410-630e-468e-b216-433e0e967149.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rid5axak.ypx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\BackupRedo.xlsx.energy[[email protected]]

Filesize
9KB

MD5
95cb76b3db35e64abe4d6004d940f972

SHA1
18815222325e877604ea75fbf7113c70e88a2c74

SHA256
bb564016aa8528938ec57c3cce951a16c15d1c45316034a6bc1c5a3c87fd9fb1

SHA512
272ddec0b7b961eb0dd3c6de5f4ace74f53dc5ade0765edccf29b9bf1b92ce626e54ef376044c4f0907649db4f254cff6c42b6fbb8668dd0879cdf777da0ecbe

Download Submit
C:\Users\Admin\Desktop\CompareBackup.mpeg.energy[[email protected]]

Filesize
225KB

MD5
e0ba7c82ef1130a4b2a337b0989c066c

SHA1
b406191fbd8eac1f5840f10f59512595978bef5c

SHA256
a61adab771457ac3a46b2ff9c7e54e02c97f59b73b5e810d4f0b6444586d30c6

SHA512
d3ff34ed5483ab79cf7e6fd54c5116098e68c2ded7cbe993542ef44400b05e3f94f2fdc025588abb2d70e9b6b6c8c17460161c7e99869357286a0d099c1e0337

Download Submit
C:\Users\Admin\Desktop\CompleteRename.aiff.energy[[email protected]]

Filesize
245KB

MD5
1ea78650a808d18e55706daed7f3eb23

SHA1
607d5172dd1b2fae82fc8f12ec7837b33c42d372

SHA256
0cad64064ce93f64a0218b2350d8626368fed246449ce3b0ae20c0d7d6022b49

SHA512
aaa161bcae07655d98e80c9ce8d73a9f8198a5ecb384e09ffecdf0892d3c78b3e06aa3ef34a41b475e7e7494011953aab792409cf3c278aa836b63d1f5713186

Download Submit
C:\Users\Admin\Desktop\CompressRequest.xltm.energy[[email protected]]

Filesize
307KB

MD5
1d6cd48be683bd9273a0631437b44ff8

SHA1
e03c98faca70179fb886e0f6e132f4a8aee475c8

SHA256
c51d63674d97b2865d304410bc862f57eae64df532d7334cfc8dfcdc1ef557e5

SHA512
e64f97ffd3e906df2ada3b8d082363d886fad38c5859ff7d9d9337b49e2230eaaa048e8009f81fca0ce02761f60b7b08014672bef8c3418c8efe8a14e3bd3be4

Download Submit
C:\Users\Admin\Desktop\ConvertToEnter.mpg.energy[[email protected]]

Filesize
492KB

MD5
829175eb4ef56d977f1d4394a8dd538d

SHA1
390e564caccfdf0a29883c411c780bd5fc41db13

SHA256
40788dd9feb1079810dac8700858bc9b401ecba615f6f0ffbc6bcef0e61c5b4e

SHA512
8ea2402c3b992faea9cdde9c1b13442588c683e908fa99d4ebe511e21b64c29aab4fdd79ba6b9aadf6c94d1dc8ddedc90fb19956334b50b7cb5af33654ea9dfb

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
0e6e1c054dc06a14f0217e4465ba0d7f

SHA1
b3e2a4541a91f71482f131dbc6c048c23423c225

SHA256
390d74064e2a2ac246f06377b3318b8b2dc1ca4962daacfd56ff712c05d26ad3

SHA512
74e34032825260d20d7b9bf988ea38448958cbce6757b48ad203be8e01ea739ab4b197da23a0a81dd76a899a99a229b3da1406921e79dfbb5e38221cd8725e91

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
807B

MD5
adc74de3cbc2a3ce2db8782ed253859a

SHA1
d1cd31eb715d3525be94cc6726d86d7f32235173

SHA256
c25a11635c2e952b8a2c177d99432acfb476f4f95215a9245072595c00d2855a

SHA512
f5fccbfb3ca20eb326f3208bcdf924e8abd86882defea2d4fdb493bb99a263844bbf08a4079a0b35941109a10e4b22469260a7b5e87f38454a4d10942688dc80

Download Submit
C:\Users\Admin\Desktop\InitializeUnregister.docx.energy[[email protected]]

Filesize
17KB

MD5
b36fcd150ecc4b0f250c31956bfb4fa2

SHA1
865935d1d10fc3e8d0528df5ada05f629a585ecc

SHA256
38e422f3a069c3f4a0ed3e5e7767e825bacbc57c592e79d767150b433521c84f

SHA512
5e3bb975dc6a61869d59bf6b177e4c7edf4081325a67c159abac16a8ff1673d19eb0882ee344564f502ea291d56c48df20264b359fc92dca22cff9dc02556806

