Resubmissions

10-01-2024 13:21

240110-qlvy5ahag4 10

10-01-2024 12:17

240110-pf835afbdr 10

Analysis

  • max time kernel
    600s
  • max time network
    372s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2024 13:21

General

  • Target

    a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe

  • Size

    3.2MB

  • MD5

    6d44f8f3c1608e5958b40f9c6d7b6718

  • SHA1

    9203ad3b6ffb7732591ef560965566555bce9d82

  • SHA256

    a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455

  • SHA512

    656eb44b563705e1045b6a881b4f8a462ecf3bb8b2421cb18dfa21421629f7af92fe4b72736edfe3fea2ea13bef84f5faab5a78b8ef2b4f656a9055d0c4a22bd

  • SSDEEP

    98304:wgwRevguPPFpugyxQkvA51nFbk+kUwWlGroD+1f:wgtv7ov5vqbk++AGkD+1f

Malware Config

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family was first exploited in the wild in 2022.

  • Modifies security service 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (6285) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 21 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe
    "C:\Users\Admin\AppData\Local\Temp\a8759b39cecf17631e9d4952aecd32ce233e01d08841178e7ef81f3afdd8e455.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p58042791667523172 Everything64.dll
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
        "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe"
        3⤵
        • UAC bypass
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3068
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\DC.exe
            DC.exe /D
            5⤵
            • Modifies security service
            • Executes dropped EXE
            • Windows security modification
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1928
        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e watch -pid 3068 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:848
        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2872
        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:960
        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious use of SetWindowsHookEx
          PID:2420
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -H off
          4⤵
            PID:2360
          • C:\Windows\system32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            4⤵
              PID:1164
            • C:\Windows\system32\powercfg.exe
              powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
              4⤵
                PID:964
              • C:\Windows\system32\powercfg.exe
                powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                4⤵
                  PID:1904
                • C:\Windows\system32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                  4⤵
                    PID:2452
                  • C:\Windows\system32\powercfg.exe
                    powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                    4⤵
                      PID:1404
                    • C:\Windows\system32\powercfg.exe
                      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                      4⤵
                        PID:1836
                      • C:\Windows\system32\powercfg.exe
                        powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                        4⤵
                          PID:2868
                        • C:\Windows\system32\powercfg.exe
                          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                          4⤵
                            PID:1280
                          • C:\Windows\system32\powercfg.exe
                            powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                            4⤵
                              PID:708
                            • C:\Windows\system32\powercfg.exe
                              powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                              4⤵
                                PID:1548
                              • C:\Windows\system32\powercfg.exe
                                powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                                4⤵
                                  PID:272
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2044
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:1388
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2404
                                • C:\Windows\system32\powercfg.exe
                                  powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
                                  4⤵
                                    PID:984
                                  • C:\Windows\system32\powercfg.exe
                                    powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                                    4⤵
                                      PID:1664
                                    • C:\Windows\system32\powercfg.exe
                                      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                                      4⤵
                                        PID:1832
                                      • C:\Windows\system32\bcdedit.exe
                                        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                        4⤵
                                        • Modifies boot configuration data using bcdedit
                                        PID:2088
                                      • C:\Windows\system32\wbadmin.exe
                                        wbadmin.exe delete catalog -quiet
                                        4⤵
                                        • Deletes backup catalog
                                        PID:2136
                                      • C:\Windows\system32\wbadmin.exe
                                        wbadmin.exe DELETE SYSTEMSTATEBACKUP
                                        4⤵
                                        • Deletes System State backups
                                        • Drops file in Windows directory
                                        PID:3016
                                      • C:\Windows\system32\bcdedit.exe
                                        bcdedit.exe /set {default} recoveryenabled no
                                        4⤵
                                        • Modifies boot configuration data using bcdedit
                                        PID:2648
                                      • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe
                                        "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.exe" -startup
                                        4⤵
                                        • Executes dropped EXE
                                        • Enumerates connected drives
                                        • Suspicious use of SetWindowsHookEx
                                        PID:968
                                      • C:\Windows\SysWOW64\notepad.exe
                                        notepad.exe "C:\Users\Admin\AppData\Local\----Read-Me-----.txt"
                                        4⤵
                                          PID:2088
                                        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe
                                          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c F:\
                                          4⤵
                                          • Executes dropped EXE
                                          PID:208
                                        • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe
                                          "C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\xdel.exe" -accepteula -p 1 -c C:\
                                          4⤵
                                          • Executes dropped EXE
                                          PID:380
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                                      2⤵
                                      • Deletes itself
                                      PID:1384
                                  • C:\Windows\system32\gpscript.exe
                                    gpscript.exe /RefreshSystemParam
                                    1⤵
                                      PID:1104
                                    • C:\Windows\system32\vssvc.exe
                                      C:\Windows\system32\vssvc.exe
                                      1⤵
                                        PID:2512
                                      • C:\Windows\system32\wbengine.exe
                                        "C:\Windows\system32\wbengine.exe"
                                        1⤵
                                          PID:2672
                                        • C:\Windows\System32\vdsldr.exe
                                          C:\Windows\System32\vdsldr.exe -Embedding
                                          1⤵
                                            PID:2820
                                          • C:\Windows\System32\vds.exe
                                            C:\Windows\System32\vds.exe
                                            1⤵
                                              PID:1660

