Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

antivirus.exe

windows10-2004-x64

10

Resubmissions

31/03/2024, 14:49

240331-r687xsec77 10

29/03/2024, 09:29

240329-lf9swaeg87 10

29/03/2024, 08:58

240329-kw8ebaed26 10

29/03/2024, 08:57

240329-kwtadsed22 10

29/03/2024, 08:49

240329-krew7sec34 10

Analysis

  • max time kernel
    331s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    antivirus.exe

  • Size

    144KB

  • MD5

    4016477fd044882c78f3c1a47d7322e1

  • SHA1

    6c75ffa25ef2d1d6a658ff415b2e47964032fc6a

  • SHA256

    fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633

  • SHA512

    17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1

  • SSDEEP

    3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 36 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\antivirus.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3032
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:412
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:404
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4740
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4184
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4420
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:756
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4068
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4492
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:3940
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1640
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2544
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops startup file
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2412
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
      1⤵
        PID:268
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies registry class
        PID:3048
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2004
        • C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe
          "C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe"
          1⤵
          • Drops startup file
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2604
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:4504

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\.ses
          Filesize

          53B

          MD5

          d0220bdd9f4cb0c8dc4b8a4464916ea2

          SHA1

          f663f8caf6afa01147c2ce9649849e9dde181e8b

          SHA256

          989d27eba96f6a9c95f111119054a8838482d38957fabebc0999692accefce2d

          SHA512

          ca890b3efcd4c5534d697fc0e3354c17a4cd369d4fecc6d834f474d0f755084fc9d0cf23747470199b4d8e1a9a17d947f349835cc21266418cac8fd84d30fbfb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
          Filesize

          1KB

          MD5

          79c8f3c6bcc8247809ff8e162fa110f6

          SHA1

          1eb53061deca5e467b571c6409083a927de6ed30

          SHA256

          41f5e0f63100f9fdee7c72cd36c6dce67e9b532743db118beacd016c9687866e

          SHA512

          30fbe1e8a1aa4e1f5a24615a3055e782d66a79859588966dd8f70448f5f96558e824f4edd022fe44f6549f1b232f942178b1f85a7d4c55569be582a8b589c102

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
          Filesize

          13KB

          MD5

          e8b21a3ad821c0e919e3aa697a2ad04f

          SHA1

          204450b02ace579bfdb14802a45107315c365d86

          SHA256

          2db91f522d1812845c5a3a058cc3409c2ebc7202d3eeac81205b20dee6847476

          SHA512

          68a99f77ec494c2eb102c4467b5e9edaedbc248aabeb74ab7d6339554f44c9479be8677916ee3ec7c18b2b1fe7e857a43063b750078c7bc323de6c67649e8e8b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\LQHDAPZK-20240226-1418.log
          Filesize

          58KB

          MD5

          2a3900c865174684fa5cb09247d5fbab

          SHA1

          874744dcb98a0d7fe83898f8afb35ee076ef8fdf

          SHA256

          c2cd55f65ace263e044c54abb66cc6464123505a9960410238a6caf08cf4b701

          SHA512

          152e4bc3d9d526af6e478629b120a37e363f2ae239bb676b6cf7cd4b6a4b9e7249cfcf1b9458472d976782ff25059ba0db02b82a52f8e3d6148c1daa71971bd0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\LQHDAPZK-20240226-1418a.log
          Filesize

          180KB

          MD5

          b8b163524c5fa459d7ea2f91ab774695

          SHA1

          63745eda14d4c3e8f85dbe403e720a1bb8107bb2

          SHA256

          920dbc2c47207e7c93699a8e70e2481100a2d109877dc99d4e998dd2b8e1bb0d

          SHA512

          61ebe14cb103da26173e7453076548033630b8e8c8ee2a72b84065b3b4a237d5a28f58096e266624d53104ca7677610397aa1e3970194bd62887da2a19b58a20

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240226_141438814.html
          Filesize

