Resubmissions

18/04/2024, 20:02

240418-yr4gfsef9v 10

18/04/2024, 19:59

240418-yqw1zsef5z 10

23/03/2024, 00:07

240323-aearlsag84 10

20/03/2024, 19:20

240320-x17psshe51 10

20/03/2024, 19:18

240320-xz2gdshe3t 10

19/03/2024, 21:09

240319-zzr9tsgd4t 10

Analysis

  • max time kernel
    211s
  • max time network
    219s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    18/04/2024, 20:02

Errors

Reason
Machine shutdown: {"level":"info","time":"2024-04-18T20:05:54Z","message":"Dirty snapshot: /var/lib/sandbox/hatchvm/win10-20240404-en/instance_30-dirty.qcow2"}

General

  • Target

    GH0ST.exe

  • Size

    127KB

  • MD5

    90b828929de1319e5b9bf94f4ae990b3

  • SHA1

    8fc41267cfb9f057e78beca15b775d20fb01434b

  • SHA256

    14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185

  • SHA512

    57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921

  • SSDEEP

    3072:oDk4Rq96liXWAPEV9Ue4znvqg2WVrxuF:h4Rq9UCW7WhZx

Malware Config

Extracted

Path

C:\Users\Default\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
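Several of the signatures above (Adds Run key to start application, Disables Task Manager via registry modification, Sets desktop wallpaper using registry) are registry writes, and the report gives only hit counts, not the values written. The following Python is an added example, not part of the Triage report or of the sample: it parses a Windows .reg export and flags those three artifacts. The export embedded in it is constructed for the example; the Run value name, the wallpaper file name and the benign Mozilla control entry are assumptions, while the svchost.exe path is the dropped file this report lists.

```python
"""Flag the registry artifacts reported in the Signatures section (added example).

Parses Windows .reg export text and reports:
  * a Run/RunOnce value that launches a binary from a user-writable directory
  * DisableTaskMgr = 1 under ...\\Policies\\System
  * a WallPaper value that points into a user-writable directory
"""
import re

# Directory prefixes a standard user can write to (lowercase, compared with str.startswith).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Autostart keys, matched as suffixes of the lowercase key path (HKLM or HKCU).
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")

# Constructed .reg export. The value name "svchost", the wallpaper file name and the
# Mozilla entry are assumptions; the svchost.exe path is the dropped file from the report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WallPaper"="C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.bmp"

[HKEY_CURRENT_USER\Software\Mozilla]
"Benign"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"""

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data):
    """String values are unescaped, dword values become int, other types stay raw."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Return a list of (key, value_name, data) from .reg export text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        entries.append((key, name, _decode(m.group(2))))
    return entries


def first_image(cmd):
    """Executable path from a command line: the quoted token or the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess(entries):
    """Return (finding, key, value_name, detail) tuples for the three artifacts."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith(RUN_KEYS) and isinstance(data, str):
            image = first_image(data)
            if image.lower().startswith(USER_WRITABLE):
                findings.append(("run_key_user_writable_path", key, name, image))
        elif k.endswith("\\policies\\system") and name.lower() == "disabletaskmgr" and data == 1:
            findings.append(("task_manager_disabled", key, name, data))
        elif k.endswith("\\control panel\\desktop") and name.lower() == "wallpaper" \
                and isinstance(data, str) and data.lower().startswith(USER_WRITABLE):
            findings.append(("wallpaper_from_user_writable_path", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_reg_export(SAMPLE_REG)):
        print(*finding, sep="\t")
```

The Run-key check flags the image path, not the value name, because the value name is attacker-chosen; the path under AppData\Roaming is what makes this entry suspicious, and the same test catches a Run value that quotes the path and appends arguments.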

Processes

  • C:\Users\Admin\AppData\Local\Temp\GH0ST.exe
    "C:\Users\Admin\AppData\Local\Temp\GH0ST.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3512
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        PID:1472
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4796
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3608
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        PID:4564
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4628
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:960
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:5076
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4240
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1456
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.326215572\1643022512" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c14f173a-581b-4ed1-8b72-5463ea126e6b} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1800 22f373d6a58 gpu
        3⤵
        PID:2588
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.1500268580\1666324317" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc037da1-733b-40b8-9db5-7dc14b886888} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2164 22f251e5a58 socket
        3⤵
        • Checks processor information in registry
        PID:4508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.1600050161\139103211" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2948 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2cdb6ca-ca3c-4c73-904c-bdcaf480c46e} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2964 22f3b69d058 tab
        3⤵
        PID:1724
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.592665314\477958844" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cf59885-bbd1-45ab-ad1c-ed08af3d714a} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3492 22f25162858 tab
        3⤵
        PID:1800
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.1804941241\627965472" -childID 3 -isForBrowser -prefsHandle 4220 -prefMapHandle 4196 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd935d4f-5e7d-41d1-9b7e-984ce706f4ae} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4240 22f3d0de058 tab
        3⤵
        PID:2548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.1597213562\293354862" -childID 4 -isForBrowser -prefsHandle 4760 -prefMapHandle 4432 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ca98365-2d30-40cf-9fd9-4483b004f980} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4904 22f3d4dff58 tab
        3⤵
        PID:524
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.145070365\2004329834" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fafab8cd-54c7-4422-b9ba-33c5b668a736} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4376 22f3dbc5358 tab
        3⤵
        PID:4072
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.7.1189076637\594625862" -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1088 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d678c78c-14a6-46aa-bb0b-2429ff681f17} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5280 22f3dbc3b58 tab
        3⤵
        PID:3364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4904
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4220
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4520
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5088
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    1⤵
    PID:4564
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    PID:5724
  • C:\Windows\System32\Netplwiz.exe
    "C:\Windows\System32\Netplwiz.exe"
    1⤵
    PID:5860
  • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4788
  • C:\Windows\system32\systemreset.exe
    "C:\Windows\system32\systemreset.exe" -moset
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1596
    • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\dismhost.exe
      C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\dismhost.exe {043EDAA5-2B36-4C02-9FC9-3354A46F571C}
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:5620
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4428
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4596
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3a87855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5452
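The chain under the dropped svchost.exe (cmd.exe spawning vssadmin, wmic shadowcopy, bcdedit and wbadmin) is the part of the tree a detection should key on; the other roots (firefox.exe, vssvc.exe, systemreset.exe and so on) are separate top-level processes, not children of the sample. The Python below is an added example, not part of the Triage report or of the sample: it flags Inhibit System Recovery (MITRE ATT&CK T1490) command lines and system-binary names running outside the system directories, then walks parent links to attribute each hit to the root process that started the chain. The process list is constructed from the command lines in the tree above; parent PIDs are inferred from the tree's nesting because the report does not list them, and two unrelated roots are included as negatives.

```python
"""Detect recovery inhibition and masquerading in a sandbox process tree (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Command-line patterns for MITRE ATT&CK T1490 (Inhibit System Recovery).
INHIBIT_RECOVERY = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Image names that only legitimately run from %SystemRoot% (assumed, non-exhaustive list).
SYSTEM_ONLY_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = no parent recorded (top-level entry in the tree)
    image: str
    cmdline: str


# Constructed from the command lines in the report's process tree; ppid values are
# inferred from the tree's nesting. firefox.exe and vssvc.exe are unrelated roots.
SAMPLE_TREE = [
    Proc(5060, 0, r"C:\Users\Admin\AppData\Local\Temp\GH0ST.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\GH0ST.exe"'),
    Proc(3512, 5060, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
         r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    Proc(1472, 3512, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    Proc(4796, 1472, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(3608, 1472, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Proc(4564, 3512, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    Proc(4628, 4564, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Proc(960, 4564, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Proc(5076, 3512, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    Proc(4240, 5076, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    Proc(1456, 3512, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt'),
    Proc(3192, 0, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    Proc(4904, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]


def detect_inhibit_recovery(procs):
    """(pid, technique) for every command line matching a T1490 pattern; a cmd.exe /C
    line that chains two tools yields one hit per tool."""
    return [(p.pid, name) for p in procs for name, rx in INHIBIT_RECOVERY if rx.search(p.cmdline)]


def detect_masquerade(procs):
    """(pid, image) for system-only image names executing outside the system directories."""
    return [(p.pid, p.image) for p in procs
            if ntpath.basename(p.image).lower() in SYSTEM_ONLY_IMAGES
            and not p.image.lower().startswith(SYSTEM_DIRS)]


def root_of(procs, pid):
    """Follow ppid links to the top-level ancestor; stops on unknown parents or cycles."""
    by_pid = {p.pid: p for p in procs}
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def attribute(procs):
    """Group every finding under the root process that started its chain."""
    by_pid = {p.pid: p for p in procs}
    report = {}

    def entry(root):
        return report.setdefault(root, {"image": by_pid[root].image, "techniques": set(), "masquerade": []})

    for pid, name in detect_inhibit_recovery(procs):
        entry(root_of(procs, pid))["techniques"].add(name)
    for pid, image in detect_masquerade(procs):
        entry(root_of(procs, pid))["masquerade"].append(image)
    return report


if __name__ == "__main__":
    for root, info in attribute(SAMPLE_TREE).items():
        print(f"root PID {root}: {info['image']}")
        for t in sorted(info["techniques"]):
            print("  T1490:", t)
        for m in info["masquerade"]:
            print("  masquerade:", m)
```

The report shows PID 4564 both for the bcdedit-launching cmd.exe and for a later top-level wmiprvse.exe, so keying a tree on bare PIDs becomes ambiguous once processes exit; real telemetry should key on the sensor's process GUID or on (PID, start time). The sample list above omits wmiprvse.exe for that reason.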

Network

MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\$SysReset\Logs\Timestamp.xml

                                    Filesize

                                    42B

                                    MD5

                                    af9459ae54815da11918db14933f1823

                                    SHA1

                                    2af5a8a71e03607746ea0db5c74cf00b9a33e5b4

                                    SHA256

                                    382c77297b5aff38c3998f19afacc6b2035b44a6b762c1a2194cc92253afdf07

                                    SHA512

                                    e8ce10fbcfac21df4de0407a3f7bf221cc60664d91e212bf539d12d9e3b9864512568224209517c69838038124c7be0313a63314e052b190fa4a31121fa36155

                                  • C:\$SysReset\Logs\setupact.log

                                    Filesize

                                    28KB

                                    MD5

                                    8d75a07a9ddc517e1205976f5720482a

                                    SHA1

                                    18448b9c8da4cdea8d546f0ef9a0ed4fa9802e6d

                                    SHA256

                                    f5b798ebfdb0fc31763b7fec0a16fa5ced0f6428f852546c0ca3ba44b9679f70

                                    SHA512

                                    adb42670eb1357e1642f2d72ce46e975d0c6e56451a01c8de683f84b62189e8f01161b327c625fdf55c350073ea35ad2252227b7b72719905d632bf95989210e

                                  • C:\$SysReset\Logs\setupact.log

                                    Filesize

                                    29KB

                                    MD5

                                    2066c108fec6817b7ee03a956e85fcad

                                    SHA1

                                    07d7f3ded519a5725ed3e13a4ada98ceb40ae108

                                    SHA256

                                    782dcb1d0891f4028354318dbb49bacb74ff653f9314a7dfeb902b55075aa8e6

                                    SHA512

                                    89cf31cf5f3a05482a430c1e9ed72996cea93e445ea041e4b1e3ff2bb70a1df1d2bce12a99e3088d0cf920ca9f087b75fad6e7b65bd4f7dbc3c52ed9b50f9f37

                                  • C:\$SysReset\Logs\setupact.log

                                    Filesize

                                    130KB

                                    MD5

                                    28b1fd95dd84a09e4b5d098987ebdc0a

                                    SHA1

                                    0a7af60e5094ffbd8b078d448b68c928aa54c129

                                    SHA256

                                    318dd8af22bdf70902bb6dcd6e1cc5c8ac4cfa08573bc5331109679ec1e44eed

                                    SHA512

                                    a04746ebceb5a6e0c2b344709deed50d90e1ae9f0c815ee9b7f2ed6bb243b26b40777bbd5c15a70460a7b7fc5f2189d60127e6416ba7858d86eb9ba492c5a570

                                  • C:\$SysReset\Logs\setuperr.log

                                    Filesize

                                    504B

                                    MD5

                                    c8350cc14095ef49bcde7072efe31ade

                                    SHA1

                                    5382f54f7c34635a20555cdb27a83d78621036e0

                                    SHA256

                                    cf2394a1e04db80a814af467c506c664c726ffab2b6497a5ca7b76b8b86b0e8d

                                    SHA512

                                    3cae93f151452d16cb9de7cc2a55fb05f8332926fdf4e3445fe957aeceebeae3bbca1b19901998c2837084524fdc3272e02294ef1d8dba3edc1faa2ba0555363

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\DismCorePS.dll

                                    Filesize

                                    160KB

                                    MD5

                                    4e43afafe9483d72a5838cdb8ea8d345

                                    SHA1

                                    779d8c234343da4ca7fbdb16b5861eecb025f6e3

                                    SHA256

                                    80e83929245c4377ecc73b7596ebf885d8e919b69ef975701a082d2b5cf2150e

                                    SHA512

                                    22267fe42128333940b9574fc5f5a70f0411280bd4e294bb456f987eb30c5ec1be12f4e5ce44e7007d793a3924032315782eaea96ab18da832ce56c1f0a3fe3d

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\DismHost.exe

                                    Filesize

                                    140KB

                                    MD5

                                    9ad8d8d2c6126cf9f65f4ba4cd24bcd9

                                    SHA1

                                    505e851852228545903c2423afa81039e0bd9447

                                    SHA256

                                    3687d79e43b9c3aa9ff31dbaafdd2f4674ce0937c7fe34813f43531f32e7aded

                                    SHA512

                                    e38d6af47c7443119fb73fcd6bcb23dd6b96bce19c4a98802af96fd6751e12a8add8c48cc0062ffe315aa7a5ffa6c38787c4f2051a8f6b97ac0dc86b3f8d279e

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\DmiProvider.dll

                                    Filesize

                                    389KB

                                    MD5

                                    a5661f7b81dc9ed60d9c3300188447e6

                                    SHA1

                                    9185aae37ad34a4e749de06b1df53d19d5b3aee2

                                    SHA256

                                    945ff6d452fd107e81176e28716bb2877a2ca00f3099634f949c795034788f45

                                    SHA512

                                    55598e15620699ea115e597783cd128c659d27eb5c18ee813bbeb266b7baf083f9012219b991fefa6b540b46552c73b5e7ca8fefa24e7b124017144b1dff1d8b

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\LogProvider.dll

                                    Filesize

                                    139KB

                                    MD5

                                    76dccc4bec94a870cb544ea0ac90d574

                                    SHA1

                                    0e500d42b98d340aadd3e886b0c4abefa8b92bc5

                                    SHA256

                                    53637290e64e395a0f07d7423096ccf341ccdf1dcb6e821f4e99d47197ea849e

                                    SHA512

                                    ef01adbf1dfb3856d5a84512556f38af291c0938c1267c8d627e1205385f7be56b0a7e2127f18818f987b53f0a3f910bc930d692be2a8429d03728d086e91a0b

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\OSProvider.dll

                                    Filesize

                                    126KB

                                    MD5

                                    bb0d5feee5b2f65b28f517d48180ce7b

                                    SHA1

                                    63a3eee12a18bceec86ca94226171ffe13bd2fe3

                                    SHA256

                                    f6c4fd17a47daf4a6d03fc92904d0f9a1e6c68aadf99c2d11202d4d73606dc16

                                    SHA512

                                    d1fc630db506ad7174da9565fd658dc415f95bf9c2c47c21fa8fe41b0dbff9a585244a0b7079dfb31697f14edbc1c021fccff60ffd53b447c910c70de117dc5b

                                  • C:\$SysReset\Scratch\2B1B2DFE-899F-4425-8A67-F36E3692CB23\dismprov.dll

                                    Filesize

                                    242KB

                                    MD5

                                    2737782245a1d166a1f018b368815a16

                                    SHA1

                                    4fd57e0de191c817a733d07138c43ce9a010d64c

                                    SHA256

                                    498c301c9b5dfc36f1031988cb4a440ab17effd606345abd506a807f277b1938

                                    SHA512

                                    7830d377ae880183a2e51a9d557bf0fa324913df28b12f5d7aca815fb2e8a6b0373d76f36877f28cba4ce8bff32da62309fcdcb8ff3930c5f8a54963b7cfdeff

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GH0ST.exe.log

                                    Filesize

                                    1KB

                                    MD5

                                    d63ff49d7c92016feb39812e4db10419

                                    SHA1

                                    2307d5e35ca9864ffefc93acf8573ea995ba189b

                                    SHA256

                                    375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                    SHA512

                                    00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pnz8mntc.default-release\datareporting\glean\db\data.safe.bin

                                    Filesize

                                    2KB

                                    MD5

                                    68fa6acb445d68ffd4fc9f4be6c39bb0

                                    SHA1

                                    0b6f4a441312aff6dca19815f2d80c4a2cf2184e

                                    SHA256

                                    148f790d8131fff5eea66c6590ff949cdfa0c2429f73ebf1e8deeb4d94d8083e

                                    SHA512

                                    20320f866d4695c5bc0bcf89d0e651fab6811585a672e93f907b1c366b2f736367d96eca68eaf805808c55947e19bd753df79ea4fd67fe689dafad6895b38abd

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pnz8mntc.default-release\datareporting\glean\pending_pings\0ce22e04-76cc-44ab-b1e8-278133432167

                                    Filesize

                                    746B

                                    MD5

                                    56378568b07fbc2c713ec3d9aaffc09e

                                    SHA1

                                    87d987fa5990fd94c5798c3f26628cdc62c10db4

                                    SHA256

                                    42274126e0dce469071a10e877ab8412d2fb2be6ffd3676c42098f32cea6b522

                                    SHA512

                                    91c1aa6420f1c711a81d9592c9fa4f8e3bb7da9bbd3c7b2eaee978ead1f666f51f8e957bb977ee39a1544e170671b761fabbf7a42bfacc2b3edd3153e4dae888

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pnz8mntc.default-release\datareporting\glean\pending_pings\328ca330-a204-44a3-a929-c08d9edf4038

                                    Filesize

                                    10KB

                                    MD5

                                    f401bd1403784b2006930952212a2a05

                                    SHA1

                                    1450d2493bbd94ad848684f962e880a6ea8d836c

                                    SHA256

                                    c83a3a87b1e6765ccdd1ad8c4978bd7ddb4b2cf17303d518a83e31eaf14612a4

                                    SHA512

                                    d9c92241fd51d46dfbc039ecd3ce0d68deabe70c4232ac923c25aeb1851b2b5e874d5fd0321a1adac8cbca270a5b23b70e67ebd3a9a1774ccf0b971fbe5930a0

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pnz8mntc.default-release\prefs.js

                                    Filesize

                                    6KB

                                    MD5

                                    294b7cc37dcf173abce7ad9362e771dc

                                    SHA1

                                    92d02ed18a240f55ef55b206a92a4519efe22503

                                    SHA256

                                    22631b1227a23b6b2ad422fc6121d8fa78bf6bf1fd8dca7bb2646035c9420825

                                    SHA512

                                    88cbb24be8bdc51c6a6ca317c93b0f2f36ffee17311923c66529e5dbd40b841d5c14150cfc813f460fb787c72ad5b257b672ef2a9a6f48562653887ef6e7857d

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pnz8mntc.default-release\sessionstore.jsonlz4

                                    Filesize

                                    882B

                                    MD5

                                    4f71854465478da602216692090167b9

                                    SHA1

                                    b630ab6d32d35034ff480484f9752c110d41f570

                                    SHA256

                                    e68c7a7f5b1dbac985f9dfcf85a549e9184b3d6ddcf564ef16ad5d72de3700e8

                                    SHA512

                                    a689d77789206156691b25d0d23d69e355d27ba739a4de94b70839893634dc74a718cc9620888da2a4033818401028d9295642e33a482abb218e001845e4bba1

                                  • C:\Users\Admin\AppData\Roaming\svchost.exe

                                    Filesize

                                    127KB

                                    MD5

                                    90b828929de1319e5b9bf94f4ae990b3

                                    SHA1

                                    8fc41267cfb9f057e78beca15b775d20fb01434b

                                    SHA256

                                    14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185

                                    SHA512

                                    57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921

• C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk
  Filesize: 1B
  MD5: d1457b72c3fb323a2671125aef3eab5d
  SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
  SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
  SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

• C:\Users\Default\read_it.txt
  Filesize: 582B
  MD5: ed5cc52876db869de48a4783069c2a5e
  SHA1: a9d51ceaeff715ace430f9462ab2ee4e7f33e70e
  SHA256: 45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36
  SHA512: 1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

• C:\Windows\Logs\PBR\DISM\dism.log
  Filesize: 214KB
  MD5: 2e5dd7d81e65343ecb59f204b2c257fd
  SHA1: 57e9406abc294cbbe231d86dfb1718cbbca56851
  SHA256: 0ef43d98a6ca45af13f05828feceb5de94dbbed854a259406e64279a0380cd04
  SHA512: f25821b64f170e28492a2b7fc60fc219546fe684b48d5602eae9d9338404f10056b334436019bbee57c67886d62b4b83415ddda00147c4b824e950287018324a

• C:\Windows\Logs\PBR\ResetSession.xml
  Filesize: 7KB
  MD5: ea9a4f236006aa3496779ae71bd1e7fe
  SHA1: 0218c3b52bab6834cef7b177ddada74fcc60cfc4
  SHA256: a26d89a80f82abdd4f4d05cbd33475768014d01fc2165773f3474c4f15b10837
  SHA512: 05e72a55758ae11b33a29556e00bfba1cc811c07a6b322dc217cd81d0e630ab470acdb2ad9ac8350fc890152d963832130a0bf1dcd8b366a98cf2ae72155df7c

• C:\Windows\Logs\PBR\SessionID.xml
  Filesize: 106B
  MD5: 0d8f1e482d13a2d8739029e2eed8076f
  SHA1: 71c774a44a4ccac0c6fad69ecf525f6c4ceef349
  SHA256: 9ef7ba3d0dc7262763e5d94e4d325465c068615ed69a070b0d55c92ebce3fbf9
  SHA512: ba1ed62378fdf0624ed5f4784f89554bafaded2a5ff1b80e6bf90952dc7b265c9217338a64b812779a8baf685c9ba0ceb69feb6a8e165747074fc573a19cdd63

• C:\Windows\Panther\UnattendGC\diagerr.xml
  Filesize: 10KB
  MD5: 9f2521a2b53561d850a4dd046ee888d9
  SHA1: 5e9debeffd7dddfeee8a530de92a1bc6d13032d0
  SHA256: 238543e1a5c742a6b73b4e63b9e62d4711a2ed831ae71a7e27803d02c994578d
  SHA512: 2c4fd480114a860b55500463918591d0538e7b572ac034912972578e45d40c82b8adccee60958b230ed82742fb0ce313327d8f2740285ed4d8c00aa414c33fee

• C:\Windows\Panther\UnattendGC\diagwrn.xml
  Filesize: 14KB
  MD5: 8cf0083aa83aa0cfb9327c55ff87f3cd
  SHA1: b96665d8e2a8a9aec3ac3ac655c40a6c7f29bf85
  SHA256: fb48ae4d847d139b5205c7965bfa523ee7bd79f86e6a1f22fb5f34f9991bbb43
  SHA512: 10ef9c7c0aa11731d604c1917d8fcbe2ef187a52cf393bdc3606757c67ef06e575bc936e3f4adda44a96ebfc21881234db186725157bee42c92c76b4807ca84b

• C:\Windows\System32\Recovery\ReAgent.xml
  Filesize: 1KB
  MD5: c4be85ceb3e1bc1352a3a7660107a8d7
  SHA1: de967eef23adda940c2b163a5ac6e29f27906bc8
  SHA256: 2bd3b114f0223215ffd7fe1616214f3a47fd70eac0eb6d61dd0689e9b7e3d433
  SHA512: 154bff830a2177e22b20d4fefe2c98757a19bf4faca38b5a40b10592096b1b8cb082f4b27b184e86fa2706347dfef32366e2876d3cea02b689b001d0ea6fccb1

• memory/3512-14-0x00007FFDA6A80000-0x00007FFDA746C000-memory.dmp
  Filesize: 9.9MB

• memory/3512-1319-0x000000001BB00000-0x000000001BC00000-memory.dmp
  Filesize: 1024KB

• memory/3512-1318-0x00007FFDA6A80000-0x00007FFDA746C000-memory.dmp
  Filesize: 9.9MB

• memory/3512-15-0x000000001BB00000-0x000000001BC00000-memory.dmp
  Filesize: 1024KB

• memory/3512-2310-0x00007FFDA6A80000-0x00007FFDA746C000-memory.dmp
  Filesize: 9.9MB

• memory/5060-0-0x0000000000F10000-0x0000000000F36000-memory.dmp
  Filesize: 152KB

• memory/5060-13-0x00007FFDA6A80000-0x00007FFDA746C000-memory.dmp
  Filesize: 9.9MB

• memory/5060-2-0x000000001BC50000-0x000000001BC60000-memory.dmp
  Filesize: 64KB

• memory/5060-1-0x00007FFDA6A80000-0x00007FFDA746C000-memory.dmp
  Filesize: 9.9MB