Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

234.zip

windows7-x64

1

234.zip

windows10-2004-x64

1

234.zip

windows11-21h2-x64

1

antivirus.exe

windows7-x64

10

antivirus.exe

windows10-2004-x64

10

antivirus.exe

windows11-21h2-x64

10

Resubmissions

31/03/2024, 14:49

240331-r687xsec77 10

29/03/2024, 09:29

240329-lf9swaeg87 10

29/03/2024, 08:58

240329-kw8ebaed26 10

29/03/2024, 08:57

240329-kwtadsed22 10

29/03/2024, 08:49

240329-krew7sec34 10

Analysis

  • max time kernel
    551s
  • max time network
    514s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/03/2024, 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    antivirus.exe

  • Size

    144KB

  • MD5

    4016477fd044882c78f3c1a47d7322e1

  • SHA1

    6c75ffa25ef2d1d6a658ff415b2e47964032fc6a

  • SHA256

    fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633

  • SHA512

    17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1

  • SSDEEP

    3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 36 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\antivirus.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4724
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:784
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3208
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3464
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4736
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4368
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3148
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2172
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2116
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1308
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResetOpen.bat" "
      1⤵
        PID:4720
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
        1⤵
          PID:1416
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          1⤵
          • Drops startup file
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1592
          • C:\Windows\system32\WININIT.exe
            "C:\Windows\system32\WININIT.exe"
            2⤵
              PID:4652
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            1⤵
              PID:4816
            • C:\Windows\System32\DataExchangeHost.exe
              C:\Windows\System32\DataExchangeHost.exe -Embedding
              1⤵
                PID:4132
              • C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe
                "C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe"
                1⤵
                • Drops desktop.ini file(s)
                • Sets desktop wallpaper using registry
                • Suspicious use of AdjustPrivilegeToken
                PID:1800

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\.ses
                Filesize

                53B

                MD5

                c29fc8dab98019241e58f381bed6329e

                SHA1

                578ba8c2ca06e405de7fd72e258530e6283e06d9

                SHA256

                91c9dc8117a50d7b5a8e2752dcb4b9a4f965ef8bcd086b9320dacd66978713dd

                SHA512

                eba8f241b53d1c4d01717a4faead34c0aff5162150fe833c3a03aa027ecb40a58b9770e3debf010f4686fc83280fd3c87e1e878e3c17b6e72e3db604b306bbba

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
                Filesize

                1KB

                MD5

                38c37e267fe1393edec4f9fa42e0f4b3

                SHA1

                83d4dca12536f37deb851073d1590f7a4db0e946

                SHA256

                0b227756de976c2a4924e33f4c5d5cb9c49f69bde6992306799c54f67dc077b7

                SHA512

                b4812d92ea290f793c11f3bca9c63f5258bfecdbb6ac1c6212bbe1d7ad217c1ed4df01abfa312beb05233a9a658c0ff878aaedd516f0417b88ef2efa1fcd60ab

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IDFVLAON-20240221-1233.log
                Filesize

                57KB

                MD5

                6b3a864e9fc296d345cd560bcde9fbc5

                SHA1

                d505ee20562039ee2f90d47186abb4867b1af662

                SHA256

                4ed8a366ea302b5ee4520c7f0108aa78d39a015b8c392d995e7cc54b691136bd

                SHA512

                06492da9e82de0dd5b3c6dbb5134a6b4e3de6f5e1499be4b8202cebd699bc52ea100a476c5ecec47188f71e01a1bed8a1c8a64c3a03bc3f3c5bdc65c382778d4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IDFVLAON-20240221-1233a.log
                Filesize

                181KB

                MD5

                6062caebbe1804189024b1ca6f526375

                SHA1

                96916acf4d3e717cb5d7d6531fc850410e047133

                SHA256

                3a731a908c60658d56f5c23c3cb77ce3bf10e01a70fa4c01f562a94f5d96ddd3

                SHA512

                52a74b437745d2410886ec8e938de18e5056783045577294a63485b4b45686783d846c1510907be36e58fe3348eec2279de665793d1d724ffcb68822a4badf1e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
                Filesize

