Resubmissions

18-08-2024 08:26

240818-kbzlnsxfnm 10

18-08-2024 08:17

240818-j6x6navale 10

Analysis

  • max time kernel
    295s
  • max time network
    312s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    18-08-2024 08:26

General

  • Target

    malware.zip

  • Size

    19.0MB

  • MD5

    dbe043570af9fefa680af63700077184

  • SHA1

    115e824543c9281399d9670a583ff4b1dde422ef

  • SHA256

    ec0f02edde4086d5f3dad2cd8fe33bbea9d68245f0d75affe2135ae0270a4543

  • SHA512

    1a6b44da4b0cd14c7d482d3e4e717b3ea4a908841ec318bb2a56e8afcf659f2bd5ffba187974de62de07c590a8e55a813493577ce87e826efa52ac9a80a9bc6a

  • SSDEEP

    393216:Fdlmao1Hn7SIRferH0dUmWCb9R8Vi0od6mwLb7Be4H1Cu1m72WEyU6h1+DzXUwCk:XS7SafbUmWCbjQmwLb7Be4H1J1m72WER

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Datadecrypt.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
Your personal ID: I9AcnWikolOyFit53rbLApU4ddhB1Sc2j8PpuTtQCQQ*Jami_decryptionguy
If you want to recover your files, write us
1)Jami messenger (Fastest and anonymous) https://jami.net/
Also you can find it on your phone at google play/app store
Install it on your server,phone or tablet
Press sign up and do your own nickname
And add me/write message - Decryptionguy (use search)
2) TOX messenger (fast and anonymous) https://tox.chat/download.html
Install qtox
Press sign up
Create your own name
Press plus
Put there our tox ID: E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB
And add me/write message
3)Mail - [email protected] (USE ONLY IF WE NOT REPLY MORE THEN 24H)
Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
URLs

https://jami.net/

https://tox.chat/download.html

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • UAC bypass 3 TTPs 8 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 18 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 30 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in Windows directory 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 31 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
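
The signatures above are triggered by a handful of plain command lines that are all visible in the process tree below: powercfg disabling hibernation and setting the power-button, sleep-button and lid-close actions to "Do nothing" on both AC and DC before switching to the High performance and Ultimate performance schemes, bcdedit turning off the recovery environment, wbadmin deleting the backup catalog and system state backups, and PowerShell stopping Hyper-V guests and dismounting their disk images so the VHDs can be encrypted. The following script is an added example for this report, not code from the sandbox or from the sample: it takes the CommandLine field of process-creation telemetry (Sysmon Event ID 1 or Security 4688), decodes the power GUIDs using Windows' documented scheme and setting identifiers, and labels each line with the behaviour it implements. SAMPLE_CMDLINES is a constructed list copied from the tree plus one benign control line; the reading of DC.exe /D as the Defender Control disable switch follows public Mimic reporting and is not something this report itself establishes.

```python
"""Map process-creation command lines to the behaviours the Signatures list
names (recovery inhibition, power-setting abuse, Hyper-V teardown, dropped
helper tools). Added example for this report, not code from the sandbox or
the sample. Input is the CommandLine field of Sysmon Event 1 / Security
4688; SAMPLE_CMDLINES is constructed from the tree plus one benign line.
GUID names are Windows' documented power identifiers."""
import re

# Documented Windows power GUIDs seen in the tree (keys lower-case).
POWER_GUIDS = {
    "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c": "scheme: High performance",
    "e9a42b02-d5df-448d-aa00-03f14749eb61": "scheme: Ultimate performance",
    "4f971e89-eebd-4455-a8de-9e59040e7347": "subgroup: Power buttons and lid",
    "7648efa3-dd9c-4e3e-b566-50f929386280": "setting: Power button action",
    "96996bc0-ad50-47ec-923b-6f41874dd9eb": "setting: Sleep button action",
    "5ca83367-6e45-459f-a27b-476b1d01c936": "setting: Lid close action",
}
# Index values for the button/lid actions; 0 means the event is ignored.
ACTION_VALUES = {"0": "Do nothing", "1": "Sleep", "2": "Hibernate", "3": "Shut down"}
_VALUEINDEX = re.compile(r"-(setac|setdc)valueindex\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.I)
_WATCHDOG = re.compile(r"-e\s+watch\s+-pid\s+(\d+)", re.I)

SAMPLE_CMDLINES = [  # constructed from the process tree in this report
    r'"C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e watch -pid 4604 -!',
    "DC.exe /D",
    "powercfg.exe -H off",
    "powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0",
    "powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0",
    "powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61",
    'powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"',
    "bcdedit.exe /set {default} recoveryenabled no",
    "wbadmin.exe delete catalog -quiet",
    r"C:\Windows\System32\svchost.exe -k netsvcs",  # benign control line
]


def _guid_name(guid):
    return POWER_GUIDS.get(guid.lower(), "unknown GUID " + guid)


def classify(cmdline):
    """Return {'technique': ..., 'detail': ...} for a command line matching one
    of the report's behaviours, or None for anything else."""
    line = cmdline.strip()
    tokens = line.split()
    if not tokens:
        return None
    low, args = line.lower(), " ".join(tokens[1:])
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()  # image basename

    m = _WATCHDOG.search(line)
    if m:  # child relaunched with -e watch -pid <parent> keeps the parent alive
        return {"technique": "watchdog_child", "detail": "guards parent PID " + m.group(1)}
    if image == "powercfg.exe":
        m = _VALUEINDEX.match(args)
        if m:
            source = "AC" if m.group(1).lower() == "setac" else "DC"
            names = " / ".join(_guid_name(g) for g in m.group(2, 3, 4))
            value = ACTION_VALUES.get(m.group(5), m.group(5))
            return {"technique": "power_setting_changed", "detail": f"{names} -> {value} ({source})"}
        if args.lower() == "-h off":
            return {"technique": "hibernation_disabled", "detail": line}
        if len(tokens) == 3 and tokens[1].lower() == "-s":
            return {"technique": "power_scheme_activated", "detail": _guid_name(tokens[2])}
    elif image == "bcdedit.exe":
        if "recoveryenabled no" in low:
            return {"technique": "recovery_environment_disabled", "detail": line}
        if "bootstatuspolicy ignoreallfailures" in low:
            return {"technique": "boot_failure_recovery_suppressed", "detail": line}
    elif image == "wbadmin.exe":
        if "delete catalog" in low:
            return {"technique": "backup_catalog_deleted", "detail": line}
        if "delete systemstatebackup" in low:
            return {"technique": "system_state_backup_deleted", "detail": line}
    elif image == "powershell.exe":
        if "stop-vm" in low:
            return {"technique": "hyperv_vms_stopped", "detail": line}
        if "dismount-diskimage" in low:
            return {"technique": "disk_images_dismounted", "detail": line}
    elif image == "dc.exe" and [t.lower() for t in tokens[1:]] == ["/d"]:
        # /D is the disable switch of the Defender Control tool that public
        # Mimic analyses describe; the report itself only shows the name.
        return {"technique": "defender_control_disable", "detail": line}
    elif image == "everything.exe" and "-startup" in low:
        return {"technique": "file_index_tool_started", "detail": line}
    return None


def summarize(cmdlines):
    """Count matched techniques across a batch of command lines."""
    counts = {}
    for hit in filter(None, map(classify, cmdlines)):
        counts[hit["technique"]] = counts.get(hit["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd))
    print(summarize(SAMPLE_CMDLINES))
```

Any one of these lines is legitimate on its own (an administrator can disable hibernation or delete a backup catalog), which is why summarize() counts techniques per batch: the combination of hibernation off, button and lid actions set to "Do nothing", recovery disabled and the catalog deleted within a few seconds from one parent is the pattern worth alerting on, not the individual command.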

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\malware.zip
    1⤵
      PID:3688
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4500
      • C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]
        "C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]"
        1⤵
        • Modifies system executable filetype association
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:720
        • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
          "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe"
          2⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system executable filetype association
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4604
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c DC.exe /D
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4992
            • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\DC.exe
              DC.exe /D
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2960
          • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
            "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e watch -pid 4604 -!
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3036
            • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
              "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies system executable filetype association
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:652
              • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
                "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe"
                5⤵
                • UAC bypass
                • Event Triggered Execution: Image File Execution Options Injection
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system executable filetype association
                • Checks whether UAC is enabled
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:2084
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c DC.exe /D
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:3192
                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\DC.exe
                    DC.exe /D
                    7⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3880
                • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
                  "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e watch -pid 2084 -!
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:296
                • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
                  "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul1
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:304
                • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
                  "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul2
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:312
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -H off
                  6⤵
                  • Power Settings
                  PID:2368
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                  6⤵
                  • Power Settings
                  PID:4588
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                  6⤵
                  • Power Settings
                  PID:1056
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                  6⤵
                  • Power Settings
                  PID:3548
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                  6⤵
                  • Power Settings
                  PID:836
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                  6⤵
                  • Power Settings
                  PID:4988
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                  6⤵
                  • Power Settings
                  PID:200
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                  6⤵
                  • Power Settings
                  PID:1972
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                  6⤵
                  • Power Settings
                  PID:2196
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                  6⤵
                  • Power Settings
                  PID:4860
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
                  6⤵
                  • Power Settings
                  PID:1892
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
                  6⤵
                  • Power Settings
                  PID:1520
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
                  6⤵
                  • Power Settings
                  PID:4020
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                  6⤵
                  • Power Settings
                  PID:1220
                • C:\Windows\SYSTEM32\powercfg.exe
                  powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
                  6⤵
                  • Power Settings
                  PID:3740
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:2240
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:1356
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  PID:3340
                • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
                  "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe" -startup
                  6⤵
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2960
                • C:\Windows\SYSTEM32\bcdedit.exe
                  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1980
                • C:\Windows\SYSTEM32\bcdedit.exe
                  bcdedit.exe /set {default} recoveryenabled no
                  6⤵
                  • Modifies boot configuration data using bcdedit
                  PID:3568
                • C:\Windows\SYSTEM32\wbadmin.exe
                  wbadmin.exe DELETE SYSTEMSTATEBACKUP
                  6⤵
                  • Deletes System State backups
                  • Drops file in Windows directory
                  PID:1960
                • C:\Windows\SYSTEM32\wbadmin.exe
                  wbadmin.exe delete catalog -quiet
                  6⤵
                  • Deletes backup catalog
                  PID:1996
                • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
                  "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe" -startup
                  6⤵
                  • Executes dropped EXE
                  • Enumerates connected drives
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1084
          • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
            "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul1
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3904
          • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
            "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul2
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:124
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -H off
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2724
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4572
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            3⤵
            • Power Settings
            PID:1432
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            3⤵
            • Power Settings
            PID:2200
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            3⤵
            • Power Settings
            PID:1912
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            3⤵
            • Power Settings
            PID:4896
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4500
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1504
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            3⤵
            • Power Settings
            PID:3476
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            3⤵
            • Power Settings
            PID:1216
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            3⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3140
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
            3⤵
            • Power Settings
            PID:4100
          • C:\Windows\SYSTEM32\powercfg.exe
            powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
            3⤵
            • Power Settings
            PID:4636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4404
          • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
            "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe" -startup
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4776
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            3⤵
            • Modifies boot configuration data using bcdedit
            PID:3764
          • C:\Windows\SYSTEM32\bcdedit.exe
            bcdedit.exe /set {default} recoveryenabled no
            3⤵
            • Modifies boot configuration data using bcdedit
            PID:2400
          • C:\Windows\SYSTEM32\wbadmin.exe
            wbadmin.exe DELETE SYSTEMSTATEBACKUP
            3⤵
            • Deletes System State backups
            • Drops file in Windows directory
            PID:4308
          • C:\Windows\SYSTEM32\wbadmin.exe
            wbadmin.exe delete catalog -quiet
            3⤵
            • Deletes backup catalog
            PID:1244
          • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
            "C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe" -startup
            3⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]" & cd /d "C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F" & Del /f /q /a *.exe *.bat"
          2⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4100
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.2 -n 5
            3⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1860
          • C:\Windows\SysWOW64\fsutil.exe
            fsutil file setZeroData offset=0 length=20000000 "C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:228
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:3688
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
            PID:2012
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:1680
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:1852
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
                PID:1436
              • C:\Windows\system32\wbengine.exe
                "C:\Windows\system32\wbengine.exe"
                1⤵
                  PID:1712
                • C:\Windows\System32\vdsldr.exe
                  C:\Windows\System32\vdsldr.exe -Embedding
                  1⤵
                    PID:4340
                  • C:\Windows\System32\vds.exe
                    C:\Windows\System32\vds.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    PID:4380
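
The cmd.exe child of the dropper (PID 4100 in the tree) is the sample's self-wipe: "ping 127.2 -n 5" is a sleep (ping accepts abbreviated dotted-decimal, so 127.2 is the loopback address 127.0.0.2 and the echoes take a few seconds), then fsutil setZeroData overwrites the first 20,000,000 bytes of the dropper on disk, and del removes every .exe and .bat left in the staging directory. The zeroing matters for forensics: a copy carved later will have the right size but no PE header. The script below is an added example, not code from the report or from the sample. SELF_WIPE_CMDLINE is copied from the tree; the dropper's filename appears on this page only as "[email protected]" and is kept that way. It splits the chain on unquoted "&", resolves the ping target with socket.inet_aton (which accepts the same abbreviated forms ping does), parses the fsutil and del steps, and adds a small triage check for a header that has been zeroed in place.

```python
"""Decode the dropper's self-wipe chain (the cmd.exe line under PID 720 in
the tree above) into its steps. Added example, not code from the report or
the sample. SELF_WIPE_CMDLINE is copied from the tree; the dropper's name
appears on the page only as "[email protected]" and is left as-is."""
import re
import socket

SELF_WIPE_CMDLINE = (
    r'cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 '
    r'"C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F\[email protected]" '
    r'& cd /d "C:\Users\Admin\Desktop\C963AEC1-6D52-EB4D-61BC-64DB2602EE5F" & Del /f /q /a *.exe *.bat"'
)
_CMD_WRAPPER = re.compile(r'cmd(?:\.exe)?\s+(?:/\w\s+)*"(.*)"\s*$', re.I | re.S)


def unwrap_cmd(cmdline):
    """Return the quoted chain handed to cmd.exe /c, or the line unchanged."""
    m = _CMD_WRAPPER.match(cmdline.strip())
    return m.group(1) if m else cmdline.strip()


def split_chain(chain):
    """Split on '&' outside double quotes so quoted paths stay intact."""
    steps, buf, in_quotes = [], [], False
    for ch in chain:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            steps.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    steps.append("".join(buf).strip())
    return [s for s in steps if s]


def resolve_ping_target(host):
    """ping accepts abbreviated dotted-decimal ('127.2'); so does inet_aton."""
    return socket.inet_ntoa(socket.inet_aton(host))


def decode_step(step):
    m = re.match(r"ping\s+(\S+)(?:\s+-n\s+(\d+))?", step, re.I)
    if m:
        count = int(m.group(2) or 4)  # Windows ping sends 4 echoes by default
        return {"step": "sleep", "target": resolve_ping_target(m.group(1)),
                "approx_delay_s": max(count - 1, 0)}  # roughly 1 s between echoes
    m = re.match(r'fsutil\s+file\s+setzerodata\s+offset=(\d+)\s+length=(\d+)\s+"?(.+?)"?\s*$', step, re.I)
    if m:
        return {"step": "zero_fill", "offset": int(m.group(1)),
                "length": int(m.group(2)), "path": m.group(3)}
    m = re.match(r'cd\s+(?:/d\s+)?"?(.+?)"?\s*$', step, re.I)
    if m:
        return {"step": "chdir", "path": m.group(1)}
    m = re.match(r"del\s+(.*)$", step, re.I)
    if m:
        parts = m.group(1).split()
        return {"step": "delete",
                "flags": [p.lower() for p in parts if p.startswith("/")],
                "patterns": [p for p in parts if not p.startswith("/")]}
    return {"step": "other", "raw": step}


def decode_self_wipe(cmdline):
    """Ordered list of decoded steps for a cmd.exe /c chain."""
    return [decode_step(s) for s in split_chain(unwrap_cmd(cmdline))]


def looks_zero_wiped(data, window=512):
    """Triage check on a recovered file: setZeroData keeps the file size but
    the leading bytes (where the MZ header sat) now read back as zeros."""
    head = data[:window]
    return len(head) > 0 and not any(head)


if __name__ == "__main__":
    for step in decode_self_wipe(SELF_WIPE_CMDLINE):
        print(step)
```

On NTFS, setZeroData over a range that large is realised as a sparse hole rather than a physical overwrite, so the original clusters may still be recoverable from unallocated space with a carver; the "del" afterwards is what unlinks the file, and the ping delay exists so that the dropper's own process has exited before its image is zeroed.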

                  Network

                  MITRE ATT&CK Enterprise v15


                  Downloads

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\7za.exe

                    Filesize

                    772KB

                    MD5

                    b93eb0a48c91a53bda6a1a074a4b431e

                    SHA1

                    ac693a14c697b1a8ee80318e260e817b8ee2aa86

                    SHA256

                    ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                    SHA512

                    732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\DC.exe

                    Filesize

                    802KB

                    MD5

                    ac34ba84a5054cd701efad5dd14645c9

                    SHA1

                    dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                    SHA256

                    c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                    SHA512

                    df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe

                    Filesize

                    2.4MB

                    MD5

                    0bf7c0d8e3e02a6b879efab5deab013c

                    SHA1

                    4f93d2cda84e669eeddcfeb2e2fa2319901059a1

                    SHA256

                    b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9

                    SHA512

                    313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.db

                    Filesize

                    28.7MB

                    MD5

                    5be65f749d8536954c242d0f541a21a6

                    SHA1

                    ff2a66004ec61337c1dc2be777c8ea1ed75a8308

                    SHA256

                    cf98330caf3aca7e70676b034507647c377bc487d8a666945b089d698de63b62

                    SHA512

                    d8076764c0888e63d823185fdba4392d2bcea14a2f94c367d7fdd863afff518e49ce2d6b4f815450bd5e394db791911ba489bf82be6e884d159cd4af3a2c3081

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.db

                    Filesize

                    10.1MB

                    MD5

                    b175ec3c0dd4234711d0bbc7ae625923

                    SHA1

                    65f9ec7d278b9770638a5d38bd4946970a6327f5

                    SHA256

                    9984de96e76712d2fd6ce3c3b16c7a4c6dd8831568f6a92bac8bd7be035d6098

                    SHA512

                    6a52c3ed19165afc1acb20ac55e468776942147c8ee94dc707a97246f338c9fbf0ea25b783a7c4486d790d65fba8f8eb4e7293310fad9941c773754cd8af25a9

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.db

                    Filesize

                    10.1MB

                    MD5

                    ec96fbb8e93ee0a84aaadb9b56718ddb

                    SHA1

                    0dbf0febfe525174d384c38a4b6ef06726226020

                    SHA256

                    d1fac3fc95552584097f2e8d970ba34944ebae4ab5df9a6f6fc0681907db750e

                    SHA512

                    c33433f6ff19c97dc7524bd00f27250183115357156e59a5971a9052c36cef4078961fad6723aa63551356e2c9fb614015ffd4ded5e1ca293e62498fad5a38e8

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.db.tmp
                    Filesize: 10.1MB
                    MD5: 11bf1aa9acf73b1bb79a80b5895fde3e
                    SHA1: e16a961e926e7eed7329a5be0a12d5a4c6f79340
                    SHA256: 7b632a86060127b70c57688dde26ec0e769b8c07ce0abd6a20c8f6a3c598eeae
                    SHA512: d242222911eaab01311790c18f74a6c3b35ed6a4a490fe31ab7bd27b030c3a08aa62030c4b706eb2ab688101059aa14d48526656b4557f3990ab1e773318f0da

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
                    Filesize: 1.7MB
                    MD5: c44487ce1827ce26ac4699432d15b42a
                    SHA1: 8434080fad778057a50607364fee8b481f0feef8
                    SHA256: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
                    SHA512: a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.ini
                    Filesize: 20KB
                    MD5: b08dea2c475176c96e29eacc73667b24
                    SHA1: 65ebd451669ae873b96df95d46ecec7de216293e
                    SHA256: 2a2a0fe8ba8f77a156d5bd3a5e9bf3628437afb19680964fe12a63b63959ab2f
                    SHA512: 47f4b74022c457bf2eec57284f24cd339496de389ba344f2ad5b067e0baf16c361bff6caf573721b022e544763a6d6b559213efa621d7a8b1fa334fc371a2fcd

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.ini
                    Filesize: 20KB
                    MD5: ea661c26834a6862fc3ebf42a81be794
                    SHA1: 1f3c27131797dfc06a8999c9dd27adeb0deeb820
                    SHA256: 6dadd0798e07e410c9e3c7fe9530c12d66855ff29d622569dafc525d04deefaf
                    SHA512: 8516dd92d761d56313af636de05823a3148fa61392cc863703ccd8723e2c12136edb1b2f89173e110558444c4e63a82028e66c3ea8449c9e3a0b705f5b2db956

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything2.ini
                    Filesize: 550B
                    MD5: 51014c0c06acdd80f9ae4469e7d30a9e
                    SHA1: 204e6a57c44242fad874377851b13099dfe60176
                    SHA256: 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
                    SHA512: 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything32.dll
                    Filesize: 84KB
                    MD5: 3b03324537327811bbbaff4aafa4d75b
                    SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
                    SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
                    SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything64.dll
                    Filesize: 2.5MB
                    MD5: e7cecb49da4cefd6f0b306ff09afdcb4
                    SHA1: 5ea8f3e6a1243f12290b473ca1948fb3bec7be0f
                    SHA256: b4c78dcf7c9bfe60c2c61cab64243fe72a94a2ba002d0c742fadd56b1a92bfdd
                    SHA512: 29589431b6e6e479c8a8cb0ad7e98905f5891e8c3b12d73a6a985e2cac40385d1c88529b14bcd8e614d01bfc6bc8068447274c4b485d35900677f583f49a3347

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Jami.exe
                    Filesize: 2.4MB
                    MD5: 7f861580d2292e2f2c438f875725fd2f
                    SHA1: 20dd7b7d4cddf91aabcfe79d97dbaaaf277b7654
                    SHA256: bd6775e772ad56d7dc4f1c7cec73fff98e6b03a2a9d109abe69a7c125a2c7828
                    SHA512: a3ea904f97256840fc5a8636e9a2fb73d119de4e8979224b79e888c5bd3c4fc9eb748f264e13c9acd86e1de312d5f371b39197dd0f0d1e256c1c94566876f78d

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\global_options.ini
                    Filesize: 12KB
                    MD5: 84f6a8f7607a096ba9c0cb704ae6ac8f
                    SHA1: 48d951cc741484e87fdb6d08924385f8e1ae340d
                    SHA256: d7724e06402a2b1fc49f95178c1f8f9006f9c6a0636a7be4e29cd5474339013d
                    SHA512: 60ae5fc39691dedebeb0f4e31630be778fb893f1c868996fa9d3b7ba4dd15be389e9a41a395f979357ac2d72eff80caa2fada5614428c569c68ef14d415d4b3a

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\gui35.exe
                    Filesize: 276KB
                    MD5: 03a63c096b9757439264b57e4fdf49d1
                    SHA1: a5007873ce19a398274aec9f61e1f90e9b45cc81
                    SHA256: 22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46
                    SHA512: 0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\gui40.exe
                    Filesize: 276KB
                    MD5: 57850a4490a6afd1ef682eb93ea45e65
                    SHA1: 338d147711c56e8a1e75e64a075e5e2984aa0c05
                    SHA256: 31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615
                    SHA512: 15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\session.tmp
                    Filesize: 32B
                    MD5: f3fecae31ffe8e63f962c2779e24f1f5
                    SHA1: c1f3d5cba932ef8d8664e22da102e190ce64c60e
                    SHA256: 579c870a0f12af418e36b48b5f43bc5e38522d6aeca628b031dbc65ce82114be
                    SHA512: 9b1c9c4e685bdc5ee46c0ca297e398a6008766d3b3011de7bddca67c3fba3596b6121b5189093d0d22badd0031a22408ec520cd95aa28a33ca087815caeb0271

                  • C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\xdel.exe
                    Filesize: 350KB
                    MD5: 803df907d936e08fbbd06020c411be93
                    SHA1: 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
                    SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
                    SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                  • C:\Users\Admin\AppData\Local\Datadecrypt.txt
                    Filesize: 2KB
                    MD5: 1f43c3c88d3c0e8c6bf39969391e5891
                    SHA1: 38618bf833bbe691a6307d4f832d87d66b649f59
                    SHA256: 444b546728cfe4120d72fff22c7c98d1fd894ecbfa1b6658006c30623ddb5602
                    SHA512: bd49bb786b3b9fb264593147d5e33b0c48f5feac7caa7d15cd8c8589798bffd67ee97e2816d93792f752f7ca91972c96fe3d6a822ae3436cb6e00db4567eac66

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize: 2KB
                    MD5: 627073ee3ca9676911bee35548eff2b8
                    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
                    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
                    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize: 944B
                    MD5: 2e8eb51096d6f6781456fef7df731d97
                    SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
                    SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
                    SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize: 360B
                    MD5: 4a81e436018ab218090069f14539c4d5
                    SHA1: b1537155ae586338710452934241604cbc4f3fe6
                    SHA256: 8b0e0e88bdc292ad4613f08d57a631540e283c5cb806d8cde23be0aac8993149
                    SHA512: c56847388fb676dc42c474a9bddccfe187c5d16f83d37664f4942130656844d8e920cd64c319117bff78bfafc559f56929c71cb482c735e9a6674af18bd0fd0f

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize: 1KB
                    MD5: 4e96693b77d235c07aa3292c00101e79
                    SHA1: e0cbadc04154568f0414265d9c573a717e75c73d
                    SHA256: 128deb6c8f12c4835cff503d05d2b8d7570711e662cd323a1aab6190fdfd80d1
                    SHA512: b3d26d2e1647e0f54a18ed6eb8a57088795873ca8f4fc1d087e6141f867810bf8d6de6092a6222749cadbb871fefbfcbb1dbcb53aa44befa7ddb886a5d6cc8b7

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize: 944B
                    MD5: 84027e49176a6ecefebae25056c62875
                    SHA1: c7f390295c00a0fc6baf95e3ba2b910ef8c55feb
                    SHA256: 76a5cfe37260bf57c734a6e7921e4230404d30149a432a5ae15936748d50c2fa
                    SHA512: c904619ac7476f8166a8b136fce7f29025c4c1c4d5ab545747145920d0496dd690149a749eff406b08ea5ecb2fb5bd34ae8bedcfda94b69862bccdbafeffaca0

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize: 119B
                    MD5: 5120479a4d900f6ce5f46892e5ee7d51
                    SHA1: 4ad8be49cf43f525c5e88e5f32f6ea0ec5f10823
                    SHA256: e20e3fd3b457210b453121f07e1afca25e11342b8bee50199ba7a7a8c5bd7dcd
                    SHA512: 831943c7d76a03ff97e383791dc99daa45da3e5a3e143c00d39cb828cf1ca49758c917c3b82ec70787b1950becfc3c0c2c0a9d9c27a386d2c8755f3ae1c583be

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vhjfjif.pz1.ps1
                    Filesize: 60B
                    MD5: d17fe0a3f47be24a6453e9ef58c94641
                    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Admin\AppData\Local\Temp\zgecqyw
                    Filesize: 37KB
                    MD5: 4f4cfdec02b700d2582f27f6943a1f81
                    SHA1: 37027566e228abba3cc596ae860110638231da14
                    SHA256: 18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7
                    SHA512: 146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

                  • C:\temp\MIMIC_LOG.txt
                    Filesize: 5KB
                    MD5: 5f3a0161fbb054217a3b23c9003f229c
                    SHA1: 88ef7bf1c9952540fd1796504ac7f02197c8f0ed
                    SHA256: 8a9618af390e7f29b2a5eeaca1bddcb9850fd0e6cdb951b3d4184c6ce3f99618
                    SHA512: e918db9273c0dc1d0a1ec7d46a8f42bdbbb28178c0b79b8969b38036128cd54c460bf8040cfa64461af7d73e04ce7afb4e6ce4ec2c1245c5d4dc7839635e3320

                  • C:\temp\MIMIC_LOG.txt
                    Filesize: 3KB
                    MD5: 6db91c5a776786bedf429edfea97ae7b
                    SHA1: 88817f8d98f9789c5b041b09e0a13748e306b37c
                    SHA256: a0394ac9e4b22fb774f43555bd0680b4c6e6f78a1cbaf7e5a1eb5659a5211453
                    SHA512: cd6b931728b965c939bf712accf89129ba0f0920308f87aa20aa04f823c45c1853d7cc32a7c45d3ab216fe370dc0c6ca4e7e66d2a06133c14cfbe9cc9dc0b532

                  • C:\temp\MIMIC_LOG.txt
                    Filesize: 4KB
                    MD5: ee9cd7a8dcf52d178df84adb932ca9d2
                    SHA1: 8b505b89cfb64b772b33c15fcecbdfe0f4930a19
                    SHA256: f549fb8f39895aafcb94869ec4c2ae88ccdbcd214c627dae91d0376ec43639ba
                    SHA512: 526d3c1bc20920e77d934338d20d04d21dfa3edf0ca5cb9a997170ee32d3a254405c4dd00592da2b1d3f0f3ac0753814cf738dab4f29a12feb38b52911382ff9

                  • memory/4404-100-0x0000016A5FCA0000-0x0000016A5FCAA000-memory.dmp
                    Filesize: 40KB

                  • memory/4404-80-0x0000016A5FAB0000-0x0000016A5FAD2000-memory.dmp
                    Filesize: 136KB
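The dropped-file listing above is, in practice, a set of file-hash indicators. The Python below is an added example, not part of the sandbox report: it parses a listing in this layout (accepting both a label followed by its value on the next line and "Label: value" on one line), flags malformed or truncated digests (a SHA512 cut in half by page extraction, for instance), and hashes a directory tree against the SHA256 set. SAMPLE_REPORT is a constructed excerpt: the Everything64.dll entry copied from the listing above plus two synthetic entries under a hypothetical C:\sample\ path, one holding the well-known digests of an empty file and one whose SHA512 is deliberately truncated. The scratch directory built in demo() is likewise constructed; on a real host you would point scan_tree at a user profile or a mounted image.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt: one entry copied from the listing above (label on one
# line, value on the next), plus two synthetic C:\sample\ entries: the digests
# of an empty file, and a record whose SHA512 is deliberately truncated.
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything64.dll
  Filesize
  2.5MB
  MD5
  e7cecb49da4cefd6f0b306ff09afdcb4
  SHA1
  5ea8f3e6a1243f12290b473ca1948fb3bec7be0f
  SHA256
  b4c78dcf7c9bfe60c2c61cab64243fe72a94a2ba002d0c742fadd56b1a92bfdd
  SHA512
  29589431b6e6e479c8a8cb0ad7e98905f5891e8c3b12d73a6a985e2cac40385d1c88529b14bcd8e614d01bfc6bc8068447274c4b485d35900677f583f49a3347
• C:\sample\empty.bin
  Filesize: 0B
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• C:\sample\truncated.bin
  Filesize: 5B
  MD5: 5d41402abc4b2a76b9719d911017c592
  SHA1: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
  SHA256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
  SHA512: deadbeef
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")


def parse_report(text):
    """Return [{'path': ..., 'Filesize': ..., 'MD5': ..., ...}] from the listing,
    accepting both 'Label: value' lines and a label followed by its value line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            records.append({"path": ln[1:].strip()})
        elif records and (m := LABEL_RE.match(ln)):
            label, value = m.group(1), m.group(2).strip()
            if not value and i + 1 < len(lines):
                i += 1                      # value is on the following line
                value = lines[i]
            records[-1][label] = value if label == "Filesize" else value.lower()
        i += 1
    return records


def validate(rec):
    """List the problems with one record: missing, non-hex or wrong-length digests."""
    return [f"{k} malformed: {rec.get(k)!r}" for k, n in HEX_LEN.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % n, rec.get(k, ""))]


def index_by_sha256(records):
    """Map well-formed SHA256 -> record; a bad SHA512 does not disqualify a record."""
    return {r["SHA256"]: r for r in records
            if re.fullmatch(r"[0-9a-f]{64}", r.get("SHA256", ""))}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Return [(local path, indicator path)] for files whose SHA256 is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                d = sha256_file(p)
            except OSError:                 # unreadable or vanished file
                continue
            if d in iocs:
                hits.append((p, iocs[d]["path"]))
    return hits


def demo():
    """Scan a constructed scratch directory (an empty file, b'hello', and an
    unrelated file); returns sorted [(local name, indicator file name)]."""
    iocs = index_by_sha256(parse_report(SAMPLE_REPORT))
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("a.bin", b""), ("b.bin", b"hello"), ("c.bin", b"nope")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        hits = scan_tree(d, iocs)
    return sorted((os.path.basename(p), ioc.rsplit("\\", 1)[-1]) for p, ioc in hits)
```

Matching is done on SHA256 only; MD5 and SHA1 are kept for cross-referencing with other reports, and validate() tells you which records carry a digest you should not trust before you load them into a blocklist. Note that the listing records several versions of the same path (Everything.db and MIMIC_LOG.txt are each rewritten during the run), so keep every record rather than deduplicating by path.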