Download Submit
C:\Users\Admin\Desktop\MeasureBackup.xps.energy[[email protected]]

Filesize
392KB

MD5
78a38ebc97c8dff04a33786d66adb7d3

SHA1
54565c79c45f206cb2d0825d6e583fd1577631db

SHA256
5a33bec592008721d342c42ba45c764b038972273dbef0be172416cbe4e2498e

SHA512
f4c349a6d258e9189880b5fe116b9d4a155c7db017b204a7d8cccb34adbebabecb159e6248eed491269956d39c5bbc0a198506dcf5fd2816f89406cca69159d8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.energy[[email protected]]

Filesize
2KB

MD5
1f4cd706e01c68eca8b0ae3ae39dfb93

SHA1
fa36a9b686fad74188f104a40406fd5a1658e7b7

SHA256
c059ed87b191eb1a479f9a9da7724bcf353c4ac6899a16791ddb0e353c681403

SHA512
e33e60fdf088903ca610cb002074b2cc2377e3c4004b8a782efafa816c20ea7cee10bf25bfa56abb5783d2a5945cae222e44fcda502446a1553bea355fac6eb9

Download Submit
C:\Users\Admin\Desktop\MountSync.ppsm.energy[[email protected]]

Filesize
471KB

MD5
67a5752e2395bfc051a54a3af34402db

SHA1
0104ec0735822a398b3858665928195d6796e182

SHA256
a5f3f23e6958b6d0ae3c9406a2c73aef4f692a4c8adaa3519bf428ccb7425800

SHA512
ba7a9a7394d4a6e63945ac8aa256ca24a4b2929e987956dbf401356548fe9c4e1e8d0e6a2856309751f78530e4b648d93cb210c106e043844eccaaa479f7b2ec

Download Submit
C:\Users\Admin\Desktop\MoveUndo.mhtml.energy[[email protected]]

Filesize
208KB

MD5
ab0a5c6d03c2150f7e0415bf6bcc7a46

SHA1
1ba7f9eef05eef1229b916ec989d188c9b3ab5a1

SHA256
d41a69f56e48b25f4ec2108ba3bc471cf8036f3f8d96afe29a5ae74216c2a2d7

SHA512
d7daeb55f592e47b15c2c3d2bc5ea1ffcf83c5d39e57b8202632d91b16dafde944ee0e663d3be6b8283f1a68f8f6d5ae5efa34be0eadd346fc63f6799fbd47c9

Download Submit
C:\Users\Admin\Desktop\OpenConvertFrom.txt.energy[[email protected]]

Filesize
327KB

MD5
2d16073b5d935e50a4f1644306011a0b

SHA1
4df9fb9910d406564099d2d72505132f63f45f0d

SHA256
69310b916926339a7597e8914fd120710292e029b2516b0a0e7165b92c58f8f0

SHA512
134a169bedb21d8ba37947f8e747ae5f6192d53039c68a2ef176a59541766f2acf4cbe2e8682c978bf66ba3f8ff73fc930ad7c3454b817f5d808f4d769bb1cf9

Download Submit
C:\Users\Admin\Desktop\ReadEnable.sql.energy[[email protected]]

Filesize
432KB

MD5
bca9fc577a579cae000a4f2ab91934c6

SHA1
26516847bfa4955ace62552a3015212c3f03fc4b

SHA256
da2f8f51a69f1120eaaf5ac0422aaa5f3790f58978f5b59efe9ddffcc754a15a

SHA512
0498fb8840595d0a24bde8ebcf663572250e33f97355319a80c8688c6ceb8a3b58eacc385fd94032c6d2b9d06037801a5080139e3d8c18a0f953a278d28bb3e2

Download Submit
C:\Users\Admin\Desktop\RedoStep.crw.energy[[email protected]]

Filesize
412KB

MD5
bdf8b1f7a571c9ac62ae2f66ce741218

SHA1
7148474c1c80cba967e5c0a0b48d0f18e2a5e8c6

SHA256
1648e8cd1f7dfdaa0c057c02e03ac4674049e502d38bc4d6def92e7372854612

SHA512
2700dff244e4698160f6527c73762ec4f9ebbbf7e3a54d7d7e0dc035ab6faf6d50aa82c5a6b5658e155d147a37c0dc532af6d0f55ce31ad8bda9fe87af7b8600

