Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 01:17

General

  • Target

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe

  • Size

    2.6MB

  • MD5

    cf50063a3105d27ba3063575bdf494d6

  • SHA1

    d466e9fb8302c07973e9835b252359fe63e0c999

  • SHA256

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9

  • SHA512

    67531b0de8623942929af87f19d10e9945ff599ff04b355643587be7ceac01f6f6273430c70a8e4308a9daee97250334a66e6e52a3ef9c3fda272bdf024eaef9

  • SSDEEP

    49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\README.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
Your personal ID: BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8*[email protected]_p_5lIwV4QXk8
If you want to recover your files, write us to our mail
1)[email protected]
And add me/write message - Decryptionguy (use search)
2)[email protected]
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
Emails

BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8*[email protected]_p_5lIwV4QXk8

1)[email protected]

2)[email protected]

Signatures

  • Detects Mimic ransomware 1 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (5795) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses a powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p1946518016400410350 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
        "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1872
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4932
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\DC.exe
            DC.exe /D
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3616
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e watch -pid 1872 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1584
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2040
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\PIDAR.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1788
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:4144
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:3780
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3156
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3172
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2348
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1348
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:2816
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:3024
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1824
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:956
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:516
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:1828
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:2508
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:3664
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:1536
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1448
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4436
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3292
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:396
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          PID:4612
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3820
        • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe
          "C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1964
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3312
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4796
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5024
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2348
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:396
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1216
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4420
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4516
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4896
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1380
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:3400
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3536
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3672
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3304


Downloads

  • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.db
    Filesize
    13.2MB
    MD5
    1d29f35b2b5e7a1dede3261c8cf667c4
    SHA1
    874fd11fd9eb2a144bb5f9e08374fb202a7e5eb5
    SHA256
    225f345ced0a85283409f6ebbbe6e56a0a685e5b30a6ab9b4157f86e011d63dc
    SHA512
    536dd37ab90e294e651204537be5a3155b12fcf0afeee8ba2df5bf881fde1d946e6c9294aaec8e57899d26cfb5ad7e08cf9b7fe6c93f3a7f36271e80e45e9e18

  • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\Everything.ini
    Filesize
    20KB
    MD5
    9c0c6094b957401491f7b0fe14f91a2c
    SHA1
    6ac694ad5890a3babc6f5c43b877ec48fa44f33d
    SHA256
    16b311e663c2da112a16a52d36c91f37d592d2f07912ef6cfe17c9dfd873ffe9
    SHA512
    981d77aa03c2ee88d0abdfe86a0630cc8b9c922088656393d5bd8ec56ad07a28de269fc16de61cc8710d62546ba95afc19139ed89b6d00e24ba145cc6ad8134d

  • C:\Users\Admin\AppData\Local\1D4F026E-DB59-647A-72D2-3763F22A75A1\session.tmp
    Filesize
    32B
    MD5
    65a07533345e4cf838f70656aea868e0
    SHA1
    77f326d9197f587d9983f2ca4470d10ca0293bd9
    SHA256
    b76d6801fa2ebed1706bcc4fd1783155413bfd06d791471b19964f27650a3ac4
    SHA512
    717e4ce5d6de162f99d1f625383bd9f87143a2d106d07dc088c52c5738a17894b1955bc8a88ed2c266d31e8f088ecbfe6a63fbab106d68387fc783b90ca5b3c3

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    d85ba6ff808d9e5444a4b369f5bc2730
    SHA1
    31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256
    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512
    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    d28a889fd956d5cb3accfbaf1143eb6f
    SHA1
    157ba54b365341f8ff06707d996b3635da8446f7
    SHA256
    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
    SHA512
    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    87dd60a6bd8b7d6c90230c57b86ab867
    SHA1
    67fdca992575b637cbebbbb5674cc16e93d9598f
    SHA256
    8ef8079a07081d4ed4376f55b8b5d3ceebd896ec9d42c1fb3e441658a93bd8ae
    SHA512
    906ad53219030c52728c96f6d94da4309e47ee3b78068ab34d8ad43945ff0fb96e502de717c5183c7db6162427e18a364ec0017dcfb12631834d381c20e990e1

