Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 12:52

General

  • Target

    f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe

  • Size

    2.6MB

  • MD5

    b405feb91870f682d15560c84e2eee13

  • SHA1

    02b02649b78f92fba4ffe9ead97be3621d6a9458

  • SHA256

    f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a

  • SHA512

    c40ad6fc166f4f7dd7ade49836fb6c96f77574435e07b580e140c9a542ede832674ee27448fddc62011d2502440a3f4bbcf51d7fd2dedf25d925e8e1eb850522

  • SSDEEP

    49152:wgwR3ifu1DBgutBPNozkquwVOYJU66zpXpY2+2rW+Dc2v+f9D+:wgwR3vguPP+oqhZJ/4HY2LW+wvVK

Malware Config

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Modifies security service 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (6331) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 21 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs commands through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe
    "C:\Users\Admin\AppData\Local\Temp\f44ad68fe484fbff5c0abcdaf063ffbef36d4e43f9d40e61d026c7e51c9bf31a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p259441286182422003 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
        "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe"
        3⤵
        • UAC bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2948
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\DC.exe
            DC.exe /D
            5⤵
            • Modifies security service
            • Executes dropped EXE
            • Windows security modification
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1064
        • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e watch -pid 2948 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1268
        • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe
          "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\YOURDATA.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:340
        • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
          "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2228
          • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
            "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -app-data
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2092
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:960
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:344
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:328
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1048
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1812
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1708
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1584
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1572
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1816
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1172
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1464
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1756
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1664
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:1744
        • C:\Windows\system32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:2996
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2496
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1768
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2000
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:944
        • C:\Windows\system32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:1632
        • C:\Windows\system32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1352
        • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe
          "C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1320
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:2072
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2124
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1392
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1768
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\----Read-Me-----.txt
    Filesize: 1KB
    MD5: 3d4f7d8c774565727bd5aa8e96d4c71d
    SHA1: c70e1d08a4a52c61499f34b5cc974b228eb36b13
    SHA256: 3989800e58ab5671965062f66ea49516ecad071d09e319ff38ee473674897436
    SHA512: 0d00442a57c801f543a006cd4af2d850c2f2cf8454baf885f534ad1ea8a6d3752dfe52ee61f819449c4715db265600279f71298c3a966a37d349c950a129d245

  • C:\Users\Admin\AppData\Local\Everything\Everything.db
    Filesize: 9.3MB
    MD5: 442a1c0a4d7fc01a1ba813cf7f6e1b90
    SHA1: 49968bf141f8930711f53ce9522e4361f8435b2f
    SHA256: dff77aaeca12ced1b908e1f7518a6593eb335180ccae7d244ef4e6193a262952
    SHA512: 6bbe0be8283cdf08844756f1b3875d831100cb3e60164a475ae836cdcd55a59e1d5a4beace178c9ac113cacb0df63cc0121dbbf68a91eb66c029f0a5ccd1530a

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
    Filesize: 300B
    MD5: b544278eabdac52cfc43de42babfd5a1
    SHA1: c5188db9b94daff7624dc4b23b08737dea1434bf
    SHA256: 9cecba59bc812193c90de6bab13ee2ca86f1b3cebeaa994df087010b72e00b86
    SHA512: ae9fa11ea4f9c9b6cf1026c1ff339bbcf3716d4b004d6f66487f874bdd288a191d0693939f47cc8977604a3e4880f9cae0567f2c33ccb44f07d3093850d6735f

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3kn.exe
    Filesize: 2.3MB
    MD5: 21db18d71c45b82cc91f2a08f345c1f4
    SHA1: d0114a9e5ad6a693f03b08569b00fff984a9609a
    SHA256: 63a1b530949154dfa7ad62917aca747193a4d4205b4c0a3953a6154b2c14fea1
    SHA512: 1ef865a4065c96692cfc25093f7e95a7f478667b7befdabae351303626b2b9d9a75799e1c7b18179f6d1a9bd6c46c3f224a85185b525544904bb8c2543cb3c0a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
    Filesize: 802KB
    MD5: ac34ba84a5054cd701efad5dd14645c9
    SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
    SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
    SHA512: df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
    Filesize: 1.7MB
    MD5: c44487ce1827ce26ac4699432d15b42a
    SHA1: 8434080fad778057a50607364fee8b481f0feef8
    SHA256: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
    SHA512: a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
    Filesize: 548B
    MD5: 742c2400f2de964d0cce4a8dabadd708
    SHA1: c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
    SHA256: 2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
    SHA512: 63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
    Filesize: 550B
    MD5: 51014c0c06acdd80f9ae4469e7d30a9e
    SHA1: 204e6a57c44242fad874377851b13099dfe60176
    SHA256: 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
    SHA512: 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
    Filesize: 84KB
    MD5: 3b03324537327811bbbaff4aafa4d75b
    SHA1: 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
    SHA256: 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
    SHA512: ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
    Filesize: 1.7MB
    MD5: 32e57eddfcb3d2bbd1242a892a8744a6
    SHA1: 554b1e5ff39e64bc494fa4112433cc9358d50bc5
    SHA256: 11b9e357a8c2e08ed09f4b305a1f8328ed4537382bb62a2d9fb35540976dbe46
    SHA512: 86da9974ac1cb9d17e916996d6f90fe4a741bc8b95bcf4e2b37c610a797366f86fb5fd380dd93df6dbcb1e6b080820ee5f107a4a3eacd517e9ecc2667462e8fb