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\----Read-Me-----.txt

                                              Filesize

                                              846B

                                              MD5

                                              1b1aa251f3fdef28aff78edfd34d2901

                                              SHA1

                                              3ea67d4f747d53c5f948f3f442a7b2687dcad7d5

                                              SHA256

                                              9d1e253c902385f95920a1869e4cd0c538fecf8a394795160fdc81ba405202b3

                                              SHA512

                                              be865b9404d3564ff358c01ad392df0cfedb405b4efa5cf7fa7ae5b293e9ac6637c61c96797cadb77829f9d1c059254024072fbd495c1e4b0ea82947420b344a

                                            • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

                                              Filesize

                                              300B

                                              MD5

                                              e1a82f783e5da276aaee7cd82b8f0634

                                              SHA1

                                              08ee4d34971a8a1d237b9fb44025b75552c25ab1

                                              SHA256

                                              785df04aad0f47e60a439c7c9a495cd6143d3f8f7f39435f687df0ac5f5e232f

                                              SHA512

                                              4b4a9345c6dc53fbc74ce92bc436d93082f6b6cd3483614a28bd58aea96d49b2d760d39e3207c1fad90fa2eb550007d2bbb0da3d7bab86fea20918299cba3006

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3usdaa.exe

                                              Filesize

                                              2.9MB

                                              MD5

                                              a02157550bc9b491fd03cad394ccdfe7

                                              SHA1

                                              108b7428e779d5caa7854a1a4dfa5ca42f292f04

                                              SHA256

                                              a15d1311e02cffd67a0db25cb0d6b2ccd3fc457d0bd76d7d2a4a462bbad6356a

                                              SHA512

                                              bea12edb6be3921ed25b4b3210ff53f8224c35c3d789864fc86991db972e0a3066af9d5891814153a6091c9dad4deedf3f0879a4dd632e3398864c9f2b6d1022

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

                                              Filesize

                                              802KB

                                              MD5

                                              ac34ba84a5054cd701efad5dd14645c9

                                              SHA1

                                              dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                              SHA256

                                              c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                              SHA512

                                              df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              c44487ce1827ce26ac4699432d15b42a

                                              SHA1

                                              8434080fad778057a50607364fee8b481f0feef8

                                              SHA256

                                              4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                              SHA512

                                              a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

                                              Filesize

                                              548B

                                              MD5

                                              742c2400f2de964d0cce4a8dabadd708

                                              SHA1

                                              c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                              SHA256

                                              2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                              SHA512

