Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

письк...т.exe

windows7-x64

10

письк...т.exe

windows10-2004-x64

10

Resubmissions

23/07/2024, 16:29

240723-tzcw9ayfrn 10

23/07/2024, 16:26

240723-txm97s1hnf 10

23/07/2024, 16:20

240723-ts2l2a1gjh 10

23/07/2024, 16:15

240723-tqjnfa1fmc 10

23/07/2024, 16:11

240723-tmz61s1ena 10

23/07/2024, 15:54

240723-tclwms1blb 10

23/07/2024, 15:48

240723-s8v9hsxfmr 10

23/07/2024, 15:45

240723-s683lazhmg 10

23/07/2024, 15:10

240723-skb6qsyhnf 10

23/07/2024, 14:52

240723-r841zswapq 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    писька чит.exe

  • Size

    71KB

  • MD5

    ed3794861ddc34b4748ff8081e80cb2b

  • SHA1

    e63cf084552f0c2803de0109e3d2fcd3102c4738

  • SHA256

    6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

  • SHA512

    df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

  • SSDEEP

    1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score
10/10
xwormdiscoveryexecutionrattrojanupx

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\писька чит.exe
    "C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ygxtbg.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3492
    • C:\Users\Admin\AppData\Local\Temp\ergdxv.exe
      "C:\Users\Admin\AppData\Local\Temp\ergdxv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\308C.tmp\308D.tmp\308E.bat C:\Users\Admin\AppData\Local\Temp\ergdxv.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Users\Admin\AppData\Roaming\aga.exe
          aga.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3116
    • C:\Users\Admin\AppData\Local\Temp\axxndf.exe
      "C:\Users\Admin\AppData\Local\Temp\axxndf.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5268
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C588.tmp\C589.tmp\C58A.bat C:\Users\Admin\AppData\Local\Temp\axxndf.exe"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        PID:5336
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\i.VBS"
          4⤵
          • Enumerates connected drives
          • Modifies registry class
          PID:5492
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4976
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\писька чит.exe
      "C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3596
    • C:\Users\Admin\AppData\Local\Temp\писька чит.exe
      "C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:116
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff97338cc40,0x7ff97338cc4c,0x7ff97338cc58
        2⤵
          PID:2992
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1904 /prefetch:2
          2⤵
            PID:4480
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2220 /prefetch:3
            2⤵
              PID:4204
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2472 /prefetch:8
              2⤵
                PID:556
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3192 /prefetch:1
                2⤵
                  PID:4828
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3276 /prefetch:1
                  2⤵
                    PID:1108
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3744,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4528 /prefetch:1
                    2⤵
                      PID:4436
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4868 /prefetch:8
                      2⤵
                        PID:5400
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,1974023705038151003,9726580466137177064,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4904 /prefetch:8
                        2⤵
                          PID:5508
                      • C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
                        1⤵
                          PID:2736
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:5484
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x150 0x47c
                            1⤵
                              PID:5700

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                              Filesize

                              649B

                              MD5

                              2dbf350bb419c9f9b7f519f5a989573f

                              SHA1

                              875fddabb9fdf07e5cd397c8bce2d5e9f5b6d409

                              SHA256

                              fa45eda3cb21370458b6d481a4a9f06b95cddc50fd06680e81e60bf380c0cc60

                              SHA512

                              6483ad735f5d8c93ddeb1ffc130e68e1c274cf3b36e30d599d6370b8773b43bd203b0fe660ee0ca18380f1a58694fba1aef5f720a09656226ae36dcb5d4a68d2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                              Filesize

                              356B

                              MD5

                              191d73d27b3a47739baeb92928a25a9a

                              SHA1

                              b314e3ebef2cb17ee67d429864e513a567b3aee2

                              SHA256

                              40a79f1034b14359e1a2f6c8b99b60f975058e0b0256b11cf7aa9b47c2acdebe

                              SHA512

                              23acf86a8f653f317cd0d88cf911b15f093d2119f70814a665e6ce9e58e362ef0c1617a43fc225d5b4d6b35eca64138bbaa3a60783c9d522f00a0a2ca11bd80e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              9KB