Download Submit
C:\Users\Admin\Desktop\RegisterTest.mpeg.energy[[email protected]]

Filesize
576KB

MD5
e91aa985215df6ed74ae4d69e96db731

SHA1
a23442e52f8de25d99cc31ae277dd64acdc082cf

SHA256
b1e569cad44f276fee96eb5739c97c853104905677042d35d94528b5ed93b053

SHA512
c5ef47d6836e42717bb9c63f117007f60ebcc34796cb7a23d36d8335b5bb00ff3f83fde11f76aa9255a14759a2f5a0b437da3ba7a37b141decf8741cfd5a1b9c

Download Submit
C:\Users\Admin\Desktop\RevokeAdd.crw.energy[[email protected]]

Filesize
348KB

MD5
4b7bd7f143787d30f2253925a0baa9f5

SHA1
14d14cd98f7174361f3dba06289cbf82c3ffce30

SHA256
ecbac62da0d317f144b3a441ee3ad6c4d9701d846162ce839417dcdcd75a9d6c

SHA512
c10586950cacf8cf60583c5e5e32ab0ffc925aee90d743028a77976e54bcebed224176ee423822ec9414b3c86aac732353286c61e21146ec003f306895f7f0ef

Download Submit
C:\Users\Admin\Desktop\SearchSplit.odt.energy[[email protected]]

Filesize
372KB

MD5
df7d92d0bc1db89ff307a31ad2ab85b6

SHA1
8f7e7e3849a17865d052f0f631798d3658207a00

SHA256
2826fb1172cbb155dc6d9709b4c97c56cecebc04cb8dad4269692500c28338c6

SHA512
8b4efcd1316652d538dbe8ecd34a7232f8bc2a50d710f8dc9850fad134620c9a758ad1c7df0ab7cb9dc16ebf6f63192ed84c96d3af7a99ebef04436a63393736

Download Submit
C:\Users\Admin\Desktop\TraceRedo.jfif.energy[[email protected]]

Filesize
516KB

MD5
67d2c8d5787928f9fb3179d247570388

SHA1
56942c10f051950432093b961ffde5954656643d

SHA256
d6f3b5a2f7d092df2a836a1182a28a9e4ae13731d0b7b5e52bface879d591c80

SHA512
f48e8b9c82da3d82d9befb5bec38d251af4e0df37b91d99e7a69f549465322730985d52ade33229027e47447532150c5da7ceb6dc58155362001895426160ed6

Download Submit
C:\Users\Admin\Desktop\UnlockPop.lock.energy[[email protected]]

Filesize
536KB

MD5
ffc922b35155ba32e270ed5dd572e469

SHA1
0b3943102cd8021e7081fd66689b0a369ec87c73

SHA256
11a5a14b450a11503d56c814a6aec19e742cd2d56a6db1f13006742432cbe40b

SHA512
be44380198dae6feb92941d5ba0adff25e22c79dac9d41b13b1cca8edd5ff7450b17f3a5966dda599562ed37580e323cc0ed2f0bcc715cf483b1e36dfbd4f4f7

Download Submit
C:\Users\Admin\Desktop\WriteApprove.avi.energy[[email protected]]

Filesize
450KB

MD5
7875e0d88d89a2a957a303890c641772

SHA1
17f184c035a79db9c75d290e7b285cc0d8f1e0f2

SHA256
5d5b17917b0981aed47fe01562c79404652e845483af087967c52cba2136aed8

SHA512
fef32d4aff084bfe0139eee4a1fee129937b61ac3ca001a3e49a67ff272db5679ae0abd8851f242cf5e007cb70439a1883220e7c0f7205794ce88e6b80e4d9f6

Download Submit
memory/708-0-0x00007FFFC1433000-0x00007FFFC1435000-memory.dmp

Filesize
8KB

Download
memory/708-2-0x00007FFFC1430000-0x00007FFFC1EF2000-memory.dmp

Filesize
10.8MB

Download
memory/708-526-0x00007FFFC1430000-0x00007FFFC1EF2000-memory.dmp

Filesize
10.8MB

Download
memory/708-314-0x00007FFFC1433000-0x00007FFFC1435000-memory.dmp

Filesize
8KB

Download
memory/708-363-0x00007FFFC1430000-0x00007FFFC1EF2000-memory.dmp

Filesize
10.8MB

Download
memory/708-1-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/4732-30-0x0000018979C80000-0x0000018979CA2000-memory.dmp

Filesize
136KB

Download