          94KB

          MD5

          ced20b01cc880581eaec1e01b3d69ddb

          SHA1

          1db1c6e6dd64a2a7c3ee90b25c98c57b47a8856e

          SHA256

          73215807d5ea7e7bb5a1bd5acb03153b1f3314dd41977993abf741ec51307f88

          SHA512

          81b03bec83339d41ee2d24dc85ea0d7917e45518c5f8f90f5adc4cea000df81bfefd0f4b0ab5b412fd43f5a3dc3e268721c47520eff319ed9a7c6895562b4ed0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226141501.log
          Filesize

          15KB

          MD5

          3d1805b3fc3d3a07b3b2cb7eae747c0b

          SHA1

          ca9e74218b5963f11c91d807bebbeb077259bd79

          SHA256

          f5febbd252cbee7c55a2434ccfd8ca6afa2706eeb56f17e701b72c742a15de4b

          SHA512

          90c901ac9c240dd0a4ebf26fbb8ec2165c94c13f4f1be7ef2b1cb466194bdf8c617d3e9c45515cacebb7dd164451b752751e22aa65dfecc7d91fba4897bb264e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226141501_000_dotnet_runtime_6.0.25_win_x64.msi.log
          Filesize

          551KB

          MD5

          6f9c8b81d47b2be388dd213cb507589d

          SHA1

          057fdca4c2488b936cec1997857b603e0fab9034

          SHA256

          3591e6af19734d0399dd0104e79182c009cbc70ee0c6f1a8b0deea497849adb1

          SHA512

          5d06c8a76d31fa9cfa2c24367d80b2a577dbb5a9caa977d908f2102b822b7c804066d4178e1d5c0ea233d7c1f6bdb8ed465c8e2a798dc72aa1cb20df7fdb4299

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226141501_001_dotnet_hostfxr_6.0.25_win_x64.msi.log
          Filesize

          95KB

          MD5

          b6124ca210f8a004734c0584a83fb04e

          SHA1

          6c4b121c73dbcd655cdfec3ebf4a3671a7f6aee4

          SHA256

          ee59b1168cf16955903c4b5bd7dfa7db6f9b666ee71ac6b12e982217f18f3a07

          SHA512

          5cfdb6bd088d115721aaad58ac032d1df65d5a81e99d4e239d847230c21facdd3e44cf4529035bf36277135b91cb2e2a180274cd3fc7715c4075e90f68a75e14

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226141501_002_dotnet_host_6.0.25_win_x64.msi.log
          Filesize

          105KB

          MD5

          49a0b8819f077509a646c7d907b05a8d

          SHA1

          ff33cd147058779cca33b18e7af0bd832ea64d70

          SHA256

          60565c75e3e9ef537c57e05c89a42dd41dce727c8cd105eae8a40843e537cf50

          SHA512

          d66a20e8be59d60f7d18cb09b2a3d0943809c1ecea497d42a1141abccb6862926b7933738db2c6ce4c2329c9f7c487bb98723495c355895c2a567dfd7eda1d29

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226141501_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log
          Filesize

          849KB

          MD5

          160a989f7f51af0ad8a078c5749939a6

          SHA1

          a4b7ab394bd6bbbe5708ed460d42e0f3b8ac902e

          SHA256

          447e798e3d520da0022b917b0544548f9a7e936ba78f51ba0f98305fb48c92c3

          SHA512

          f682d87d61c8f5e7ddfe80aa1011ce00e84a1667a61b101360e98743607fc838473bfc552fc95a93256346379b0d7cafe1678290e9865816bf0883731c89aea2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226141522.log
          Filesize

          15KB

          MD5

          a786aac1152176158bbfb3c547ba9257

          SHA1

          9f5ff3f5eb725456b8602adedd2bb7af8c839ec3

          SHA256

          5dd0d3027771e794b135e96a7964683b10ce79b71d04d1a3889ba92928b99a24

          SHA512

          d1d364ee910a0750a70ff2941ae55f812f7b7911f849e7a42dc5f7c190c89d64aa09f05b6bd88025e55f90e729f3b1e5a62c0b90694211680b110cc0d5014314

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226141522_000_dotnet_runtime_8.0.0_win_x64.msi.log
          Filesize