                              MD5

                              e62c1a7901b19e6753a697579edfdba8

                              SHA1

                              b18bce85fdcc84a9593b455b0bf189062117044e

                              SHA256

                              f876edee2a8a1e28eadf2e17bc56b101082b25f281bcdaaa1df75b5435aee514

                              SHA512

                              520751df6f6e2a59146ac6bc03d8ad218a0fa5a4e4a418fbc7ba4b84a770c6c4b525c54e3ced1acb42e1648c739451fccbc76ffe0a3cfe0390e6f870504abce9

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              9KB

                              MD5

                              66683f257cc359b8fb6b619c1ac9e052

                              SHA1

                              8009ed0bf0745a0a7043e17dbb7ec5b224760c96

                              SHA256

                              b7af42b6d9df10e6a2bcf85c1917a8e9a43574fd1a45d5aa28bdbb1264f4e6c4

                              SHA512

                              91e010c644951e7d27d093adea9623eba1670e5bec4ad4ee5bb69ae4309cffd9fd8a4828ab7a7700976385573a013ec1a02fde7c20a869cbe7220a261d5c7c12

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                              Filesize

                              15KB

                              MD5

                              97253788945f91cb6f2c05417f3c4173

                              SHA1

                              2270d9617f7c25f3f431bd3278135b69a1d56e93

                              SHA256

                              365dd49f97501eb5f11601387d32d73ac9128dd5ea47a84f492c7cda7d251af4

                              SHA512

                              b6890a4c96dfe06e1ce19ecb71ee0ba0807050255c2c43be37818045be4e5f73a32378b7cb38963f02e594f9d4e63439cbf871eff94e3db79fb171481b98e205

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              185KB

                              MD5

                              165d54218e4da76993b2d82420216557

                              SHA1

                              2e713fee97aa2bb630c7aa32d19a0555f224d1f0

                              SHA256

                              52a4ab6cf9b5fff7d9e8aa18e0304019691fb7d769346c0feb4238ed8ec3cf0b

                              SHA512

                              85bbc73430005fe80ccaee1b0b66d10a289fa63f08c23e0806ef5ffb6edb18dedc6505b1faa7c24eed9687dd303352ee98c33290a0c247658d17b6a79ee82000

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\писька чит.exe.log
                              Filesize

                              654B

                              MD5

                              2ff39f6c7249774be85fd60a8f9a245e

                              SHA1

                              684ff36b31aedc1e587c8496c02722c6698c1c4e

                              SHA256

                              e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                              SHA512

                              1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
                              Filesize

                              64KB

                              MD5

                              c374c25875887db7d072033f817b6ce1

                              SHA1

                              3a6d10268f30e42f973dadf044dba7497e05cdaf

                              SHA256

                              05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

                              SHA512

                              6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
                              Filesize

                              9KB

                              MD5

                              7050d5ae8acfbe560fa11073fef8185d

                              SHA1

                              5bc38e77ff06785fe0aec5a345c4ccd15752560e

                              SHA256

                              cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

                              SHA512

                              a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\suggestions[1].en-US
                              Filesize

                              17KB

                              MD5

                              5a34cb996293fde2cb7a4ac89587393a

                              SHA1

                              3c96c993500690d1a77873cd62bc639b3a10653f

                              SHA256

                              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                              SHA512

                              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              2e907f77659a6601fcc408274894da2e

                              SHA1

                              9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                              SHA256

                              385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                              SHA512

                              34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              0fd3f36f28a947bdd05f1e05acf24489

                              SHA1

                              cf12e091a80740df2201c5b47049dd231c530ad3

                              SHA256

                              d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

                              SHA512

                              5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              a63d086dda58959470eed6794ca42055

                              SHA1

                              eefdffb54639a5d70120c78ceedfee2f9ccd961d

                              SHA256

                              7a20d3ba2fa46dc27544a5e5e94739322d6d0262fd656be50118bb2632c9032f

                              SHA512

                              40733ebb0db913bb7b4c6d96291ff08a737a5087c86fe54d74859572119c5366caa4e04062c404e890d025d7f3c1ee1fd0d03ee23c0144e21e78670026a658da

