Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-10-2024 18:07

General

  • Target

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe

  • Size

    2.6MB

  • MD5

    cf50063a3105d27ba3063575bdf494d6

  • SHA1

    d466e9fb8302c07973e9835b252359fe63e0c999

  • SHA256

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9

  • SHA512

    67531b0de8623942929af87f19d10e9945ff599ff04b355643587be7ceac01f6f6273430c70a8e4308a9daee97250334a66e6e52a3ef9c3fda272bdf024eaef9

  • SSDEEP

    49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\README.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: u_KicnprWsPolsED5ZPlqTV63WqBB37imkZ9rVCdiTk*[email protected]_KicnprWsPolsED5ZPlqTV63WqBB37imkZ9rVCdiTk

If you want to recover your files, write us to our mail
1)[email protected]
And add me/write message - Decryptionguy (use search)
2)[email protected]

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
Emails

u_KicnprWsPolsED5ZPlqTV63WqBB37imkZ9rVCdiTk*[email protected]_KicnprWsPolsED5ZPlqTV63WqBB37imkZ9rVCdiTk

1)[email protected]

2)[email protected]

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (5828) files with added filename extension

    Consistent with ransomware encrypting files across the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg.exe controls all configurable power settings on a Windows host and can be abused to keep an infected machine from sleeping, hibernating or shutting down while encryption is in progress.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Executes commands through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

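The signatures above describe the recovery-inhibition chain this sample runs (bcdedit, wbadmin, powercfg, Hyper-V shutdown via PowerShell) one at a time. The following is an added detection example, not part of the sandbox report: it runs a small rule set over process-creation events shaped like parsed Sysmon Event ID 1 / Security 4688 records, groups hits by parent PID so that a single admin command does not fire, and decodes the powercfg GUIDs into the names `powercfg /query` prints (the GUID-to-name table and the action-value mapping are my own reading of the built-in aliases, and the rule names, thresholds and sample events are this example's assumptions; the sample command lines are copied from the process tree below, plus two benign ones).

```python
"""Flag the recovery-inhibition chain from the report's process tree.

Added example, not part of the sandbox report. Input events are dicts with
pid / ppid / image / cmdline, the fields you would pull from Sysmon Event ID 1
or Security 4688 after parsing; rule names and thresholds are this example's own.
"""
import re

# (rule name, image regex, command-line regex). The command lines these match
# are the ones recorded under PIDAR.exe (PID 1932) in the report.
RULES = [
    ("bcdedit_disable_recovery", r"bcdedit\.exe$",
     r"/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin_delete_backups", r"wbadmin\.exe$", r"\bdelete\s+(catalog|systemstatebackup)\b"),
    ("powercfg_hibernate_off", r"powercfg\.exe$", r"\s-h\s+off\b"),
    # any setting in the "Power buttons and lid" subgroup forced to 0 (Do nothing)
    ("powercfg_button_lid_do_nothing", r"powercfg\.exe$",
     r"-set(ac|dc)valueindex\s+\S+\s+4f971e89-eebd-4455-a8de-9e59040e7347\s+\S+\s+0\b"),
    ("powershell_stop_hyperv_vms", r"powershell\.exe$", r"get-vm\s*\|\s*stop-vm"),
    ("powershell_dismount_diskimages", r"powershell\.exe$", r"dismount-diskimage"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# GUID names as `powercfg /query` shows them (my reading of the built-in aliases,
# an assumption of this example); action values are the standard button/lid indexes.
POWER_SCHEMES = {
    "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c": "High performance",
    "e9a42b02-d5df-448d-aa00-03f14749eb61": "Ultimate Performance",
}
POWER_SUBGROUPS = {"4f971e89-eebd-4455-a8de-9e59040e7347": "Power buttons and lid"}
POWER_SETTINGS = {
    "7648efa3-dd9c-4e3e-b566-50f929386280": "Power button action",
    "96996bc0-ad50-47ec-923b-6f41874dd9eb": "Sleep button action",
    "5ca83367-6e45-459f-a27b-476b1d01c936": "Lid close action",
}
BUTTON_ACTION = {0: "Do nothing", 1: "Sleep", 2: "Hibernate", 3: "Shut down"}
POWERCFG_SET = re.compile(
    r"-set(?P<power>ac|dc)valueindex\s+(?P<scheme>[0-9a-f-]{36})\s+(?P<sub>[0-9a-f-]{36})"
    r"\s+(?P<setting>[0-9a-f-]{36})\s+(?P<value>\d+)", re.I)


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed sample: the report's command lines under parent 1932, plus two benign
# admin commands under an unrelated parent (700) that must not fire.
SAMPLE_EVENTS = [
    ev(1956, 1932, r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ev(4440, 1932, r"C:\Windows\SYSTEM32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ev(2380, 1932, r"C:\Windows\SYSTEM32\wbadmin.exe", "wbadmin.exe DELETE SYSTEMSTATEBACKUP"),
    ev(1468, 1932, r"C:\Windows\SYSTEM32\wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    ev(1572, 1932, r"C:\Windows\SYSTEM32\powercfg.exe", "powercfg.exe -H off"),
    ev(4432, 1932, r"C:\Windows\SYSTEM32\powercfg.exe",
       "powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c "
       "4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0"),
    ev(1608, 1932, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       'powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"'),
    ev(1456, 1932, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       'powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"'),
    ev(9001, 700, r"C:\Windows\System32\powercfg.exe", "powercfg.exe /list"),
    ev(9002, 700, r"C:\Windows\System32\wbadmin.exe", "wbadmin.exe get versions"),
]


def match_event(event):
    """Names of every rule the event trips, in RULES order."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def decode_powercfg(cmdline):
    """Translate a -SETACVALUEINDEX / -SETDCVALUEINDEX line into names; None if not one."""
    m = POWERCFG_SET.search(cmdline)
    if not m:
        return None
    g = m.groupdict()
    return {
        "power": g["power"].upper(),
        "scheme": POWER_SCHEMES.get(g["scheme"].lower(), g["scheme"]),
        "subgroup": POWER_SUBGROUPS.get(g["sub"].lower(), g["sub"]),
        "setting": POWER_SETTINGS.get(g["setting"].lower(), g["setting"]),
        "action": BUTTON_ACTION.get(int(g["value"]), g["value"]),
    }


def chains(events, threshold=3):
    """Group rule hits by parent PID. A parent whose children trip >= threshold distinct
    rules is reported as a pre-encryption chain; isolated hits are left to normal triage,
    since an administrator may legitimately run any one of these commands."""
    by_parent = {}
    for e in events:
        for name in match_event(e):
            by_parent.setdefault(e["ppid"], set()).add(name)
    return {ppid: sorted(names) for ppid, names in by_parent.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ppid, names in chains(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(names)}")
    for e in SAMPLE_EVENTS:
        decoded = decode_powercfg(e["cmdline"])
        if decoded:
            print(f"PID {e['pid']}: {decoded}")
```

Grouping by parent is the point: on the sample, every trip sits under PID 1932 (PIDAR.exe in the tree), which is the signal, while the two admin commands under another parent stay silent. In production, feed the parsed events in and tune `threshold` to your environment's noise; the `decode_powercfg` output is what you put in the ticket, since "Power button action -> Do nothing" on both AC and DC is far more legible than the raw GUIDs.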
Processes

  • C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p1946518016400410350 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4716
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
        "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1932
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4984
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\DC.exe
            DC.exe /D
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:216
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e watch -pid 1932 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4092
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3680
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1184
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:1572
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:4432
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3864
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:2408
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1844
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:4992
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:2012
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2296
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:4332
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1764
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:4220
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:852
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1368
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:1420
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:4272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1456
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1956
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4440
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:2380
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1468
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:332
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4476
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4864
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4964
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4044
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3040
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4712
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4344
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2556
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5044
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4088
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1708
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3024
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1744
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:2416
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1652
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3056
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:6480
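The tree above shows the dropper unpacking itself through 7ZipSfx.000\7za.exe with a -p password on the command line, i.e. a 7-Zip self-extractor wrapping a password-protected archive. The following is an added example, not part of the sandbox report and not the sample's own code: it locates the embedded 7z container by its signature, validates the 32-byte start header (StartHeaderCRC covers the next-header offset/size/CRC that follow it, and NextHeaderCRC covers the header block itself), and reports the exact byte range to carve so the analyst can run `7z x -p<password>` on the archive alone rather than executing the stub. The stub bytes, payload and header in `build_fake_sfx` are constructed test data, not the sample's contents.

```python
"""Carve and sanity-check the 7z archive inside a 7-Zip SFX dropper.

Added example, not part of the sandbox report. Locates the 7z signature, checks
the start header CRCs, and returns the archive's byte range so it can be handed
to `7z x -p<password>` (or `7z l -slt`) without running the self-extractor.
"""
import struct
import sys
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
START_HEADER_LEN = 32  # magic(6) ver(2) StartHeaderCRC(4) NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4)


def find_7z_archives(data):
    """Yield one dict per signature hit, with the start-header checks applied."""
    pos = data.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = data[pos:pos + START_HEADER_LEN]
        if len(hdr) == START_HEADER_LEN:
            major, minor, start_crc = struct.unpack_from("<BBI", hdr, 6)
            next_off, next_size, next_crc = struct.unpack_from("<QQI", hdr, 12)
            # StartHeaderCRC is CRC32 over the 20 bytes after it (offset/size/crc of the next header)
            start_ok = zlib.crc32(hdr[12:32]) == start_crc
            # NextHeaderOffset is relative to the end of the 32-byte start header
            nh_pos = pos + START_HEADER_LEN + next_off
            nh = data[nh_pos:nh_pos + next_size]
            next_ok = len(nh) == next_size and zlib.crc32(nh) == next_crc
            yield {
                "offset": pos,
                "version": (major, minor),
                "start_header_ok": start_ok,
                "next_header_ok": next_ok,
                "size": START_HEADER_LEN + next_off + next_size,
                # first header byte: 0x01 = kHeader (plain); 0x17 = kEncodedHeader, meaning the
                # header is itself compressed and, if the archive was built with -mhe, encrypted
                "packed_header": next_ok and nh[:1] == b"\x17",
            }
        pos = data.find(SEVENZ_MAGIC, pos + 1)


def carve(data, out_path=None):
    """Return the first archive whose start header CRC checks out; optionally write it to disk."""
    for archive in find_7z_archives(data):
        if archive["start_header_ok"]:
            if out_path:
                with open(out_path, "wb") as f:
                    f.write(data[archive["offset"]:archive["offset"] + archive["size"]])
            return archive
    return None


def build_fake_sfx(stub_len=64, payload=b"PACKEDSTREAMS", header=b"\x01\x04\x06\x00"):
    """Constructed test input: a stand-in stub followed by a CRC-consistent 7z container.
    payload/header are placeholders for packed streams and a header, not a decodable archive."""
    tail = struct.pack("<QQI", len(payload), len(header), zlib.crc32(header))
    start = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail
    return b"MZ" + b"\x90" * (stub_len - 2) + start + payload + header + b"\x00" * 16


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_sfx()
    found = carve(blob, sys.argv[2] if len(sys.argv) > 2 else None)
    print(found or "no 7z archive with a valid start header")
```

Run it as `python carve7z.py sample.exe out.7z`; with no arguments it exercises the constructed blob. A hit whose `next_header_ok` is false usually means the container is truncated or the signature was a false positive inside other data, and `packed_header` tells you whether `7z l` will already prompt for the password just to list the file names (header encryption) or only when extracting.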

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.db

                                  Filesize

                                  13.2MB

                                  MD5

                                  75b05c8d86fe8f6a0b8faa2f2e2b14e7

                                  SHA1

                                  9b5f68b768c8c6579f954a200eebaa2f6de83fc9

                                  SHA256

                                  bd1a9867c24b3c823bc3235f9b0b5aa5955fb8fa754c840b608f88b47207b9e5

                                  SHA512

                                  67ebd6fe932cab30943100434647a84705816ade4f10dd512ea0c500f6759f84b05efa1b7d6a27f06d91130191b24d7aa6c7e99cba78a09170b2996e5d964dd6

                                • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.ini

                                  Filesize

                                  20KB

                                  MD5

                                  f68e6b7c0d724dd72b7e85856abf8dce

                                  SHA1

                                  bde1e90b12b091464c6c553ac399a9f71e0ee684

                                  SHA256

                                  2ce238bccad3488278d157dfa0d66863031fcba638bab7d9452aebdacac829b8

                                  SHA512

                                  e634f1b33ae0ad15c4d2e8ffc0ccb4fadf308d150d8e0e1dd96262278b061572369d20f405fb70c5cb81f2f10679315d36934184abe2318fe45d63f994dd880c

                                • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\session.tmp

                                  Filesize

                                  32B

                                  MD5

                                  9659070580fce65cd980159c2ca5e359

                                  SHA1

                                  0e7c56fa2dad43077c4246bdefa8e2c0ab546338

                                  SHA256

                                  a1b9b205e21b8d42201e8afce783be525ecb34eab9ca9425d6916dbca3b99a6a

                                  SHA512

                                  056b029869ce2d0bd1883a80136735579306bfcddaeeb5b44bf1e2d47d9c40de95e8ca3e32ae86afc6a5150e5c7e72c539c9939af7770b77a875a13293101b8d

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                  Filesize

                                  2KB

                                  MD5

                                  d85ba6ff808d9e5444a4b369f5bc2730

                                  SHA1

                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                  SHA256

                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                  SHA512

                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  944B

                                  MD5

                                  d28a889fd956d5cb3accfbaf1143eb6f

                                  SHA1

                                  157ba54b365341f8ff06707d996b3635da8446f7

                                  SHA256

                                  21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                  SHA512

                                  0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  663B

                                  MD5

                                  d008c06abbb351dd176312b07dbf7ac3

                                  SHA1

                                  5921da1745729d7b3b30d39b0c9617e2b494e8ec

                                  SHA256

                                  d4c0ba066b7a4ea36fcd3e4b74c07c391df7c96e0aeb901d04a6203b63b7a391

                                  SHA512

                                  7f6b3fb1f29a8b23c1a5d0be68d312dc91b684f0581b598724de406986ecc618a87ade674030f56b9cc60b47aaf30a593beac8f185646dc6981ec62ebf511c3c

                                • C:\Users\Admin\AppData\Local\README.txt

                                  Filesize

                                  1KB

                                  MD5

                                  15b33590c7893b91782acca7b1436c56

                                  SHA1

                                  f58cabc90428f6f707d8aadfd4869f05eb8b7841

                                  SHA256

                                  5bfa846407131eaf3e1f5863ed76879b73af93036023f84adc4a60691d58872e

                                  SHA512

                                  1ca87f656aabf6c6688c6bd8b08dad083ded10c12b77f29ad5077906b16966a267cf36649662dd0926e939e55c884e18360f068d3c86360d50b7b5f8aa4705e4

                                • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

                                  Filesize

                                  300B

                                  MD5

                                  029b68a0ebac33e45a8a8dea7a79df81

                                  SHA1

                                  489701bb5fe85f53efb65d7eeade4d7c455f3aad

                                  SHA256

                                  e3eea71d4421322a6be2b7229ccbd42aeb84ec77a096054f12cc9fec5d93dd3c

                                  SHA512

                                  ef30db8b516066656a595cdb5bcfad392c51c9d367cdb07c1f8a99fd01df83d37578338729ebded318364f0babd9725137f2384400a9c2f21416138eccc03718

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

                                  Filesize

                                  772KB

                                  MD5

                                  b93eb0a48c91a53bda6a1a074a4b431e

                                  SHA1

                                  ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                  SHA256

                                  ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                  SHA512

                                  732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

                                  Filesize

                                  802KB

                                  MD5

                                  ac34ba84a5054cd701efad5dd14645c9

                                  SHA1

                                  dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                  SHA256

                                  c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                  SHA512

                                  df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

                                  Filesize

                                  1.7MB

                                  MD5

                                  c44487ce1827ce26ac4699432d15b42a

                                  SHA1

                                  8434080fad778057a50607364fee8b481f0feef8

                                  SHA256

                                  4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                  SHA512

                                  a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

                                  Filesize

                                  548B

                                  MD5

                                  742c2400f2de964d0cce4a8dabadd708

                                  SHA1

                                  c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                  SHA256

                                  2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                  SHA512

                                  63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

                                  Filesize

                                  550B

                                  MD5

                                  51014c0c06acdd80f9ae4469e7d30a9e

                                  SHA1

                                  204e6a57c44242fad874377851b13099dfe60176

                                  SHA256

                                  89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                  SHA512

                                  79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

                                  Filesize

                                  84KB

                                  MD5

                                  3b03324537327811bbbaff4aafa4d75b

                                  SHA1

                                  1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                  SHA256

                                  8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                  SHA512

                                  ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

                                  Filesize

                                  1.6MB

                                  MD5

                                  b8dee63df27fbefc900ba69a8392d7a0

                                  SHA1

                                  4abf7f478e48031bf66cae68d67b9eb658f0123b

                                  SHA256

                                  b9f64f96b17d05a523d65518549581e83b1f5b22d72bb91ade0e18cf5e2cde29

                                  SHA512

                                  1c05beccdf9823594dd83635c84f7841148100dd1c883590dd28f4bd5a5be27f80113fa16f734c571ff4a067c60901091921951e51483b64fed7fea723ddc3eb

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe

                                  Filesize

                                  2.3MB

                                  MD5

                                  7e0ed5c2eda1b54c016f6ff95737fd59

                                  SHA1

                                  e322ba47cd719e1f05f50e6df709a707378519b0

                                  SHA256

                                  d7c3d9e42084f4319428f4624d8f1f9e707d758c1d95f0a6c1b39bc913fd5f8b

                                  SHA512

                                  eb25f6264c4ed7e61ad5480986a9db90edb9ceb719569452cd13a6b48a1181f68ba498ce03da061b082a1f432c1c4b007360029ff1c3bdb9ff53d9c4a55484f1

                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

                                  Filesize

                                  350KB

                                  MD5

                                  803df907d936e08fbbd06020c411be93

                                  SHA1

                                  4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                  SHA256

                                  e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                  SHA512

                                  5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ewyogsz.rmf.ps1

                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                • memory/1456-116-0x0000025273DA0000-0x0000025273DC2000-memory.dmp

                                  Filesize

                                  136KB