          469KB

          MD5

          6f72c07e466b2986ddcbf373a835b774

          SHA1

          e50af0231182dcbc39b65b76ed7273f822c48a48

          SHA256

          fd5313a5df84c6a539da45a67528b8a9e3d39a58776beb2af43d1fd1830d8ad9

          SHA512

          9708bcf6a288efb51efb3e25b5c2ce926cfe988794076a810589da0b973235c492e831b47a712acf075de451168fd425c29a5cb99c1736b093aabaeef5268c25

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226141522_001_dotnet_hostfxr_8.0.0_win_x64.msi.log
          Filesize

          95KB

          MD5

          53f3e993d88f675e95ed952684cf4ba7

          SHA1

          19605ef56aaa38392893f7c87c0298fcaa959330

          SHA256

          f40dc74d7693c6e7271cbd2eefaade824124878cf454f248e0e9687b50356376

          SHA512

          8ab50c2262ec06c0623e253559d5d4461b426c24423816b536e387157a97822ee8137eb8a7c466e936368fea822028e46559aa1390ff36921d205e9e7d4950e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226141522_002_dotnet_host_8.0.0_win_x64.msi.log
          Filesize

          109KB

          MD5

          baf5b856ff02f7719184976cdfeae5a8

          SHA1

          ed3697e3932cd4fc717e1bfdd64721d4c3e4a2e5

          SHA256

          a79d907e21b8325c01e2a0d979b2d20f1f18e3407954e388a9446d3a00b838e5

          SHA512

          802d87f97d1d32237aad9f8fddbeb07c3e157a337b28be5cf032eb6df978b7d4b14c01db83e4e9236a0a5ab990ae3c6c97da138365d7f4a3425ef1f288023c07

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226141522_003_windowsdesktop_runtime_8.0.0_win_x64.msi.log
          Filesize

          847KB

          MD5

          cf31c7edc94fec8a65e3c5cd99b87ad2

          SHA1

          9cc4cd15b22a1330cb185e6b28bfb10dd6cdf780

          SHA256

          c9f608d70d458ea0b4dcb0c5a96b7da6518712df590f5ca2ecdcf1d6136a5b43

          SHA512

          171b478450e7665537a1d7c9b69c39d955415865927666d1416d39256627999d2922f79dc333a19db32609446e84da7b395ba67e9d15b41a24d63c45da50b39a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aria-debug-532.log
          Filesize

          470B

          MD5

          4ec2ed4d2b04715d3d2cd267df0ad880

          SHA1

          ed2940d0a08b3b0b3d46172b6c5a4fcfdb231e7b

          SHA256

          babbef673c8c6a6ba8cb3269f56740ce77b4da020b69cf0a9a21463acfbcdf0f

          SHA512

          8c22646fe448ea0c6a461677d329e51728d1722b1e8103dcebc7e655ae3731cdf1f503424a4e26b5ae49dadda50c20213e035c16b4af468ab3b4afe9e89501e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ay3q8c39q.jpg
          Filesize

          46KB

          MD5

          287bc47f9ad0a559fb0d88ee32447c96

          SHA1

          c32c7cc1604d9bcdc09065c4589cf3c60ac92acd

          SHA256

          e499873a9cfa83012bf8248fc1bfe6d355c4e286f7f2efb072b9da5b5451d738

          SHA512

          51308237be289df669573505c67a869e3957b5920f2216147ca512dcced1c9f8c6af67b1f97d85e343d287f144e207f5933a8294c00f8eb022d9680efb690640

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
          Filesize

          6KB

          MD5

          9ccd894b84b51897eccc85c34606de39

          SHA1

          f3de0bdaaced16c238b4fa0d9c9c1178a40df268

          SHA256

          a611ff4efcac289bb4b7050f3446eb24d53d8961c7707c34dfa62eeccb214bba

          SHA512

          72621511445406b0365fee165797e8cccf2585ea7729efd8049b4579775393c007f864ff8ce320f704be2f813572ffef747224b34a7677936db91944c09dd6ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
          Filesize