                13KB

                MD5

                febb2466d85d397ba8a2b4a387aca089

                SHA1

                b5cce6fbdcc333ea18c588c29acb53594c38bd25

                SHA256

                6216714b8839f13d0ba5d4fa5b1627740d0ebc4998bf72f03e60ca5f6a98747c

                SHA512

                806aeebf68bf79680ffbd9b9963064c860ac38c9d74a62c8f88e1924ab3823cecaed9dfbba34a5282c2fa701af2ef951de21097058572e5fdf55f2eddc48d8ee

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240221_122928500.html
                Filesize

                94KB

                MD5

                9783e25158aee0e1d1ed22ec6bfda917

                SHA1

                3ac7b47b63dd2a8ca275dd2ccc7960fca93bf131

                SHA256

                3a30d9c9b7de7c6c7b57b04fdadf792c2cc6fed1a7fdbff940c04c57dd0598dd

                SHA512

                220011103c760ee0a5a65c8ea4b495072330b6d03c03ee365129940afae0e409b882b2c005dcb77a0629c1a570ecc53c44435c1edddc48caf74c20d7af5153bb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221122953.log
                Filesize

                15KB

                MD5

                b416879f686d255f37fa09a30b604fe9

                SHA1

                0bc68e2d952adac120a16ce666d85276fc6fc309

                SHA256

                11445a9644dcc4d9b24d908788137724861253b7088fc9c0600bd8337f6257e2

                SHA512

                d8e264a8c05954ef565aca50a55331a1a3d403eb143acd3adafac6cace4c330e771a62c1822f2182f3aa183ce3c8544ca3f226ceb615a80c780e08204bfcd3b6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\aria-debug-2880.log
                Filesize

                470B

                MD5

                0cec55727b8fd7f37260ca836aa7946f

                SHA1

                a5ddb5da84ab3109080af98921ce092104b08f01

                SHA256

                6caa8fdbbee5b7e8f0092c800f64ac9b0462e196d87ba0b6613e64b9a2cf7fc5

                SHA512

                c9362db0355429262552eb5ca3e2b22531b3adf34a91c72d6439036fcbd5f7d9059f76c9e6264b8eeac820c35c778f4e462f80d7c7a6348bf16b054eeb3be55a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
                Filesize

                6KB

                MD5

                a9ae28665489552dfeca3372506f8c67

                SHA1

                9f9e826d69047b22040f41a1934f5cd93986a526

                SHA256

                92c1797d8c66ceaffba8b5147e6ea2209f251860b70d16bd4c54fe4f8954fb41

                SHA512

                329d7279f678f5270e48fbc34315d1bad9f7b8e1e959b3b9c7b9ba64c599676b1aa644389e1b25e9ed9c6d370eb8e62c24ac60dcf7a2606c34e9ca9b891539e2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
                Filesize

                1KB

                MD5

                92d9363a05627847915c33fffa12f014

                SHA1

                2e8e8cb95e0bcd56da3b7126d854be3c015071be

                SHA256

                f912c90d490a6ea6184a1e08bb6587b1c5992898f54c85b97d7eda145d7671b6

                SHA512

                58343be2706c83b674e3198060818e2c9ba4f10c4b6b5c755d558d1823a5acde522c977897fcb9d066ad067a563a6d6f785cfac5b0e42638155bfdc2cf57664c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI66C5.txt
                Filesize

                428KB

                MD5

                a2f1f21da9bdc51256ce7bd0cf096322

                SHA1

                b0ba2c19436ec7f663f91c67d4f45f9d9ea4c35f

                SHA256

                bdc691f3a450c0f0aa4a522e284dee90290f9391f286a4f9f0d2454045fc47df

                SHA512

                1142a6f336abca007a9e6a14e70edca9f1e5fff43c21d753d77d6f3a1a92531f6ffd1310fde3078aaa73b9346172f92eda06c1538f5dc82d03f408164d84d281

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI66DF.txt
                Filesize

                414KB

                MD5

                908a6356515f3d4215fb98a9a5bb0d62

                SHA1

                d895707bfc712f9947b17aa8b474358d0d1b5dc1

                SHA256

                6fc2f89be384f099da60bb8aa87fadfea662adf73dbeaaabb65d7da4e860347c

                SHA512

                be6915a343449c228644debc3ca6048db456267acf0b1f4993a68528dc07e95070ad00f6c3a2d006dfbd39c3611969604c23d487034598259d4b308b5028c264

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI66C5.txt
                Filesize