                                              63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

                                              Filesize

                                              550B

                                              MD5

                                              51014c0c06acdd80f9ae4469e7d30a9e

                                              SHA1

                                              204e6a57c44242fad874377851b13099dfe60176

                                              SHA256

                                              89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                              SHA512

                                              79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

                                              Filesize

                                              84KB

                                              MD5

                                              3b03324537327811bbbaff4aafa4d75b

                                              SHA1

                                              1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                              SHA256

                                              8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                              SHA512

                                              ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

                                              Filesize

                                              2.3MB

                                              MD5

                                              c576119a8bae4d63560ee48893aced8f

                                              SHA1

                                              7c46e928379715faa8ac3fb381264f86fcb17ef8

                                              SHA256

                                              69d9d97db25a2058c3ad1809356b8e61252e5884dc8122f1a942bf9afa5b1913

                                              SHA512

                                              93e1e7eb9d0fd6a6c7c8f2183345d2e17d68748ec0a6e2b1406a3fcf01843ea099680400438ba390001673b9d964bbd2be22f45e0b5bc48b71b1b057673f5d56

                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

                                              Filesize

                                              350KB

                                              MD5

                                              803df907d936e08fbbd06020c411be93

                                              SHA1

                                              4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                              SHA256

                                              e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                              SHA512

                                              5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                            • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.db

                                              Filesize

                                              9.3MB

                                              MD5

                                              7ef9a3681c621d2900e4c1499721131b

                                              SHA1

                                              1e326f4df528f0e46dc848649aea14e898eb2f58

                                              SHA256

                                              32cc35f86c89aa41d309c704eded7be1b8eaba0fbb51801166b0e64f28b5bc66

                                              SHA512

                                              a0bbc1d5268b5f72a542e6984170dd7359f2d529e83a33d44237f103adc33699df625514a9184fdca98eccde80078fe6483876d623f52b02fe50c95b20757203

                                            • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\Everything.ini

                                              Filesize

                                              20KB

                                              MD5

                                              5ba8b6c385b3f8fc6f6415773ef9c590

                                              SHA1

                                              8c5b688d6a057c8f94400a5eeedfec01805d7f72

                                              SHA256

                                              5d1db55cb3b41dd9b4dfa5661fcd5edb459a02dc32af947e0dfb45ded01e9698

                                              SHA512

                                              2ddf1dc4d22e3e0c59ca2b751acbabbdee5834690448881ab6234e542cc5ac974da8c52c499431ed204276433ac66ac56652760bae45673bfea7af2a189ac616

                                            • C:\Users\Admin\AppData\Local\{3E72089C-1A3A-DF6C-7071-175DF7BCDA76}\YOURDATA.exe

                                              Filesize

                                              2.8MB

                                              MD5

                                              623d41b2b7002fbea982038e7c26d316

                                              SHA1

                                              5d2378ec4c2c337c7cd7e3736cc401f9be955cc8

                                              SHA256

                                              b220470bbab0dc39b6566703e82ca7ef2f67b35897254b56ebc2b4bb2364bc1f

                                              SHA512

                                              20589b22e109b42fbb099054c7acf6da5286a9e82eef2b708a59d3ea570209ca6ea2d93bf76c450d591cb1a7c2758ceab34b1595ee796505737bdc72e37728b5

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              e30d7d09c5d4eacd834cc172882114b5

                                              SHA1

                                              9ecdbb4bf8dd7aa5706813dcd96d99ab6d3ac24a

                                              SHA256

                                              aae2a7276cee53e00179127d37cb4530a8fba9e7c1955315b29415c1217f5829

                                              SHA512

                                              1f2cf307376552219c9d9306f483a7ac0a877b74c290b9afbbbcf97479cb5e1f5096ecb77c85307ed4db2ccf04ba61e5a7a8fd0a389bc71956f7afa223fc150a