          1KB

          MD5

          257f95cb5ac0f47c1c1affdfa2022f41

          SHA1

          4b37029dabc1ad843757bd08d4620cada77db343

          SHA256

          09b709889cab5efc0a4629d3e895066f7955af801156e7cf43c93f6a4c1fb2fa

          SHA512

          d0c2f22e3053f5b00fa39d0c802373eb7a06ecb682d862052b32217d9f8dc3164ebb86a25568dd530b85103cd917a3a9c6aa8cfb7c5284a35f9ee978cb3052ce

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3DB3.txt
          Filesize

          427KB

          MD5

          e4eefd3ee62539b7ad014c1bcff5cbd0

          SHA1

          64a3ab72157e839697a4e8d5782a5e62b0528282

          SHA256

          a6b3e45615655c66a0b8ec8876df01c1bd02fe6c603ff367baccba957375c8df

          SHA512

          5c0876ff1276cd59f4e80bcbf8026e5ed5c83685734a1721cdf2ae81e0a8350d5049b429f3a601bad83aa8dcbdca9fdaed35c8ba1ec1b08e5a3c54183b6f172f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3DD3.txt
          Filesize

          414KB

          MD5

          1dae049639e9c2158c0a7436b7295ede

          SHA1

          fd8eebb4ae9eda06dad816163c36295a12ffe3d7

          SHA256

          1c23746d103a4254ba3fd014337d9bae8597dd1ec6b4893c91d2f7f95c5afffd

          SHA512

          48b6c14cf16052eb9d81b64380b34747f5a66ae20476f77c43615cf9096aaaf5c2e2ce328acb53f0b816aa7be9b1a0ff5ff5e9f6a48c77f660d98beef25f43a0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3DB3.txt
          Filesize

          11KB

          MD5

          aa35aeeb2f1ccd06345a6bae458977c6

          SHA1

          f804b5f6f8b323caec9c27cfed7af221c2a4c23d

          SHA256

          34827b7fdf3dab9ae74a892222b74779c72c02253ce78e05ea6957bb1046d9d5

          SHA512

          24ea4b6c8fbc49512597eef5e2378dee925a5683cd025d5acdee227188e79f8e0ef37542ac1eaf01e8aff25dbf792d3ea60e25909a5e408767aea6ce71f92cdb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3DD3.txt
          Filesize

          11KB

          MD5

          1e2de3be70e87664ccff61607f9d612c

          SHA1

          177aa9b2a149f5ef0817ee73d0b2e3cf470cd1c9

          SHA256

          3a85d9347619c893fd409f03924f075b2a9ef91cf56488d61d6f93aff15b0ace

          SHA512

          98f8a222a4aea7fc759079613ce189d1555e9375407116810f59ecb8618cdfd201027a0bf37e77107660797b4405ec70bcdd40657898bf1eca890f77c8efa454

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jawshtml.html
          Filesize

          13B

          MD5

          b2a4bc176e9f29b0c439ef9a53a62a1a

          SHA1

          1ae520cbbf7e14af867232784194366b3d1c3f34

          SHA256

          7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

          SHA512

          e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jusched.log
          Filesize

          153KB

          MD5

          e91af86515e3a638b4e0712858281f1a

          SHA1

          42ebc044d07849d273a7220e7c4849ca5387c877

          SHA256

          6f78be4214a0c2eb246d567c762d28ac72097dbe1a7acfebd2302004032455ad

          SHA512

          93c4894ed92e38f88a5cce2ffb897acf3ce489a436bccd3743cf6e888e5ebac61423e2e6b8881ebcc53af6d064d3fa7ef26cd7a526b1a85ad1164d3e9ac5773e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
          Filesize

          6KB

          MD5

          c5cb40d69cb371bfbdca73b02c7fe866

          SHA1

          7caf3dc4f286c85dcc387f3451769ccd9e4e24fd

          SHA256

          2761b9f51d0b58118770b83963fb0957ecde5279cfd7f276dcd92430130c840c

          SHA512

          8f2a4342523d2babbbeffd0b0c8dff6c10ff876c6554567d23257f0c326dbf1a69726468cb14fcbb5e5915796f4a2fc34405d004780a5d915ae241227c1de343