  • C:\Users\Admin\AppData\Local\README.txt
    Filesize
    1KB
    MD5
    d9145bcf8fc37cbe959073aa0ac29b38
    SHA1
    f49370c475df7c8f3527f0b50464546f99f28363
    SHA256
    e3f048452b58a765b98215ebd5b3c3200b29766678dee94ba8154f555925865b
    SHA512
    a4ffbc661ab30b4f1f888f68305e0aa337644d5a8a423fd784b669bd89c3461f1cdf81de37a865f56d2ef8ea5066206f23868c73ccefa03cf101daed432a395b

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
    Filesize
    300B
    MD5
    029b68a0ebac33e45a8a8dea7a79df81
    SHA1
    489701bb5fe85f53efb65d7eeade4d7c455f3aad
    SHA256
    e3eea71d4421322a6be2b7229ccbd42aeb84ec77a096054f12cc9fec5d93dd3c
    SHA512
    ef30db8b516066656a595cdb5bcfad392c51c9d367cdb07c1f8a99fd01df83d37578338729ebded318364f0babd9725137f2384400a9c2f21416138eccc03718

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
    Filesize
    772KB
    MD5
    b93eb0a48c91a53bda6a1a074a4b431e
    SHA1
    ac693a14c697b1a8ee80318e260e817b8ee2aa86
    SHA256
    ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
    SHA512
    732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
    Filesize
    802KB
    MD5
    ac34ba84a5054cd701efad5dd14645c9
    SHA1
    dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
    SHA256
    c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
    SHA512
    df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
    Filesize
    1.7MB
    MD5
    c44487ce1827ce26ac4699432d15b42a
    SHA1
    8434080fad778057a50607364fee8b481f0feef8
    SHA256
    4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
    SHA512
    a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
    Filesize
    548B
    MD5
    742c2400f2de964d0cce4a8dabadd708
    SHA1
    c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
    SHA256
    2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
    SHA512
    63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
    Filesize
    550B
    MD5
    51014c0c06acdd80f9ae4469e7d30a9e
    SHA1
    204e6a57c44242fad874377851b13099dfe60176
    SHA256
    89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
    SHA512
    79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
    Filesize
    84KB
    MD5
    3b03324537327811bbbaff4aafa4d75b
    SHA1
    1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
    SHA256
    8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
    SHA512
    ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
    Filesize
    1.6MB
    MD5
    b8dee63df27fbefc900ba69a8392d7a0
    SHA1
    4abf7f478e48031bf66cae68d67b9eb658f0123b
    SHA256
    b9f64f96b17d05a523d65518549581e83b1f5b22d72bb91ade0e18cf5e2cde29
    SHA512
    1c05beccdf9823594dd83635c84f7841148100dd1c883590dd28f4bd5a5be27f80113fa16f734c571ff4a067c60901091921951e51483b64fed7fea723ddc3eb

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]_no gui.exe
    Filesize
    2.3MB
    MD5
    7e0ed5c2eda1b54c016f6ff95737fd59
    SHA1
    e322ba47cd719e1f05f50e6df709a707378519b0
    SHA256
    d7c3d9e42084f4319428f4624d8f1f9e707d758c1d95f0a6c1b39bc913fd5f8b
    SHA512
    eb25f6264c4ed7e61ad5480986a9db90edb9ceb719569452cd13a6b48a1181f68ba498ce03da061b082a1f432c1c4b007360029ff1c3bdb9ff53d9c4a55484f1

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
    Filesize
    350KB
    MD5
    803df907d936e08fbbd06020c411be93
    SHA1
    4aa4b498ae037a2b0479659374a5c3af5f6b8d97
    SHA256
    e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
    SHA512
    5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhmehpgm.vxl.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4436-108-0x0000022A632C0000-0x0000022A632E2000-memory.dmp
    Filesize
    136KB