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\308C.tmp\308D.tmp\308E.bat
                              Filesize

                              29B

                              MD5

                              d17cad72c39d269760f74242c3282f3d

                              SHA1

                              115ce7e379d617272ed0d8e91c1b2430987b8977

                              SHA256

                              c35b2b25735dce59d5b4e11846ff0c761703696df0c54fa5718c8ca938c17b92

                              SHA512

                              670696460ccbdb75b296591714ae0045a36c1f5a12aeda4f8818943f6ffb6c85cb66be6bffcf7df7da76b8bdaaa662ca9f22654d78190770e8a3e45ab7ff4f06

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\C588.tmp\C589.tmp\C58A.bat
                              Filesize

                              27B

                              MD5

                              73fe4a3a31192292dd762ad07ba14ea5

                              SHA1

                              81e8b9bed4bed6f82d8b277e1f4ff087651563ca

                              SHA256

                              2a0e0e7e8f76678e692b14c6be787c536428226dd9782495f1abea66b90fa6bc

                              SHA512

                              5ad959ca609da146d093de2c731b370a5c1f8ab56a0968307bba5859ec0d8e067d79da04d26f66fdd7aa81fdc35e0812e9993f848ed927c187021107ce44357b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lsc5uwk.zwu.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\axxndf.exe
                              Filesize

                              1.1MB

                              MD5

                              49edb4ec07b391ea6870fe2ee46f3a12

                              SHA1

                              949fc2320265bfa9fbc8c14f407b65f9c021fc60

                              SHA256

                              30753793ce4b36830eb0d39ab6c252c2d1054f0a29270f9719696353bde316c7

                              SHA512

                              6f975eae7906d55fd8f3ea1abcd8d455058d76c1add9a31b8df3377725aafd0d4bb7726fd2c31a024894d362ed132e98a4e30f569d37c2bb3ed1ff79d7d429c4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\ergdxv.exe
                              Filesize

                              4.3MB

                              MD5

                              8c04303e97c6818afa890e9577c40833

                              SHA1

                              8546b2e222b9f6166bae7ee6a886eef31696de62

                              SHA256

                              c9cb4f211fb4fe0f03897a19bc4fdb18f624b44c47878a7e1f36bb23c3f8bb6b

                              SHA512

                              3b688c8480368208a557132138b60a2fa41bfd3e5f3ec32729e22130bfedfdd4b690c236e18c2db2a905ccb84d5b6ae95f7f52d00600788faa405a263f505235

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\ygxtbg.gif
                              Filesize

                              33KB

                              MD5

                              f0c07b242a7c473a1e07206c047175d9

                              SHA1

                              70a4116437a42c7bfa974e9a7022c2ca533d00a8

                              SHA256

                              f5d37d2439ddc9f1b496d07ea0cee7edef54496dc448bfd9bff755a8244dd848

                              SHA512

                              ece270976f348229f5fef050ffb7e28c58b20ce01f5d903344ebca13f685906c942b47f369f1c1ad6a8c4d0623d80a5909197f0f8e6d647e9e7d7ab9aa78faf7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\~DFBFFBF88CD7BB9D55.TMP
                              Filesize

                              16KB

                              MD5

                              e4e5d1ba7ff0cbf2f48cf9fd454d318d

                              SHA1

                              a3a74cbc06fa039b818965a9baa3f0154a2fc822

                              SHA256

                              d3633a9bba9421e4e0ecdf1a49e05c8a3cc7aaf57b87bac25cd740dd1bc64ca3

                              SHA512

                              eadf5470f2890250edcc3a7264b0f7043f98296c266175e8cbabd1253a51d392d8992c8c455d0485c0d9149748f6713d9aefcd6dfc970598be63210be12d5793

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                              Filesize