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpB7C3.tmp
          Filesize

          25.9MB

          MD5

          bd2866356868563bd9d92d902cf9cc5a

          SHA1

          c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

          SHA256

          6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

          SHA512

          5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wct2745.tmp
          Filesize

          63KB

          MD5

          e516a60bc980095e8d156b1a99ab5eee

          SHA1

          238e243ffc12d4e012fd020c9822703109b987f6

          SHA256

          543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

          SHA512

          9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wct79B4.tmp
          Filesize

          40.2MB

          MD5

          fb4aa59c92c9b3263eb07e07b91568b5

          SHA1

          6071a3e3c4338b90d892a8416b6a92fbfe25bb67

          SHA256

          e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

          SHA512

          60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
          Filesize

          697B

          MD5

          1edab3d51537c672529d2b982e28f595

          SHA1

          89e4810d960c1ed2fa9732ac62c78699bd288ebc

          SHA256

          0810c8d6f330d7aefe867f7ba76ede7b7173a9d92da9934b57d0eb8df9857cad

          SHA512

          6872089094325f68050c0a3fa1ba7a21bac7d81119c1b5c800637bf61ec2511507501e4dbff89c505a8016f26bda5fc64d0bb2a6ed2d06ec742c57cc310b823c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.ivng
          Filesize

          436B

          MD5

          e9c088257670b98f4564200c1e24171f

          SHA1

          90229fd895f403e55f4260fabb350969745c5e2d

          SHA256

          dfc76e6b79b3422d73087f2c4fa1312ca1dda53bdff6b142f79e605e66782a77

          SHA512

          4e8610300356e59db4021c911ac1164ab8577fe2d0781be016eaf33b30e9a9357f9beda7ccbbdcaee006269d0199018b48372516e315d7baeca0c88b5a6a55b4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
          Filesize

          142B

          MD5

          1a09a38485cbf1d59c29d8e3213e1ab9

          SHA1

          9cbe6ebd07b13a0d4b2565dc15a273629aa97251

          SHA256

          0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8

          SHA512

          a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          144KB

          MD5

          4016477fd044882c78f3c1a47d7322e1

          SHA1

          6c75ffa25ef2d1d6a658ff415b2e47964032fc6a

          SHA256

          fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633

          SHA512

          17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1

          Download Submit

        • C:\Users\Admin\Desktop\AddPop.xml.9r3s
          Filesize

          1.0MB

          MD5

          3d33b2686d6a52c51bc895b358352de4

          SHA1

          1a9872a392cad923d891d08f625016465c4cdc61

          SHA256

          ba6dcf1b74b5924e0e1f544c3660bb11a4e8fbd4701eb9a7a6e389312627a185

          SHA512

          e73a3e61241ca92ddb1663bcb7607ad98605c3e73c11e13ceda6811b2a6a9b16f6fee1d961f4c43ecbb2d0b15626ac8222bc853960742dfe1fd9cfcb18f18ffa

          Download Submit

        • C:\Users\Admin\Desktop\ClearInstall.vbs.vbjd
          Filesize

          840KB

          MD5

          62491c80b0d66f58df4d8e206bb38910

          SHA1

          d8de5f0dce8e691a26463320e060415ade8c0549

          SHA256

          bacd4dbbcd1044c0dba68765c33056d2a156cf44f9e7924f8518a1bdff115c5d

          SHA512

          07dc4e9a1f7f016239477421d6d41073b091001fe42c668f8a3f3deb747ba2a623fed84f1a09b51d82e2c439ab62d529518abb1d6e9245d89a4481c93b7d6f8d

          Download Submit

        • C:\Users\Admin\Desktop\EnterRepair.ods.90o3
          Filesize

          1.0MB

          MD5

          978f0dfdac7b08d6925bacc7e47e7418

          SHA1

          c9cd5ccff4cc4712c16c2ce4ab8d49d11c4617be

          SHA256

          a21ca96d1b3d1a29de1812cc57b550a687134dfda2209441da2ec3a61b360551

          SHA512

          f2f52fdc7062796352f7436e2ed22417eee69da51a0ff89242e8db41d435b94e5288a06141c50601903c23e9a747a3c969c1159e8df3d3835624095eb8241966