                11KB

                MD5

                12c38938d8adc89d241f797f27c21554

                SHA1

                88a1c7140f4a5edc9aef5f7ee002a25d6b336694

                SHA256

                a9f6935eedba6740c00ef867f4f840c40d802edd1170f49fac44c0226f0c988b

                SHA512

                d4afc79044ea89596230f8c1850b60259544f160a61852464cd09e8a5c9dc2c25b204c1cec2a5dd361c4af84e9fc64d4432fd5d1fc2c5846d07919d9b95560d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI66DF.txt
                Filesize

                11KB

                MD5

                94ac936f643f65cab18b82fda84c1e92

                SHA1

                9343f855f587d4d2b80f9ebd9bd40758cc25b3c5

                SHA256

                015b0d42a9ecb820b26e493771068fa197a1cd6a86ce092fe587d72ee57b38b6

                SHA512

                165446d33610f7dd754cb8d32d9b14d50c5ca1235c50aa9287236c3f657431fdb161497123851cfc8e5ea1de2fdbc3821d876bcb1ff18ca4812edf6328f35c02

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\jawshtml.html
                Filesize

                13B

                MD5

                b2a4bc176e9f29b0c439ef9a53a62a1a

                SHA1

                1ae520cbbf7e14af867232784194366b3d1c3f34

                SHA256

                7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

                SHA512

                e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\jusched.log
                Filesize

                153KB

                MD5

                b5a37e8de14d397cc8754e0527339b84

                SHA1

                359b5fe5e251c65527c135395d448666017d1e19

                SHA256

                cf6b5d36fc0ce15c0094ea953e2090500fe9473c36319a996cf59cf315d58384

                SHA512

                1d2b9c722624a1b68f8d795dd488930c7bc350edb198682e27f4a7bbc51d7bad21603c143dd48244f8dca61143c84fecfd9fcbebcf8a7c8857c061d789d8254c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\BackupConvertFrom.vbe
                Filesize

                235KB

                MD5

                a7a53935d0588ab5d37a7754aac51805

                SHA1

                5d20d7e5058ffa9bc5b7723ba96d32e478bd651e

                SHA256

                5caad74b0f90a261677cb028c07db4cd9052dfb65e8b6ef8e68701c084be9d82

                SHA512

                78e7e39c13397900e072391e1d66061059c376098cd21e53f85946eef1fa974cf8398783851192cf1dd9356ed5168b54bd284806374134ec3a5526a24c09db8b

                Download Submit

              • C:\Users\Admin\AppData\Roaming\BlockAdd.svgz.3pyz
                Filesize

                174KB

                MD5

                e6c37cb8886bc08ad14179ed2bb289d1

                SHA1

                5689c57ccb816be4f7ad3f24c241552b8091eb27

                SHA256

                d988709e089734ba829de1745a91abee145009b9a0b19c594614d2081c7faf47

                SHA512

                d04e04fcd7e1b5acb974c818b0b83f926f7850dc9df47238f1860b0732aaccec319dac63e472b93cad698a5036f1fdc8b617bc20c2ea29fd7d5e4420f7f3f770

                Download Submit

              • C:\Users\Admin\AppData\Roaming\CompressSuspend.xhtml
                Filesize

                111KB

                MD5

                01edd6b7a872fc81e9701bdf5fd346b7

                SHA1

                ad7a4d13b372670d5f8558adc9d108500b1a0e27

                SHA256

                c36bb4da7df349f2fb9122a9a4d64445540b5090dbfd5c9653e2312598ac5fc9

                SHA512

                b31b3d2c9e7b52300bbee5d4691d67f728621073b1cd157a1a74b0bce42b24f761a5ab9b5d1dea78e1360f28cecc53122738df321014cf15b270c105af8923a3

                Download Submit

              • C:\Users\Admin\AppData\Roaming\CompressUnregister.mpg.cums
                Filesize

                183KB

                MD5

                1537f2d5ad04ea4d59841047c7e120e4

                SHA1

                e8354636f3a1a07b529a23f06eaeb30885bb00cb

                SHA256

                c8cbc92e03d408b8a098337199ad06e3cfbc7a8b2221eef7ed2a477f7bd414fa

                SHA512

                017b2d8a9bf98019a93f6e7b8fd9aabf07c011a589b52e57c2f4a1da65382320740c57446bd7dacdd69b09ebf8386e18097c2e36044707c10b0320706e0bfa80