                              771B

                              MD5

                              7024f402df4ac8fdd0e4d78bba64095a

                              SHA1

                              3599b9e7e425ccebf7793ab39c055f0fe629c635

                              SHA256

                              4ce7af1bf31f6649db6c4e29052bf9ae459bac29eb97a5f58c13ab4a778389b6

                              SHA512

                              e86a99159d3d14bc8daca07821d6f77e4c6fdb2fff00d853e11a7b4cc734ef1cc0d645c87d4008856e241fae86ccd7f4c6c06d343647a0c5b990ebc9be1880bf

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\XClient.exe
                              Filesize

                              71KB

                              MD5

                              ed3794861ddc34b4748ff8081e80cb2b

                              SHA1

                              e63cf084552f0c2803de0109e3d2fcd3102c4738

                              SHA256

                              6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

                              SHA512

                              df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\aga.exe
                              Filesize

                              2.5MB

                              MD5

                              caf5c8ceddccb91429f7624f6f32654b

                              SHA1

                              d6e9690efd4cce90e9580f49a6c90f63a1bb3d8d

                              SHA256

                              f1028c939d09cd33e20125614ab8788998307adc840dc8c888ce53ae0820341f

                              SHA512

                              1526e9135c831704660b0fef5a0f59ba80ee81f985d60666230c8004e955ec0ad8c4830873d3087ae2b49efbd6ae6b56fcfba5201534dd4db84cd982e13c24dd

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\hh.mp3
                              Filesize

                              1.1MB

                              MD5

                              e5ac8bc2410ac31a25e81fd066e446fd

                              SHA1

                              af005df3d4bee956931c1228f784e738a742319f

                              SHA256

                              418b3618c245f1f853c0c8389f6dd16f45ba36851e1dd7d05f3d70e325927d33

                              SHA512

                              116eb01e08bc7d7812c5985b9f0f73b53420c188dd3c5bd540342a16405eddd0a3cdcdd36f6b39baeb7f8509bd60ca374cadeaade3e6e00fdf12cb1d41aa7aed

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\i.VBS
                              Filesize

                              118B

                              MD5

                              64ab69f1167c5ab2bdc6e27119317d94

                              SHA1

                              c3d0fa731e7b82aab121a615fba5f7556013695e

                              SHA256

                              7a26cf62afb1ba6efc63865a151cb64a0cfb2de1b22543aff89ecfaacacf0f4d

                              SHA512

                              0c13d4c5b4d6055acf110f88d915ad24885bdaa91189c6fcd4f769605ae010764b4f7b848ad394ec74979c2b9b65cf354a5847ee54805f935f711f128f444189

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\php5ts.dll
                              Filesize

                              6.5MB

                              MD5

                              c9aff68f6673fae7580527e8c76805b6

                              SHA1

                              bb62cc1db82cfe07a8c08a36446569dfc9c76d10

                              SHA256

                              9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

                              SHA512

                              c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

                              Download Submit

                            • memory/3116-136-0x0000000000400000-0x0000000000653000-memory.dmp

                              Filesize

                              2.3MB

                              Download

                            • memory/3116-137-0x0000000000400000-0x0000000000653000-memory.dmp

                              Filesize

                              2.3MB

                              Download

                            • memory/3312-73-0x000000001DC20000-0x000000001DC2C000-memory.dmp

                              Filesize

                              48KB

                              Download

                            • memory/3312-0-0x00007FF97A5A3000-0x00007FF97A5A5000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/3312-72-0x00007FF97A5A3000-0x00007FF97A5A5000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/3312-1-0x0000000000CF0000-0x0000000000D08000-memory.dmp

                              Filesize

                              96KB

                              Download

                            • memory/3312-2-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3312-74-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3760-18-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3760-3-0x00000295E0CF0000-0x00000295E0D12000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/3760-13-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3760-14-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3760-15-0x00007FF97A5A0000-0x00007FF97B061000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4976-61-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-54-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-55-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-53-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-65-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-64-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-63-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-62-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-60-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4976-59-0x000001C3323A0000-0x000001C3323A1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5268-203-0x0000000000400000-0x0000000000536000-memory.dmp

                              Filesize

                              1.2MB

                              Download