          Download Submit

        • C:\Users\Admin\Desktop\LockSave.asp.wpyn
          Filesize

          614KB

          MD5

          e645a34a8014c62d9b82b12c7d738753

          SHA1

          8a58c9da859f7aafa1f179d74a641fd940e33ba2

          SHA256

          f4b57bc7e8d17dbef3a0d7799adec042531ecce2ee75222b095ccbe19dc0aba7

          SHA512

          6797ae8cbc3b629b437143cf6e0718fc639ad5a46254973536855fbd6ebcf7d3e712478a1ff371ec4f8fee76a24160173120b64c0f19517cf00e872639f7b700

          Download Submit

        • C:\Users\Admin\Desktop\RedoHide.mhtml.qsa2
          Filesize

          678KB

          MD5

          48426eafcfff43d9dfa8c9b7fe9b18ad

          SHA1

          cd5e6eb434480c463b84139d812fcb47f8aa9ce8

          SHA256

          5413112df63bc9ec1bb737d8546c47e710c2c57cee018c526664dbf20033ab8d

          SHA512

          293f31c8c9b846d065ce7a03b9df5786f20432313e684150694a05d45f7472bbedc3f0c9535078c0e83ec80940bb4554907aae472d8c031eb62c9e73c0388c1e

          Download Submit

        • C:\Users\Admin\Desktop\desktop.ini.i0c7
          Filesize

          584B

          MD5

          5186607ff1daccb1a01ec324f36b158f

          SHA1

          0935824e46829f2e3ab31c897f0cd98989a7aa53

          SHA256

          12067a62bd6ff56c74c97f51c8ab656a5439efa59d23ffe847a7cfd3790b0945

          SHA512

          d7373a11e4451b4ea1ac8a62117e32dbc520f9a9618d4b663a67a409ea8c30073181af9c2e68e04d1454127127e9860235004908a92760bc4e9f964f1408c1cb

          Download Submit

        • C:\Users\Admin\Documents\hahaha.txt
          Filesize

          63B

          MD5

          45dfa78907ccd5154a672941b7fd7805

          SHA1

          c96e039c5d260e3fc61d65da6718d3a832a182fd

          SHA256

          7d6a89c0a71eb6607c0f9226cbdbc241a154a49e463e599ea8ff126c161ad6af

          SHA512

          45b88dc885c14920f7e309566475c1c0d35b43dfade79ae951d41b422a4cba511f36b6305f0fde21af780399929f529661e1e9f1bcf0190e2b73472ed9950f2b

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini.pt3q
          Filesize

          392B

          MD5

          2b4c3616a4c66e7eaeb294a8d3ef30fc

          SHA1

          6b96ae3709d2df8fcc2fcfa4b4844b2806e6991d

          SHA256

          aa639eddba0f0c02e9ab853283d7881d17b8d60d7cfb2c05728401db3a6cd53c

          SHA512

          bba700273f2874e09da083773de0a5b777093afbb10920ac3d403c6e73bfc1b78834dd3a864567b074679a60cd4889ac6257056cacd47f025d0b67d14c05eede

          Download Submit

        • memory/1044-429-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1044-15-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1044-447-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2412-432-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-440-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-433-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-442-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-437-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-443-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-441-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-431-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-439-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2412-438-0x00000233B12C0000-0x00000233B12C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2604-497-0x00007FFE8BDC0000-0x00007FFE8C881000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2604-504-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2604-496-0x00000000003A0000-0x00000000003DC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2604-893-0x00007FFE8BDC0000-0x00007FFE8C881000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2604-894-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2604-896-0x00007FFE8BDC0000-0x00007FFE8C881000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3708-1-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3708-14-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3708-0-0x0000000000300000-0x000000000032A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4504-898-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-897-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-899-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-902-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-901-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-903-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-904-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-905-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4504-906-0x0000026E038D0000-0x0000026E038D1000-memory.dmp

          Filesize

          4KB

          Download