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ConvertFromJoin.vbe
                Filesize

                169KB

                MD5

                0b5a2498d90b8aaa294d6fedc551b632

                SHA1

                221e7d3f3553c137f220c5fc7c1d16025c164539

                SHA256

                10ab9211cf192371cae9223bae26b14821ee9624f0611ce00744ba3ee2f35051

                SHA512

                3f4e7d56e92ce8e7597abb6b1a0b613fb64c8bf20b5df60ba60cfd1c83f67be946ab188a8e687610b6072a0461e339917127d62f1585b662e1a2331b76b109ac

                Download Submit

              • C:\Users\Admin\AppData\Roaming\DenyCheckpoint.txt.1qob
                Filesize

                339KB

                MD5

                ba4f6c63f44b5bac8aa9a8533f376dfc

                SHA1

                07bb356f22b6601ba35a8472dc10d68080bd22a2

                SHA256

                5d1fc3b7544d99fca702cb0813c9cf5b0f157da42c6cdbac59d3b8b93fa39ede

                SHA512

                62109ffae3fac3d07b0939391ec05524e16b8f73e467c358b9b11dd1fe1b92ce6f4ca285f3ab63cf482d9d493c2fb5eb99f4cee3f5cc1e7fc41733ab2dbf51aa

                Download Submit

              • C:\Users\Admin\AppData\Roaming\DenyOptimize.iso.egb6
                Filesize

                139KB

                MD5

                c4d24ab9747695a50b722cb09b82a436

                SHA1

                4062ce7a79f97b325d73169c71d2198a3bffcd3b

                SHA256

                f3ad77b402f88d3c31024b56f7ca93b864d685ffaf7e0db48844d5ffaee737a4

                SHA512

                d28a1597c2764905ee7969b5c90a45663aa75cca4ce6463962d6b97f2771aa7e90403210112948fcfb9bf9ba512c9db5e05b6962eeef2413f299e119989feff6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ExitBlock.mp2v
                Filesize

                215KB

                MD5

                04304138b38ca3cd6747f0066c826edb

                SHA1

                cc0d5c3c7008358e5c214e9f4c9e1da0645fe67c

                SHA256

                445fdf55b94c426b8aeb5e68ce43057b8db7296f75c6040294ffe994faa7ed3a

                SHA512

                56667ea67b7a3375d02b8c89634f171ae365b662bfcd32645fbd60f21453b97f96147fd6857a4257663dfe44dd5644b41b88a6d22a47d875b01bf9ddf23710e9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ExitOpen.edrwx
                Filesize

                202KB

                MD5

                a234cc6a8472fe100e5bf364c4150bf0

                SHA1

                1fdbfdaa9946e2c588ffbdef6f16d4216570f87b

                SHA256

                ac184d358ca7de1db3fbe26c43326ff85401f33200bb802acd8222677ba036a3

                SHA512

                cf8f525290372c19a36b2ba2842a9f98096675cdbfe11677bfccf50cc2c8bb82cdbbbc661465597424f60c7ce551ebc435e2ea30cbb00feb128b2f494b98b2c7

                Download Submit

              • C:\Users\Admin\AppData\Roaming\FormatDisable.3gp2
                Filesize

                91KB

                MD5

                c37981d090b6e4bc2c30cdec24d9a47b

                SHA1

                c9e5717d6e15ae7c2351628e4486da66dccca06b

                SHA256

                d67b1ec036ee144957e3886ca5b702fa641089f3d05a224282f73f649000c7f7

                SHA512

                dc6d5c39472a2103aa9435ad926fd21cf47038c9d9be270efa7f5203b2ab1ba5460286f0d5aa5259713b4f7802433f3d425032b5faab11eb8aeacfc2172683d7

                Download Submit

              • C:\Users\Admin\AppData\Roaming\GrantJoin.cab.gfj1
                Filesize

                304KB

                MD5

                65bffc958539555ce83619a122f49114

                SHA1

                5fb201da2916475f6a963d0ae3efc54b8380f5f9

                SHA256

                21c43111c0328db00a30469c49c3dfa10677a04a35617402d7d10dd77e50d4eb

                SHA512

                f258905f613a0ca39065a9d6ff4a6589848a848580dcbaf31f18102558d8f4849f7d1fd419216b471bace61a18dbcd781019075375c0f43a5a9465c5ce1850cb