                                            • C:\Windows\System32\GroupPolicy\gpt.ini

                                              Filesize

                                              233B

                                              MD5

                                              cd4326a6fd01cd3ca77cfd8d0f53821b

                                              SHA1

                                              a1030414d1f8e5d5a6e89d5a309921b8920856f9

                                              SHA256

                                              1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

                                              SHA512

                                              29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

                                            • C:\temp\MIMIC_LOG.txt

                                              Filesize

                                              31KB

                                              MD5

                                              e2cd5b4267efe9c1c964f9030cda58b6

                                              SHA1

                                              8d2732b0b6bd89ef4065448b628760006d3313e4

                                              SHA256

                                              21770feab42582781b28c57abffd7f1cdc5f5422ddb17498cf58dc95c15b23b0

                                              SHA512

                                              0b129a4f5bebb1f036c8386d5f882029d7dced17cdfd86e7b4dea6daa81aa906148a6d8cbcb23905117c93d1ce47f8b9f2c8e47ec484910b48a20f3977470e0b

                                            • C:\temp\MIMIC_LOG.txt

                                              Filesize

                                              31KB

                                              MD5

                                              d416b03ab9a25f628ab8b1ef2391d5a6

                                              SHA1

                                              6f6e4e0cbcfbb9a71b252562c12a19c2ece17e05

                                              SHA256

                                              4a0fb3fa5c03cc62be96c7db3cd23a9837b9330bfde06ed2fe718c849166bbb1

                                              SHA512

                                              add4439274056aac1e43ae5ecdeb14a8d4e0402bae8a2a05db13341d6f5237320eb80edf7095d91607e42bff8d13404fbe4a9b1d15ca6655698d5ad3611ca3a7

                                            • C:\temp\session.tmp

                                              Filesize

                                              32B

                                              MD5

                                              597f5c6b723bc8e97f6c36fea52fb8a5

                                              SHA1

                                              d61e126543665d7a255ea24a592b67f80280e4c2

                                              SHA256

                                              c532566620757eb569ed0e05caf6eadb159adfe4d44678a66ab4aca014d31416

                                              SHA512

                                              8b7f1bc29a0e1d53d978edf501bb8f7137e8b9cb31653bb9696cfeb79288f1810ac9cae9a654f6dfc71388ebc7cdb3617e63c7e2895c2adcc04f120a6d7289da

                                            • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

                                              Filesize

                                              772KB

                                              MD5

                                              b93eb0a48c91a53bda6a1a074a4b431e

                                              SHA1

                                              ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                              SHA256

                                              ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                              SHA512

                                              732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                            • memory/1388-142-0x00000000028A0000-0x0000000002920000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/1388-153-0x00000000028A0000-0x0000000002920000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/1388-139-0x000000001B340000-0x000000001B622000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/1388-141-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

                                              Filesize

                                              9.6MB

                                            • memory/1388-140-0x0000000002490000-0x0000000002498000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1388-145-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

                                              Filesize

                                              9.6MB

                                            • memory/1388-148-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

                                              Filesize

                                              9.6MB

                                            • memory/1388-151-0x00000000028A0000-0x0000000002920000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/2044-150-0x000000000251B000-0x0000000002582000-memory.dmp

                                              Filesize

                                              412KB

                                            • memory/2044-143-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

                                              Filesize

                                              9.6MB

                                            • memory/2044-147-0x0000000002514000-0x0000000002517000-memory.dmp

                                              Filesize

                                              12KB

                                            • memory/2044-146-0x0000000002510000-0x0000000002590000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/2404-152-0x00000000024E4000-0x00000000024E7000-memory.dmp

                                              Filesize

                                              12KB

                                            • memory/2404-154-0x00000000024EB000-0x0000000002552000-memory.dmp

                                              Filesize

                                              412KB

                                            • memory/2404-149-0x00000000024E0000-0x0000000002560000-memory.dmp

                                              Filesize

                                              512KB

                                            • memory/2404-144-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

                                              Filesize

                                              9.6MB