Analysis

  • max time kernel
    1473s
  • max time network
    1219s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    08-12-2024 02:55

General

  • Target

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe

  • Size

    3.6MB

  • MD5

    33eeeb25f834e0b180f960ecb9518ea0

  • SHA1

    61f73e692e9549ad8bc9b965e25d2da683d56dc1

  • SHA256

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f

  • SHA512

    aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292

  • SSDEEP

    98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

Ransom Note
26=ELPACO-team
27=TIB;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;7z;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=
32=
33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe";
34=1
35=2
36=0
37=0
38=0
39=1
40=0
41=1
42=1
43=1
44=1
45=1
46=1
47=0
48=1
49=0
50=0
51=0
53=1
54=0
55=1
56=1
57=1
58=1
59=1
60=1
61=1
62=1
63=Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours)\nYour data is encrypted\nYour decryption ID is ID_PLACEHOLDER\nUnfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nIf you want to recover your files, write us\n1) eMail - [email protected]\n2) Telegram - @DataSupport911 or https://t.me/DataSupport911\n\nAttention!\n\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software - it may cause permanent data loss. \nWe are always ready to cooperate and find the best way to solve your problem. \nThe faster you write - the more favorable conditions will be for you. \nOur company values its reputation. We give all guarantees of your files decryption.
66=1
Emails
URLs

https://t.me/DataSupport911

Extracted

Path

C:\Users\Admin\AppData\Local\Decryption_INFO.txt

Ransom Note
Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours) Your data is encrypted Your decryption ID is B4gVAcIJcsCdtZuN_V3dtP7_Ab1mqrzz0gnJkznWkHo*ELPACO-team Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us 1) eMail - [email protected] 2) Telegram - @DataSupport911 or https://t.me/DataSupport911 Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software - it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption.
URLs

https://t.me/DataSupport911

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Mimic family
  • Modifies security service 2 TTPs 2 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (3409) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 22 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Uses the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 19 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
    "C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p7183204373585782 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
        "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"
        3⤵
        • UAC bypass
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3664
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3192
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1748
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c DC.exe /D
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\DC.exe
            DC.exe /D
            5⤵
            • Modifies security service
            • Executes dropped EXE
            • Windows security modification
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:1980
            • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\DC.exe
              "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\DC.exe" /SYS 1
              6⤵
              • Modifies security service
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              PID:1880
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe" -e watch -pid 3664 -!
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:5040
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe" -e ul1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1152
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe" -e ul2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1316
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -H off
          4⤵
          • Power Settings
          PID:2620
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:1808
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4608
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4832
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:2580
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2304
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:644
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3648
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:3240
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
          4⤵
          • Power Settings
          PID:2312
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
          4⤵
          • Power Settings
          PID:3136
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
          4⤵
          • Power Settings
          PID:1620
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
          4⤵
          • Power Settings
          PID:3760
        • C:\Windows\SYSTEM32\powercfg.exe
          powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
          4⤵
          • Power Settings
          PID:2424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:236
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3216
        • C:\Windows\SYSTEM32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5000
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          • Drops file in Windows directory
          PID:716
        • C:\Windows\SYSTEM32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4580
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2236
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    • Drops file in Windows directory
    PID:2036
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:1260
  • C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    1⤵
    PID:2100
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1112
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1196
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1744
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:5100
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1148
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:2304
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:556
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4824
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1656
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1824
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:1960
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1032
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2432
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1456
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1968
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3284
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3696
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:216
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3876
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1392
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2864
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Decryption_INFO.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1452
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4820
  • C:\Windows\System32\Systray.exe
    C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3828
  • C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    1⤵
    • Event Triggered Execution: Netsh Helper DLL
    • Runs regedit.exe
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.db

    Filesize

    19.5MB

    MD5

    26682984d2de5787bdc3c6499fe85373

    SHA1

    a5c31bb3d0a41e57db1840c31bd5651375c73eb7

    SHA256

    36787cc7c5adc98407ca79b8a547221f8589da8d34a5d1fcfc8b501fb15b0a7d

    SHA512

    a4156aa32a4b4fc031e6e5e7622e8fb3a7ce595002b27149bd55f915fa53a56c7226436d0399b43455e0198b5c326c4e32c593d2a5c1811ea62ac6827d71286e

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.ini

    Filesize

    20KB

    MD5

    215fd14c56d72f6e45307bed3ff4da59

    SHA1

    178e8b6d37fbb361a8974b667ffa4a7bde060caa

    SHA256

    e4685af9295a2fc5760b8fd0bd2b7c7919ec2c37eaf16af168217b67d57f6c4d

    SHA512

    887bbadbbf638df1086aa7cbeda97beb80135bb32b3df500232c4b1b7b014d61a53aac2d19d5f1facd7ad3e597b1b172dd4fae4944d2ea8b2571bce4dad39645

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    6KB

    MD5

    a70dce43c9f7c8305037a3bc98488f2e

    SHA1

    a9ab77b5407c4cdab25c6ca4d5f0ef236e247f05

    SHA256

    5f44b56e5991a9a1bb464d770bab15c095a7545c74b720a7ea051de750133ce2

    SHA512

    791da8b1ed2a219d93b90319fd8cfd9a12d1af2443cc16bc62ed7b7a0f4d8df24660b31f7406ead472d297b277c01b5188f48099a8b3b1dc39294634bb537c41

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    5KB

    MD5

    1b37dc212e98a04576aac40d7ce7d06a

    SHA1

    bb02a94617d4d355b1837f50bd50362f37b409a9

    SHA256

    d5ab2b261c3138070a70fa2feeb435162c40f7d0ba8a15f6ac6064d57b6a3545

    SHA512

    3b50f6c82b7e3cfc5bf85a9a26dccad9aab8aa9a2351676bd58c27b3461c0c219a0c0deed09664aa492ba86346bd56605beae0a4eab982afd289611b1ab76ac8

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    6KB

    MD5

    0642db3fff8c806f1e422b0ab3ebf3c7

    SHA1

    77822871711afa94cf14579f1829750e88651b92

    SHA256

    894fa3eb494a73a4ca0cf5a4bfd0219b3959be66d3f37f00d8778c9c7ffa2df2

    SHA512

    baae8a258b835f212ccaeb3b9aa96f312e1fd7c79ec6bb2ec79e6d320f4de47728bedcca46efa6e963821984a160b87f801a6d3e705f359a37135f1c450b0985

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\session.tmp

    Filesize

    32B

    MD5

    93469165a7ebde00ffc9dc419fc987df

                                                      SHA1

                                                      d5f39120142df7d63b41915162cc7e4a2d7ac3a9

                                                      SHA256

                                                      f238595ec10d94eb77a5f417eb3173729d39281703de4de60ba6ff69e8efabde

                                                      SHA512

                                                      cf6ee5d772c59b33f73df27bc6dc8d26c3e195266d9c28a2a718965ed3c5bb7cae1c9061a172d97338b246e6927227872bd196eda90ff7b32b3a24f0f25cb122

                                                    • C:\Users\Admin\AppData\Local\Decryption_INFO.txt

                                                      Filesize

                                                      945B

                                                      MD5

                                                      a39a54a675576b851a72064617e2bd7f

                                                      SHA1

                                                      6f6971979d4eca656396922704d39f2031484875

                                                      SHA256

                                                      441eb96a4e670a7b6b1d3210fd2619faaa99d06a9e0514a8ac1aff13229b8a45

                                                      SHA512

                                                      4a71bb287403ce6ba7e03a78e7dbf2d04732054a59a1f320519e80125bf282c3dda75975ab917a50c4c0e83e46ba76d1329280c939703a4ebe9a7c0d8773a9a0

                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                      Filesize

                                                      2KB

                                                      MD5

                                                      e30544e6d048b2c1c6129c89835c16dd

                                                      SHA1

                                                      21d167ff64825d3f8a5c351c3160b670dc14cb60

                                                      SHA256

                                                      df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

                                                      SHA512

                                                      fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      944B

                                                      MD5

                                                      0fa58a0d8f6fb91e3dd72585a54a4a63

                                                      SHA1

                                                      8c33691c9916eeeab06bcb6e61cbc32405d8e894

                                                      SHA256

                                                      7d57ae3a775f0497ab9ff67a0d02346e7bde40a4cea885343ac7f761ab4be2ac

                                                      SHA512

                                                      354aa3d87a477d4e61cd33a3fc4a7327438e4310fe230872acc5fe4f93d924d26c98263a567cb56796856da0691fdb8b76c6d56d3d2e16de5879a0f1890ed49e

                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                      Filesize

                                                      1KB

                                                      MD5

                                                      815e7eb891e74afb8a842ba93676d6cf

                                                      SHA1

                                                      4ba78001739c0cee138966ab64ea9234082cc2f9

                                                      SHA256

                                                      2598931135bf34b78511800d611fe592a325312e6176e8ecdc139f214b603044

                                                      SHA512

                                                      aeab603f2dea415cd8beab2f3921f2cdf6ef656bb264461a1f2d5d5c1663ed0166292e618e40d46ce69c7d004baccb8e0c80e103aa27dba9493cdb23426662db

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

                                                      Filesize

                                                      300B

                                                      MD5

                                                      f31b4d075ad2f1027f66293e5d7d7be3

                                                      SHA1

                                                      5055a7122d9498830e17b017c3fca09a07da7f16

                                                      SHA256

                                                      83710f793fb3fce43cbb6658bb8a4e3d46a678addad385325d32b51526ce939d

                                                      SHA512

                                                      b3ecc61f7efc37850137e5b7c2bcbb1b313bed749aa197ab7dce2f4eded7f5a720e6bfb34bb1237410ec183e5378b8a6d5224b75f9eb211738c28664dad35be5

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

                                                      Filesize

                                                      772KB

                                                      MD5

                                                      b93eb0a48c91a53bda6a1a074a4b431e

                                                      SHA1

                                                      ac693a14c697b1a8ee80318e260e817b8ee2aa86

                                                      SHA256

                                                      ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

                                                      SHA512

                                                      732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

                                                      Filesize

                                                      802KB

                                                      MD5

                                                      ac34ba84a5054cd701efad5dd14645c9

                                                      SHA1

                                                      dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

                                                      SHA256

                                                      c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

                                                      SHA512

                                                      df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe

                                                      Filesize

                                                      2.4MB

                                                      MD5

                                                      b951e50264f9c5244592dfb0a859ec41

                                                      SHA1

                                                      8af05099986d0b105d8e38f305efe9098a9fbda6

                                                      SHA256

                                                      e160d7d21c917344f010e58dcfc1e19bec6297c294647a06ce60efc7420d3b13

                                                      SHA512

                                                      ae9d85bad1ae0ed2b614fce1b7d3969483a1e39a50bc3aad3e5ba5c8fab56d4d38bf60b3e641c67ee6be29d88e3fbb73dfa39dd3c11a9a01aacdb7c269a7471d

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]

                                                      Filesize

                                                      2.4MB

                                                      MD5

                                                      0bf7c0d8e3e02a6b879efab5deab013c

                                                      SHA1

                                                      4f93d2cda84e669eeddcfeb2e2fa2319901059a1

                                                      SHA256

                                                      b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9

                                                      SHA512

                                                      313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      c44487ce1827ce26ac4699432d15b42a

                                                      SHA1

                                                      8434080fad778057a50607364fee8b481f0feef8

                                                      SHA256

                                                      4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

                                                      SHA512

                                                      a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

                                                      Filesize

                                                      548B

                                                      MD5

                                                      742c2400f2de964d0cce4a8dabadd708

                                                      SHA1

                                                      c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

                                                      SHA256

                                                      2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

                                                      SHA512

                                                      63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

                                                      Filesize

                                                      550B

                                                      MD5

                                                      51014c0c06acdd80f9ae4469e7d30a9e

                                                      SHA1

                                                      204e6a57c44242fad874377851b13099dfe60176

                                                      SHA256

                                                      89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

                                                      SHA512

                                                      79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

                                                      Filesize

                                                      84KB

                                                      MD5

                                                      3b03324537327811bbbaff4aafa4d75b

                                                      SHA1

                                                      1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

                                                      SHA256

                                                      8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

                                                      SHA512

                                                      ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

                                                      Filesize

                                                      2.5MB

                                                      MD5

                                                      245fb739c4cb3c944c11ef43cddd8d57

                                                      SHA1

                                                      435fee4453ac3d3a14d422ac21400c32d792763c

                                                      SHA256

                                                      d180f63148fbbfcfd88aa7938ab88fcea3881402b6617f4f3e152427aeb6c59c

                                                      SHA512

                                                      ee45e53116508b385a9788ce9bfe7d119f4dbf1dd4f31fc940d0dab4ca91eb63c842868ae56782f0bdb807d26895344c6e8aa909c94ddcf2dfe3189d9e24c342

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini

                                                      Filesize

                                                      10B

                                                      MD5

                                                      26f59bb93f02d5a65538981bbc2da9cc

                                                      SHA1

                                                      5e99a311784301637638c02401925a89694f463d

                                                      SHA256

                                                      14f93a82d99cd2bf3da0aba73b162a7bb183eded695cffff47a05c1290d2a2fa

                                                      SHA512

                                                      e48f20a62bb2d5de686a7328a682a84821c83c8c4d836287adffbe464a8b4a0ba8ca728a35438c58f142686047b153c9c3f722c0431db620e3ef3479215b9016

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui35.exe

                                                      Filesize

                                                      276KB

                                                      MD5

                                                      03a63c096b9757439264b57e4fdf49d1

                                                      SHA1

                                                      a5007873ce19a398274aec9f61e1f90e9b45cc81

                                                      SHA256

                                                      22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46

                                                      SHA512

                                                      0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe

                                                      Filesize

                                                      276KB

                                                      MD5

                                                      57850a4490a6afd1ef682eb93ea45e65

                                                      SHA1

                                                      338d147711c56e8a1e75e64a075e5e2984aa0c05

                                                      SHA256

                                                      31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615

                                                      SHA512

                                                      15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8

                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

                                                      Filesize

                                                      350KB

                                                      MD5

                                                      803df907d936e08fbbd06020c411be93

                                                      SHA1

                                                      4aa4b498ae037a2b0479659374a5c3af5f6b8d97

                                                      SHA256

                                                      e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

                                                      SHA512

                                                      5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlzumukc.e1z.ps1

                                                      Filesize

                                                      60B

                                                      MD5

                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                      SHA1

                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                      SHA256

                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                      SHA512

                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                    • C:\Windows\Logs\StorGroupPolicy.log

                                                      Filesize

                                                      27KB

                                                      MD5

                                                      7e172c5c84e60a5febf1b33979d65666

                                                      SHA1

                                                      5a023bbc868b235c08cf87ab9269ae51924b2505

                                                      SHA256

                                                      8b3f4d99d034e11051b514c54d589c49f859b274443ea97571cf4da651f794c6

                                                      SHA512

                                                      5fc3656c8195045748e525bb72cc948cc1eabd9ebb0f892b9fbe4aa2fb7d5ec28dc52d04672c7e1dea09d593067849791a28e4effc3d12d47dda8e20d8e172d8

                                                    • C:\Windows\System32\GroupPolicy\gpt.ini

                                                      Filesize

                                                      233B

                                                      MD5

                                                      cd4326a6fd01cd3ca77cfd8d0f53821b

                                                      SHA1

                                                      a1030414d1f8e5d5a6e89d5a309921b8920856f9

                                                      SHA256

                                                      1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

                                                      SHA512

                                                      29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

                                                    • C:\Windows\Temp\weviaix

                                                      Filesize

                                                      37KB

                                                      MD5

                                                      4f4cfdec02b700d2582f27f6943a1f81

                                                      SHA1

                                                      37027566e228abba3cc596ae860110638231da14

                                                      SHA256

                                                      18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

                                                      SHA512

                                                      146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

                                                    • C:\temp\MIMIC_LOG.txt

                                                      Filesize

                                                      44KB

                                                      MD5

                                                      0bfa0631cafc0db9aee9e5693f1bdc48

                                                      SHA1

                                                      6455faf7578e9cc6fd882a4614026ca9ff6b2fdb

                                                      SHA256

                                                      11eb04c70d6c3ed38ad60523ac76a1ca982a63a2db6150ef5cb10073bd769210

                                                      SHA512

                                                      5465ac2e34fb520841ec7b3f43fb1ebb9c1757bc8abd0e4ae3e362b09972f08bef61d222e7dce5b6109b72b7f2730e976f3d12c1d4ab0d6cb4998fd1a8abd7d1

                                                    • memory/3192-73-0x0000000000C40000-0x0000000000C46000-memory.dmp

                                                      Filesize

                                                      24KB

                                                    • memory/3192-72-0x0000000000C80000-0x0000000000CD4000-memory.dmp

                                                      Filesize

                                                      336KB

                                                    • memory/3192-71-0x0000000000C30000-0x0000000000C36000-memory.dmp

                                                      Filesize

                                                      24KB

                                                    • memory/3192-70-0x0000000000340000-0x000000000038E000-memory.dmp

                                                      Filesize

                                                      312KB

                                                    • memory/3216-128-0x00000228EA470000-0x00000228EA492000-memory.dmp

                                                      Filesize

                                                      136KB
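The dropped-file entries above are directly usable as host indicators. As an added example (not part of the sandbox report), the following Python sweeps a directory tree for two kinds of match: an exact SHA-256 of one of the dropped executables, copied verbatim from the entries above, and a file sitting at one of the report's drop locations. The regexes, the constructed sample tree and the `demo` helper are ours; that the ID-shaped directory under AppData\Local differs between victims is an assumption, which is why it is matched by shape rather than by its literal value.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values copied verbatim from the dropped-files entries above.
SHA256_IOCS = {
    "e160d7d21c917344f010e58dcfc1e19bec6297c294647a06ce60efc7420d3b13": "7ZipSfx.000/ELPACO-team.exe",
    "c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e": "7ZipSfx.000/DC.exe",
    "e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c": "7ZipSfx.000/xdel.exe",
    "ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142": "7ZipSfx.000/7za.exe",
}

# Drop locations from the report, as regexes over a forward-slash relative path.
# The ID-shaped directory under AppData\Local is matched by shape (8-4-4-4-12 hex);
# that its value differs between victims is an assumption of this example.
PATH_IOCS = [
    re.compile(r"AppData/Local/[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}/(global_options\.ini|session\.tmp)$", re.I),
    re.compile(r"AppData/Local/Decryption_INFO\.txt$", re.I),
    re.compile(r"(^|/)temp/MIMIC_LOG\.txt$", re.I),
    re.compile(r"/7ZipSfx\.000/(7za|DC|xdel|gui35|gui40|ELPACO-team|Everything)\.exe$", re.I),
]

# SHA-256 of zero bytes; used by the self-check to exercise the hash path.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so multi-megabyte drops are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, sha256_iocs=SHA256_IOCS, path_iocs=PATH_IOCS):
    """Return [(relative_path, reason)] for every file under root that sits at a
    known drop location or has a known hash. Both checks run per file: a renamed
    copy is still caught by hash, a rebuilt binary is still caught by path."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        for rx in path_iocs:
            if rx.search(rel):
                hits.append((rel, "path matches " + rx.pattern))
                break
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # locked or unreadable: skip the file, keep sweeping
        if digest in sha256_iocs:
            hits.append((rel, "sha256 matches " + sha256_iocs[digest]))
    return hits


def build_sample_tree(base):
    """Constructed sample data: the report's drop paths with placeholder contents
    (not the real payloads), plus one benign file that must not be flagged."""
    base = Path(base)
    files = {
        "Users/Admin/AppData/Local/BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A/global_options.ini": b"constructed ini\n",
        "Users/Admin/AppData/Local/Decryption_INFO.txt": b"constructed note\n",
        "temp/MIMIC_LOG.txt": b"",
        "Users/Admin/AppData/Local/Temp/7ZipSfx.000/Everything.exe": b"MZ constructed",
        "Windows/System32/notepad.exe": b"MZ benign",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo(sha256_iocs=SHA256_IOCS):
    """Build the sample tree in a temporary directory, sweep it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp, sha256_iocs=sha256_iocs)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against a mounted image or a live host with `sweep("D:/")` (or `sweep("C:/")` on the host itself). Hash-only matching misses a rebuilt dropper and path-only matching misses a renamed copy, so the sweep reports both reasons separately; the `OSError` branch matters on a live system, where files held open by the running process would otherwise abort the whole walk.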