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
    Filesize: 350KB
    MD5: 803df907d936e08fbbd06020c411be93
    SHA1: 4aa4b498ae037a2b0479659374a5c3af5f6b8d97
    SHA256: e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
    SHA512: 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

  • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.db
    Filesize: 9.3MB
    MD5: 5b65cca8f9ff2a0f1c4d894cb9401089
    SHA1: dca445d52541becaf65fa6b25c5b6223407211a9
    SHA256: 3145f29d097807c0cbdbd9c2c9e8a01dab68188d536f4027c3ad6be3d20b565a
    SHA512: ef01cc87689d4d5197eab909fef2e9e8ac252265055eb68c12455ab755dc2d5305c3da0a35fc8f450eca1639bf28dda34a53759e808c9fbb8108045628471ecd

  • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.ini
    Filesize: 20KB
    MD5: 83da2aa2c97aeb7292cf5128071d0273
    SHA1: fb5d059a4cd93322384d13c5c2754b1aa99a3b2e
    SHA256: fa9a42b7186ddfd75067f205845e212da4eb81705646a74273f1bba42fa9df92
    SHA512: 3c7328c59acc591c5f7cbd70afa8b28077478147f198cfa71b8b00200a38796b3fae2217196f4f8c1b913f5165e822bd082af83823c27a8934e100d0e4676528

  • C:\Users\Admin\AppData\Local\{1A0B011B-9A76-83A2-7F27-19CE8AE8BD83}\Everything.ini.tmp
    Filesize: 215B
    MD5: d1f6937ee22c4c2a33cdc7c76f4a5ab6
    SHA1: eda5a1e7ec1036ae9805567bb36e4fbe57b5c262
    SHA256: 905fbc87bb075de3106631b4cc6973110b175bd607e728ca28e637232d438e75
    SHA512: a8f7ccc6d6deed765dedccbd81bfedfca1d0c8ce4085d484ea98c432a7096a0f5ad08d2e934f6f8d28f35a55c879cb3e6e35a7127149f82ae7061c174ecc59c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 42661c1a4066e498119598b2d049a949
    SHA1: 72810565b210de631eddca287db3c408032c8a48
    SHA256: a403838fc31df53bbdb68878058890bbb85c4159c29f5bb339e1c45729037c4f
    SHA512: 52010bbde30d2fb3d68bd12e1120a6bca90925eee601cb34e8dc8f0612fd29e507b173c3e833e5b3d9b07b9375d38e2cabe53c260765530abf70a41e2a3e9ad9

  • C:\Windows\System32\GroupPolicy\gpt.ini
    Filesize: 233B
    MD5: cd4326a6fd01cd3ca77cfd8d0f53821b
    SHA1: a1030414d1f8e5d5a6e89d5a309921b8920856f9
    SHA256: 1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c
    SHA512: 29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

  • C:\temp\MIMIC_LOG.txt
    Filesize: 32KB
    MD5: e5f9b50368df9dcfc9630dd502acada0
    SHA1: 6dc8198549400c0ee6c514d8868de51ab47b7c18
    SHA256: 3f19cb020c238b6b44159ea6ec57b7b50f462719361b27f8b1c35990da74a90c
    SHA512: f2e765e28e94c71dba92a793a8e01478ef1370a20031c0016fdf1799071a355424199118739832ed3ba9085ca4ebb8f5be79609660a4c483505e763314764ece

  • C:\temp\session.tmp
    Filesize: 32B
    MD5: 2a37eb95aa019f56d40d0a1e392cd12f
    SHA1: 5f4a56858c11133bbf24a3e7be28a087f26bfb69
    SHA256: 3c2debdc29901af8abe4b9672b5f996ab3a18137e78dcece39766a2eca5e66c3
    SHA512: 850875f1025367512e637041dba3734fb9cdf3eb974ace90f64a38771d9a202f27b289e8b82c0138efb7adb56344720c0d459b0833a0fb37204e3e385467ccb1

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Filesize: 772KB
    MD5: b93eb0a48c91a53bda6a1a074a4b431e
    SHA1: ac693a14c697b1a8ee80318e260e817b8ee2aa86
    SHA256: ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
    SHA512: 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

  • memory/2496-140-0x0000000002810000-0x0000000002818000-memory.dmp
    Filesize: 32KB

  • memory/2496-138-0x000000001B6A0000-0x000000001B982000-memory.dmp
    Filesize: 2.9MB