Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-04-2024 01:42

General

  • Target

    a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe

  • Size

    23.2MB

  • MD5

    aabdecc74290221f555bc6400ceef5c6

  • SHA1

    6bf8559dfd409bee873f4e147f31ce313d23f2bc

  • SHA256

    a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd

  • SHA512

    880d741faf049b9276c4ab10e6e3a0817ef28cb05f0e00fa3edf814ebf545d3d316dfac022fcff4b8fee9f95e18542e2cf7e89f02702e30409409f40a5fb6bbe

  • SSDEEP

    393216:+/NvciCzO7XohRMU0K611YKvcg7dSVqMXDVZm/3hL1/VYs0tvj1Q3QJrSZ0aP54d:+1ciC6ohRMPK6gKzRctVZmf//VYRtvjR

Malware Config

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first seen in the wild in 2022.

  • Modifies security service 2 TTPs 1 IoCs
  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs
  • Detects command variations typically used by ransomware 1 IoCs
  • Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs
  • Detects executables containing commands for clearing Windows Event Logs 1 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (5193) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 20 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
    "C:\Users\Admin\AppData\Local\Temp\a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\tempenc\encrypt.exe
      "C:\tempenc\encrypt.exe" -e all -sd -crc
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
        "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e all -sd -crc
        3⤵
        • Modifies security service
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3348
        • C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
          "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 3348 -! -e all -sd -crc
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
          "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1352
        • C:\Users\Admin\AppData\Local\encrypt\encrypt.exe
          "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4444
        • C:\Users\Admin\AppData\Local\encrypt\Everything.exe
          "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious use of SetWindowsHookEx
          PID:2272
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          PID:4328
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          PID:3536
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          PID:548
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          PID:320
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          PID:4876
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          PID:3504
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          PID:3336
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          PID:3304
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          PID:4224
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          PID:4176
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          PID:4880
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          PID:540
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          PID:4232
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          PID:1440
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          PID:4548
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4992
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2936
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          PID:4868
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1624
        • C:\Users\Admin\AppData\Local\encrypt\Everything.exe
          "C:\Users\Admin\AppData\Local\encrypt\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious use of SetWindowsHookEx
          PID:3896
        • C:\Windows\SysWOW64\notepad.exe
          notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:1960
        • C:\Users\Admin\AppData\Local\encrypt\sdel64.exe
          "C:\Users\Admin\AppData\Local\encrypt\sdel64.exe" -accepteula -p 3 -c C:\
          4⤵
          • Executes dropped EXE
          PID:2920
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2920
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4472
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3804
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4556
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4800
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3612
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4256
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5092
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4456
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4332
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4252
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4712
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4032
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4164
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4932
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:4056
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2632
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:1776

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                                  SHA512

                                                                  79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                                                • C:\tempenc\Everything32.dll

                                                                  Filesize

                                                                  84KB

                                                                  MD5

                                                                  3b03324537327811bbbaff4aafa4d75b

                                                                  SHA1

                                                                  1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                                  SHA256

                                                                  8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                                  SHA512

                                                                  ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                                • C:\tempenc\Everything64.dll

                                                                  Filesize

                                                                  2.1MB

                                                                  MD5

                                                                  d02d7dc907d19d2e448368d433baebfe

                                                                  SHA1

                                                                  d66616386e968ddb4661a9f9c1ef8c63403ba8f8

                                                                  SHA256

                                                                  816fe96f0fff9475069d14cff51def4b823e1423c1aa464961ee6a61f7a62200

                                                                  SHA512

                                                                  8cf776ec9332fcff9a6a080f39a6c734df4ccfb9bf405232f00d967d80ff4968c248077d90a7eff368ae3d7ac0edc8f504596212bf176364bb5ae37532c7969b

                                                                • C:\tempenc\encrypt.exe

                                                                  Filesize

                                                                  3.0MB

                                                                  MD5

                                                                  a48ee000e248741247c24dc70fa2f936

                                                                  SHA1

                                                                  4c814fe7c94e6fb4d1d89cdae7e6e83905c459d7

                                                                  SHA256

                                                                  bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c

                                                                  SHA512

                                                                  8bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34

                                                                • C:\tempenc\sdel.exe

                                                                  Filesize

                                                                  350KB

                                                                  MD5

                                                                  803df907d936e08fbbd06020c411be93

                                                                  SHA1

                                                                  4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                                                  SHA256

                                                                  e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                                                  SHA512

                                                                  5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                                                • C:\tempenc\sdel64.exe

                                                                  Filesize

                                                                  448KB

                                                                  MD5

                                                                  e2114b1627889b250c7fd0425ba1bd54

                                                                  SHA1

                                                                  97412dba3cbeb0125c71b7b2ab194ea2fdff51b2

                                                                  SHA256

                                                                  5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60

                                                                  SHA512

                                                                  76ca5f677bc8ee1485f3d5b028b3a91f74344e9ff7af3c62a98e737a9888bd35389b3e6bf7b8b67747e0f64e1c973c0708864f12de1388b95f5c31b4e084e2e1

                                                                • C:\tempenc\session.tmp

                                                                  Filesize

                                                                  32B

                                                                  MD5

                                                                  5d52bf0ad56a46b3ec3f0f0cdae0c74e

                                                                  SHA1

                                                                  128b12c7f5432fa1280eb4d74c4242fa49732f6c

                                                                  SHA256

                                                                  09c09be4e16f8e9b1ac66e62766affc2a40801dd071a14f073089ac497fe5c48

                                                                  SHA512

                                                                  abaf7f21d9956b59dea8d761e854a1f67cf7f201c94c5cfae372da6c0da518be45f6d3b31f75e3ac55670ec1a1b5bad49b3e8d3a82fe132413f3761ac1d69f33
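The dropped-file hashes in this report are ready-made host indicators. What follows is an added example, not part of the sandbox report and not the sample's own code, of a sweep that hashes every file under a directory once, computing MD5, SHA1, SHA256 and SHA512 in a single read, and reports any file whose SHA256 appears in the table. The IoC table copies the SHA256 values listed above; the scan root, the file names and the bytes written in `demo()` are constructed for the demonstration. Two caveats when using these as indicators: Everything.exe and the Everything*.dll files are named after components of the voidtools Everything search tool, which this family is documented to bundle, so a hit on those hashes alone is only meaningful together with the unusual drop path (C:\tempenc) and the other artifacts; and the .ini, .db and .tmp files are generated at run time, so their hashes are specific to this sandbox run and will rarely match on another host. The stable indicators are the executables, encrypt.exe in particular.

```python
import hashlib
import os
import tempfile

# Dropped-file IoCs copied from the sandbox report: report path -> SHA256.
DROPPED_FILES = {
    "C:\\tempenc\\Everything.db":    "12921122de3b5525aab45bec5e7e0974e5da57914693bba12d5f6234f9e508a9",
    "C:\\tempenc\\Everything.exe":   "4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405",
    "C:\\tempenc\\Everything.ini":   "d2bda99bfdadb5e0a9464d841f66c28891c67382e6c044b8e14aa46923601326",
    "C:\\tempenc\\Everything2.ini":  "89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5",
    "C:\\tempenc\\Everything32.dll": "8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880",
    "C:\\tempenc\\Everything64.dll": "816fe96f0fff9475069d14cff51def4b823e1423c1aa464961ee6a61f7a62200",
    "C:\\tempenc\\encrypt.exe":      "bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c",
    "C:\\tempenc\\sdel.exe":         "e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c",
    "C:\\tempenc\\sdel64.exe":       "5434dfdb731238edcb07a8c3a83594791536dda7a63c29f19be7bb1d59aedd60",
    "C:\\tempenc\\session.tmp":      "09c09be4e16f8e9b1ac66e62766affc2a40801dd071a14f073089ac497fe5c48",
}
# Inverted for O(1) lookup by digest; the report path becomes the label on a hit.
IOC_BY_SHA256 = {sha: path for path, sha in DROPPED_FILES.items()}

ALGOS = ("md5", "sha1", "sha256", "sha512")   # the four columns the report lists


def digests(data: bytes) -> dict:
    """All four digests of an in-memory buffer, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def file_digests(path: str, chunk: int = 1 << 20) -> dict:
    """Same four digests for a file on disk, read once in 1 MiB chunks so that
    large files (Everything.db is 47 MB in the report) are never loaded whole."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match(digest: dict, iocs: dict = IOC_BY_SHA256) -> list:
    """Labels of IoC entries whose SHA256 equals this digest's SHA256 ([] if none)."""
    label = iocs.get(digest["sha256"])
    return [label] if label else []


def scan_directory(root: str, iocs: dict = IOC_BY_SHA256) -> list:
    """Walk `root`, hash every regular file exactly once, and return a list of
    (local_path, sha256, [matched_report_paths]) tuples, one per hit."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                d = file_digests(local)
            except OSError:
                # Locked, vanished or unreadable file: skip it, do not abort the sweep.
                continue
            matched = match(d, iocs)
            if matched:
                hits.append((local, d["sha256"], matched))
    return hits


def demo() -> list:
    """Constructed demonstration (no real dropped file is available offline):
    write a file with made-up bytes, register its hash as an extra IoC, and
    confirm the sweep reports it once and ignores the benign neighbour."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sdel64.exe")   # name only; the content is constructed
        with open(sample, "wb") as f:
            f.write(b"constructed bytes, not the sample's real sdel64.exe")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign file that must not match")
        iocs = dict(IOC_BY_SHA256)
        iocs[file_digests(sample)["sha256"]] = "constructed: sdel64.exe"
        return scan_directory(root, iocs)


if __name__ == "__main__":
    for local, sha, labels in demo():
        print(f"{local}  {sha}  matches {labels}")
```

To sweep a live host, call `scan_directory(r"C:\")` (or the drive roots you care about) with the default table; a hit on the legitimate Everything components should be weighed against its location and the presence of encrypt.exe or sdel*.exe next to it rather than treated as malicious on its own.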