                Download Submit

              • C:\Users\Admin\AppData\Roaming\HidePush.dll
                Filesize

                97KB

                MD5

                fbb399e5b8ae0f18b0a7a194bb7d6825

                SHA1

                33976d583c480d181aaeb1dcb0043dcf6870b734

                SHA256

                e84915e6bba41b9e9521ec02107f172950af46bb8407ec7780a0804bc86ddb51

                SHA512

                9386882f6b734245e729bc1daf155c9732241d4e349eecefc183aba6146373b996fbdf2ee1b0b44e4c30e369f90bf8f2cd9af3fd852a79f9ec62278157bda36c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\LimitCompress.mpe
                Filesize

                156KB

                MD5

                81f52527178851f4ad45c27238a826d1

                SHA1

                b75b036cb0229843657dac19c3a71b978382b8db

                SHA256

                d824ef1582d089b83bde2f0829336f1ed2cb0edbf1aefc5d1ab1d13761cc56c2

                SHA512

                980e55ded6d2af59b0ce11b4d875b1d2f3a120688687a915c57f8488af7cfce97fd634a01a5cac7edb0fac86be25e7420aedeca2ef9f2047f0eb0d4bd8271802

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MeasureSearch.vssm
                Filesize

                150KB

                MD5

                9c6dca3f82abaed1efffa1a351d3459c

                SHA1

                6ac1bcdf6acc11a2ccc0329c64de6d8519e1b7c4

                SHA256

                60d8b8436c33327af7adf3c73b18ab5ca855bc26fee0f10f8719cfcfb1497076

                SHA512

                1ff9f9ec308b1a6f04aafc14d5cf69620348df529cd713be024789cadd192f07746cac9e41c87f51b7adab4536d58f09953dad73d2dd4efc3e46fb609d757925

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MergeUndo.csv.oczc
                Filesize

                348KB

                MD5

                2a5a8f8e60e398ea5d7759d8909488d7

                SHA1

                9f598af8e4fc47bcd7aa2b6a3b875d75925385ca

                SHA256

                9ce6ebe13380dc66f6a3eb2414c472189157c02b0ba27221781d7317a488be67

                SHA512

                c755f6e1f90662d4e3da762ff4b916bb2380645507d895f4fda1e89553e0fb0e33735a17a5b9f3fa5d1680db4855f6d07f127f580d6a6e13709e19bbdef244d9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.pvog
                Filesize

                436B

                MD5

                fd6f22f5983550486f2a28096c48ce10

                SHA1

                bafe6204a02f0c8ed3dce5de991c9e0e30602430

                SHA256

                06f26cfa52d28715697f233ea3331304743e517ba69c7b899a2a1b8c244da91a

                SHA512

                07380de784b9c2bfb76f87265fcec9fc3ff679286bcd70b77dec6506d75efe196735644154c45cb0212c80f868c2d80894805ea7f6880d2428e3cdc0eea9df40

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
                Filesize

                142B

                MD5

                1a09a38485cbf1d59c29d8e3213e1ab9

                SHA1

                9cbe6ebd07b13a0d4b2565dc15a273629aa97251

                SHA256

                0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8

                SHA512

                a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616

                Download Submit

              • C:\Users\Admin\AppData\Roaming\NewRedo.xml.x63t
                Filesize

                235KB

                MD5

                262ff760d7355f91714aa49c12123086

                SHA1

                b220915ad4f8b5ece2b7a25455a5fff157bc66c0

                SHA256

                6ae0e8e925658a15de1a8dbef36492e6244e154c86fc2974f004f0012af5f882

                SHA512

                00d38addcff22be1c0c80074d24e58d4e67af18f2f56fda6e889173ab4f34a2821aec1dea6ecf4a4c04ca35af21681243cd2f897da82258fc4ea19814a5b807e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\OptimizeCopy.vdw
                Filesize

                248KB

                MD5

                6df54529a7db427c887e0d4341cd790b

                SHA1

                9eacabe62c4596697a061adcf24cdd01cdfd90a0

                SHA256

                76e5099b5fc1c425294dcd0a7d4f349ee5f7a6402c21db2fdac451378ab474a1

                SHA512

                bd5d526deca50232840dd354566de0676ac6b8d53ba75145864b0aa4a74926e4d64f841e1852460f66eda1d8fb93ed3c481931b0694efd46cd4d01cebcca3c5d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\OutSplit.html.15dj
                Filesize

                278KB

                MD5

                0ac8a347901efb7484809aa0f59563d5

                SHA1

                cdb50e9ef802c6cce020e52705fb67be8c08ed78

                SHA256

                2df9a9e924c2eaf298e18718f4f8a97b861d62d97d29543b0cc7e443cfb3ac05

                SHA512

                499b603d64a91b0096255a093ddb80aafaecba6849967feab61d36c7994620ec61e66bdceb2e08fcfd73a5259994dd63e66e668cf40598662bd4320bb51c1e1e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ReceivePublish.rmi
                Filesize

                222KB

                MD5

                914efa5e9a27eb511868c4ad622676ce

                SHA1

                4277422e2cfcdf4146834a8147ba27f39280577a

                SHA256

                9f968cb2a417dfd67d40264179e67ca0ba5528c4bbaa09276ea2619528bf654b

                SHA512

                fe83ae9ea341899d07dd53dcde33b90bbb60cddfe9f79378d3068791aaf2f1db043aacb2e335e12db5dd067c1696317320cdfa8c7202b394243883a9357187ec

                Download Submit

              • C:\Users\Admin\AppData\Roaming\RequestPop.mpeg3
                Filesize

                143KB

                MD5

                90814fbcd3adfd8f02c5a8cf7b381cec

                SHA1

                c10c1c04361ec718e05446e10578983d061db81d

                SHA256

                82e00fbd2c08c34db91a277c1d4ce25f948321dfaed190478c14267f84b61131

                SHA512

                e8be36361ef7f6d6c1e4250bcd7b5d7ffe549fbc9260fae80dbbc28cf02f55eb8a32c25c2681618529802ef34917a30e8490c587e657d7988ec492188ed361b5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SearchMeasure.ram
                Filesize

                124KB

                MD5

                aa7ac3f75da3dda16ed30520880955ee

                SHA1

                4e9e0c5ed4faf68ef7ec87978615bc1b13066bae

                SHA256

                d9cd104adf3c5d2911dc843c632ce31345d75511b57a098b1c8c15f00cce2acf

                SHA512

                32587e7e344c83b02435827db45471296842c7a676d5af1658fa3fe5666b06f14ff2fe055aad03229514fb6e83d5812b469fcc5277f5f06e5391c17df0a5b205

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SearchSubmit.txt.xxyg
                Filesize

                217KB

                MD5

                5d3de0545316f8022373640d20425587

                SHA1

                8c8e4e2c607dd7837fa1734cf3ce96c53b7d1ec6

                SHA256

                359428b29cf81f1a25fae9129c62d36a1f4649f8cbf5d93d92014c6cf93a69f6

                SHA512

                e3cdf688f18e16554b9efcb78f593f3fffc46c9bade69c627d8095c4c0e92387682c3200d2923576e85fdac63661fe216ea8363f680d35eb721e7edc61dc4aae

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SkipFind.easmx
                Filesize

                195KB

                MD5

                ab2c33ea3637390bb87740e4cbbe46f7

                SHA1

                1775fbe8693ae45cf32aa538d0248a407f3a9fd2

                SHA256

                39fc29ab9110111f8184c4fa14ab8461e2aec88be20b12869f268c633fcce432

                SHA512

                ffd3f5301bebb7004c02d92540dc2b047931bec3f0e0664ded7bd5662c09948153b61b7b4bcf4f3f45fe39010a561b948566d53d3419bca8e8e22f77022b4e7a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SkipProtect.aiff
                Filesize

                117KB

                MD5

                85b866db9fd6a2ee03ec0e9a673d3a42

                SHA1

                525789cca1808e876138efd4c70f24fbe2bb6b4f

                SHA256

                0f6e0138486fefcec11555b5256e9f2c1abb05cab8ea09e138f72f363bbbac0e

                SHA512

                e587ad1c6fb80e79068b620d16068894c1736c53d682822a4fbfda936d1337c21ab88e3c5877c063bab7286fca6640eba17b6d4237369847225bd8d7bbadb348

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SplitRestore.odp.1c5c
                Filesize

                479KB

                MD5

                37e3cfdb5e4992b0b86d1bb3d2e80e58

                SHA1

                e1ccd9dd71d0ad3149396f3f4fdd1ba6f9f76d8d

                SHA256

                c74a786fcf37fd9e309ba7e33f9b22085cc7eb83f0e754e1a3a21bde8624aca4

                SHA512

                ed9f4edb745ad2a61b7093c93420a9a20daa2a9ed2cb82c4a4a836394b0718cd4a5c5351f0a102155eb07bc80c69675b7d654d9c7f4b459d721c7325696422c6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\StopProtect.rar.b4fv
                Filesize

                244KB

                MD5

                8fd0095b6bd24eb269f5f8b4f9e1a2cc

                SHA1

                5a59af2292b3a7b0d54b712f16e5e3827a49cc31

                SHA256

                3268d3204742f2c4906b6f0ba8867125283b7b5592d4c8dbc82c8759d8b5d239

                SHA512

                ecfdfaf11d3650d8d9d9c1cacb77b609b7674bfc26730f0a23f5724f8e2f255807f28c3ff3f5e3ee85adb034dc2d3f5db4f057f0e74279c4fc3fcd4e35fef799

                Download Submit

              • C:\Users\Admin\AppData\Roaming\UninstallEnable.csv.vxrg
                Filesize

                252KB

                MD5

                c89e369da25f5a7b07b10b72d021f621

                SHA1

                f813c75148eba4856633f0fb3c26de0aa6729312

                SHA256

                e48d91668aa0fe452badc513905a2d1b7dec30bf60701d35f6efc03e0241f9df

                SHA512

                2ce44fb22839a18503b081df9d4edadcfc0ee65cb5c92811619f0cced55c7004e074bfe53c089e8c62f1b86c8809124965767a8359f9ab4817c38f05fa4c7037

                Download Submit

              • C:\Users\Admin\AppData\Roaming\UnregisterMount.dotx.wcja
                Filesize

                322KB

                MD5

                189d8f91ff8c904339b3f2d60b55ccfd

                SHA1

                c0c02f34bd09e5a304ff87c45f14707af2f89f5d

                SHA256

                ff54286df226ee918bd06571584faf34f7f021fc6f4e33c7a43f7ce86b47df6c

                SHA512

                010cbc854beb88a59ca3bbf81485c64acbbeb74b48bad1167b3f5b993546e6d6644f0e4ba0a1ce00265df8b52a3da3322469cb30d3b7bd40d6c7fbbf163bb995

                Download Submit

              • C:\Users\Admin\AppData\Roaming\svchost.exe
                Filesize

                144KB

                MD5

                4016477fd044882c78f3c1a47d7322e1

                SHA1

                6c75ffa25ef2d1d6a658ff415b2e47964032fc6a

                SHA256

                fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633

                SHA512

                17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1

                Download Submit

              • C:\Users\Admin\Documents\hahaha.txt
                Filesize

                63B

                MD5

                45dfa78907ccd5154a672941b7fd7805

                SHA1

                c96e039c5d260e3fc61d65da6718d3a832a182fd

                SHA256

                7d6a89c0a71eb6607c0f9226cbdbc241a154a49e463e599ea8ff126c161ad6af

                SHA512

                45b88dc885c14920f7e309566475c1c0d35b43dfade79ae951d41b422a4cba511f36b6305f0fde21af780399929f529661e1e9f1bcf0190e2b73472ed9950f2b

                Download Submit

              • memory/572-14-0x00007FFB28050000-0x00007FFB28B12000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/572-0-0x00000000001E0000-0x000000000020A000-memory.dmp

                Filesize

                168KB

                Download

              • memory/572-1-0x00007FFB28050000-0x00007FFB28B12000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1592-463-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-461-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-462-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-460-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-456-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-455-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-454-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-465-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-464-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1592-466-0x000001AFF4650000-0x000001AFF4651000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1800-530-0x0000000000080000-0x00000000000BC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1800-531-0x00007FFB27B80000-0x00007FFB28642000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1800-532-0x000000001AD00000-0x000000001AD10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1800-928-0x00007FFB27B80000-0x00007FFB28642000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1800-929-0x000000001AD00000-0x000000001AD10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1800-931-0x00007FFB27B80000-0x00007FFB28642000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2520-15-0x00007FFB28050000-0x00007FFB28B12000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2520-452-0x00007FFB28050000-0x00007FFB28B12000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2520-479-0x00007FFB28050000-0x00007FFB28B12000-memory.dmp

                Filesize

                10.8MB

                Download