Resubmissions

04/02/2025, 16:29

250204-tza3nasjax 10

04/02/2025, 16:25

250204-txf6ws1rdt 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04/02/2025, 16:25

General

  • Target

    https://cdn.discordapp.com/attachments/1171221884562587691/1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm=b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

3.0

C2

127.0.0.1:7000

Mutex

GNOz84rYzSmQkcXF

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain
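Both extracted configs carry only loopback sockets (127.0.0.1:6606/7707/8808 for AsyncRAT, 127.0.0.1:7000 for XWorm). That is what an unconfigured builder stub embeds, so those entries are placeholders, not the operator's infrastructure; the Telegram sendMessage URL is the one live channel in this config, and the Discord CDN link in the Target field is the delivery point. The Python below is an added example for triaging such a config, not code from tria.ge, the report, or the malware authors. It decodes the Discord attachment URL's signed-link window (Discord's CDN appends ex and is as hexadecimal Unix timestamps for expiry and issue time, and hm as the signature) and labels each C2 entry so loopback placeholders are not reported as infrastructure. The function and field names are this example's own; the literal values are copied from the report above.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Values copied from the report above (Target URL and extracted C2 lists).
DELIVERY_URL = ("https://cdn.discordapp.com/attachments/1171221884562587691/"
                "1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm="
                "b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&")
ASYNCRAT_C2 = [
    "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
    "https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/"
    "sendMessage?chat_id=6067717150",
]
XWORM_C2 = ["127.0.0.1:7000"]

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def discord_cdn_validity(url):
    """Decode the signed-link window of a Discord CDN attachment URL.

    'is' is the issue time and 'ex' the expiry, both hexadecimal Unix timestamps.
    """
    q = parse_qs(urlsplit(url).query)
    issued = datetime.fromtimestamp(int(q["is"][0], 16), tz=timezone.utc)
    expires = datetime.fromtimestamp(int(q["ex"][0], 16), tz=timezone.utc)
    return issued, expires


def classify_c2(entry):
    """Label one C2 entry so loopback placeholders are not mistaken for live infrastructure."""
    if entry.startswith(("http://", "https://")):
        u = urlsplit(entry)
        m = TELEGRAM_BOT_PATH.match(u.path)
        if u.hostname == "api.telegram.org" and m:
            # bot_id is a safe pivot for hunting; the secret half of the token is what to report for revocation.
            return {"kind": "telegram_bot", "bot_id": m.group(1), "method": m.group(3),
                    "chat_id": parse_qs(u.query).get("chat_id", [None])[0]}
        return {"kind": "url", "host": u.hostname}
    host, _, port = entry.rpartition(":")
    try:
        ip = ip_address(host)
        kind = ("loopback_placeholder" if ip.is_loopback
                else "private_ip" if ip.is_private else "public_ip")
    except ValueError:
        kind = "domain"
    return {"kind": kind, "host": host, "port": int(port)}


def triage(families):
    """families: {family_name: [c2 entries]} -> per-family summary of what is actionable."""
    out = {}
    for name, entries in families.items():
        labelled = [classify_c2(e) for e in entries]
        sockets = [x for x in labelled if "port" in x]
        out[name] = {
            "entries": labelled,
            "all_loopback": bool(sockets) and all(x["kind"] == "loopback_placeholder" for x in sockets),
            "live_channels": [x for x in labelled
                              if x["kind"] in ("telegram_bot", "url", "public_ip", "domain")],
        }
    return out


if __name__ == "__main__":
    issued, expires = discord_cdn_validity(DELIVERY_URL)
    print("Discord link valid from", issued, "until", expires)
    for fam, summary in triage({"asyncrat": ASYNCRAT_C2, "xworm": XWORM_C2}).items():
        print(fam, "loopback-only sockets:", summary["all_loopback"],
              "live channels:", summary["live_channels"])
```

The decoded window is one day, issued 2025-02-04 10:59 UTC and expiring 2025-02-05 10:59 UTC, which matches the link still resolving when the sample was submitted on 2025-02-04 at 16:25. Only the AsyncRAT family yields a live channel (the Telegram bot); the XWorm config is entirely placeholder, consistent with the archive being an XWorm builder bundle rather than a configured stub.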

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Xworm Payload 3 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 1 IoCs
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Drops desktop.ini file(s) 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 50 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1171221884562587691/1171222232928890991/ZFy00Zb.rar?ex=67a34474&is=67a1f2f4&hm=b70b79b4d5ab317c25206d8808c3dd56f75ed54dfb33519a559050aae485229c&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
      2⤵
        PID:4300
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
        2⤵
          PID:2936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4408
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
          2⤵
            PID:1460
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            2⤵
              PID:3376
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
              2⤵
                PID:4752
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                2⤵
                  PID:4728
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1128
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
                  2⤵
                    PID:484
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
                    2⤵
                    • NTFS ADS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2972
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
                    2⤵
                    • NTFS ADS
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3764
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:872
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
                    2⤵
                      PID:1044
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
                      2⤵
                        PID:3132
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
                        2⤵
                          PID:4884
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
                          2⤵
                            PID:4756
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,18193683840713863244,18416488244022187056,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5524 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3896
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4864
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2268
                            • C:\Windows\System32\rundll32.exe
                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              1⤵
                                PID:1680
                              • C:\Program Files\7-Zip\7zG.exe
                                "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ZFy00Zb (1)\" -ad -an -ai#7zMap19573:84:7zEvent2375
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of FindShellTrayWindow
                                PID:4564
                              • C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
                                "C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe"
                                1⤵
                                • Executes dropped EXE
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of SetWindowsHookEx
                                PID:4856
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvbucpng\fvbucpng.cmdline"
                                  2⤵
                                    PID:4704
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAEAEE0A88C94CA1A2B085232349314A.TMP"
                                      3⤵
                                        PID:3408
                                  • C:\Windows\system32\wbem\WmiApSrv.exe
                                    C:\Windows\system32\wbem\WmiApSrv.exe
                                    1⤵
                                      PID:652
                                    • C:\Windows\system32\AUDIODG.EXE
                                      C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1076
                                    • C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
                                      "C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Drops desktop.ini file(s)
                                      • System Location Discovery: System Language Discovery
                                      • Checks processor information in registry
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2300
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • System Network Configuration Discovery: Wi-Fi Discovery
                                        PID:2924
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:992
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh wlan show profile
                                          3⤵
                                          • Event Triggered Execution: Netsh Helper DLL
                                          • System Location Discovery: System Language Discovery
                                          • System Network Configuration Discovery: Wi-Fi Discovery
                                          PID:2140
                                        • C:\Windows\SysWOW64\findstr.exe
                                          findstr All
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4560
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:652
                                        • C:\Windows\SysWOW64\chcp.com
                                          chcp 65001
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1260
                                        • C:\Windows\SysWOW64\netsh.exe
                                          netsh wlan show networks mode=bssid
                                          3⤵
                                          • Event Triggered Execution: Netsh Helper DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:4376
                                    • C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe
                                      "C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe"
                                      1⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4712
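The tree above is what the Wi-Fi discovery, VBS compiler and dropped-EXE signatures fire on: Builder.exe spawning cmd.exe /C chcp 65001 && netsh wlan show profile (and netsh wlan show networks mode=bssid), and XWorm V3.0.exe invoking vbc.exe with a .cmdline response file under %TEMP%, followed by cvtres.exe. The Python below is an added example of equivalent detection logic, not tria.ge's own rules. It runs over constructed process-creation events (the Sysmon Event ID 1 fields pid, ppid, image, command line) modelled on that tree, plus a benign control in which an administrator runs the same netsh command from an Explorer-launched console. Rules key on process lineage rather than on the command line alone, which is what keeps the control from alerting. The event data, rule names and path patterns are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 / Security 4688 fields needed for lineage checks."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree above (not captured telemetry).
DL = (r"C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin"
      r"\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin")
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
EVENTS = [
    ProcEvent(1680, 1, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,SHCreateLocalServerRunDll"),
    ProcEvent(4856, 1680, DL + r"\XWorm V3.0.exe", f'"{DL}\\XWorm V3.0.exe"'),
    ProcEvent(4704, 4856, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\fvbucpng\\fvbucpng.cmdline"'),
    ProcEvent(2300, 1680, DL + r"\Builder.exe", f'"{DL}\\Builder.exe"'),
    ProcEvent(2924, 2300, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2140, 2924, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ProcEvent(652, 2300, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(4376, 652, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Benign control: an admin runs the same command from an Explorer-launched console.
    ProcEvent(9000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(9001, 9000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(9002, 9001, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

# Locations a standard user can write to and launch from.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp|AppData\\Roaming)\\", re.I)
# netsh wlan show profile[s] / networks: Wi-Fi profile and BSSID enumeration.
WLAN_RECON = re.compile(r"\bwlan\s+show\s+(profiles?|networks)\b", re.I)
# Runtime compilation driven by a response file dropped in %TEMP%.
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.I)
COMPILERS = {"vbc.exe", "csc.exe"}


def lineage(ev, by_pid, max_depth=6):
    """ev followed by its ancestors, nearest first; bounded so PID reuse cannot loop."""
    chain, cur = [ev], ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain


def detect(events):
    """Return (rule, pid) pairs for the behaviours seen in the tree above."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()
        from_user_writable = any(USER_WRITABLE.search(a.image) for a in lineage(ev, by_pid))
        if USER_WRITABLE.search(ev.image):
            hits.append(("exec_from_user_writable_path", ev.pid))
        if name == "netsh.exe" and WLAN_RECON.search(ev.cmdline) and from_user_writable:
            hits.append(("wifi_profile_recon_from_untrusted_parent", ev.pid))
        if name in COMPILERS and TEMP_RESPONSE_FILE.search(ev.cmdline) and from_user_writable:
            hits.append(("runtime_dotnet_compile_from_temp", ev.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45s} pid={pid}")
```

Two caveats for real telemetry. The tree above shows PID 652 for both WmiApSrv.exe and the second cmd.exe, a reminder that PIDs are reused within a run; key lineage on ProcessGuid (Sysmon) or a creation-time tuple rather than bare PIDs, which the bounded walk here only partially protects against. And the chcp 65001 prefix is itself a useful weak signal: stealers switch the console to UTF-8 before scraping netsh output, while interactive users rarely do.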

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\209dc733e00461c146848cd4ae623e6d\msgid.dat

                                      Filesize

                                      1B

                                      MD5

                                      cfcd208495d565ef66e7dff9f98764da

                                      SHA1

                                      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                      SHA256

                                      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                      SHA512

                                      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                    • C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\Browsers\Firefox\Bookmarks.txt

                                      Filesize

                                      105B

                                      MD5

                                      2e9d094dda5cdc3ce6519f75943a4ff4

                                      SHA1

                                      5d989b4ac8b699781681fe75ed9ef98191a5096c

                                      SHA256

                                      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                                      SHA512

                                      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                                    • C:\Users\Admin\AppData\Local\999b8ce92227f804f885977f66c1d44e\Admin@OZYSBZXK_en-US\System\Process.txt

                                      Filesize

                                      4KB

                                      MD5

                                      a2e48691f372f212255e25c3fd74adae

                                      SHA1

                                      93a7c5bf0c4c182c4939e2b14b79ad0d7589ab20

                                      SHA256

                                      77bcb4bec693bdc439847461607db85c26b1834dc2164fd4a1e506bcfd1d79a7

                                      SHA512

                                      a9cf2e178177008ac1ee043573b7c6dcbf68b2267e573caca47ad5834d0f4a9cf770a72be713a6235a917dda852072b2bc13ab0497d2ffdeae042e2256763bd0

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\77dc0228-dbaa-40e3-8784-20c310c82575.tmp

                                      Filesize

                                      10KB

                                      MD5

                                      8234458561db73d69234fbc3242e3e5e

                                      SHA1

                                      809d13ab892b84a87ab40d8f6e1b095b7e6d0bed

                                      SHA256

                                      2887954ef78010f6e58efff7cfb4529199a2bfd68a605edb1c5eaa4477630019

                                      SHA512

                                      6dc12d4a16dc47bc0077d788cd078ac2434b3d373400a944a4a51407289c4a776592339bfd19383f0a853207ff180c0306aeec1ebb7c24d4598cbab600f90878

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      fdee96b970080ef7f5bfa5964075575e

                                      SHA1

                                      2c821998dc2674d291bfa83a4df46814f0c29ab4

                                      SHA256

                                      a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

                                      SHA512

                                      20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                      Filesize

                                      152B

                                      MD5

                                      46e6ad711a84b5dc7b30b75297d64875

                                      SHA1

                                      8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

                                      SHA256

                                      77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

                                      SHA512

                                      8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                      Filesize

                                      18.3MB

                                      MD5

                                      ab2f8e0256c255932825ac164dff3b2f

                                      SHA1

                                      4e39451f49758179b706a4770dd535ef19c772a2

                                      SHA256

                                      c0bea2b4d19bf8677f5dd793987312e1119c9fad9d6cff33ced32f821c1f6658

                                      SHA512

                                      7ea8b2414cb9d29c2a04d4fb9594b2c028be1c7a22f3587a1a9495d542e4e7df4d078ab520111d398d59b1b6fa833745af8e291e114b6438188b6397d5afa003

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

                                      Filesize

                                      20KB

                                      MD5

                                      133acee096311f5bbdad0ab962270bec

                                      SHA1

                                      2ed2e4c8cd287a57e746cb3a73d34ed96ce24bc9

                                      SHA256

                                      8f1ec7c84161d853f84679d10810b0f1d11e415ab2404c25b840fdfa2a58e27b

                                      SHA512

                                      d3b407ee5f4883cb10441382af09a0517b0d53ec114d8d7c9018af30ef81b6c1008f47959f1a07b25d0b64ab98437387ae1611d773585246f04160cbb1401216

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

                                      Filesize

                                      116KB

                                      MD5

                                      8f0d97a3d270e6fa4fda7c4ca2b5f7b2

                                      SHA1

                                      3e35a820ab541e65e202458fa7c9faaccc95f483

                                      SHA256

                                      f14af5f36b1151243c6fc524ca49fd161d93e20e58cf2fc4925d4d32a9aa719b

                                      SHA512

                                      7ff4393afad915572c479ac59628d8b472f792ea2b62eb773f92a757297b20c07afd86d2bb8bfbeff8bee35f77175a1ee40cd47e201a21dcccd6009f9ee61adb

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                      Filesize

                                      186B

                                      MD5

                                      094ab275342c45551894b7940ae9ad0d

                                      SHA1

                                      2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                      SHA256

                                      ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                      SHA512

                                      19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 898c9e7232bfe492303bb1333f3503b5
  SHA1: 9ac50ff592385d5fb0030a68d3977612754e821a
  SHA256: 77b6a9505196d960bb68115037a1a4a9d562bd1fe54210e13d56340477e83617
  SHA512: 273e27476213a00cae563d536d8a2cf16fa9fad08d52cab75df0f0eeb7c79cc2673fc058eae96c3f933a60cd960c638905e4f9118f9c1c56c136bdf204fd47b4

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: d552e609e157a6520880a86167635130
  SHA1: fc548420397dce9145111468165d28f8da410d97
  SHA256: f9e02f521f53af9772900ce88a21d07e145cd336332860b8572e38d543346993
  SHA512: e02163c13a83b63a9a85c9e20c6dd69af0f7b105df5d8def60aa750cdffabfe4a8dec1d6092f001593f91bd71c3c4c42c7bd17c996a0a5ce33f452e8756d964a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 3d2abd2f3842dad4d69bee853c03c4df
  SHA1: b569fc61fe3a58ede6738e4d289baadfd4e272e9
  SHA256: b532d35ce3dbc287ef4911176ef4c8e90694b03ded3134a4aa957c90f546981e
  SHA512: 7437e056865b452a441e32a31ec89c833cd8d040b18feb090c290e5dbbe3619db424402834a1c99541f1e062057ab44ab533171aaad54d5516b5ec9a0c1a4b26

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 1dc3606bdd3366827aa8e634fc6f88cc
  SHA1: 7d8b8e7114e30139256624aac60de8eb3a0b4e11
  SHA256: 4b7fb8a014b24d82f47b6ea63b588dad323ce8aac4f122fbdd99c9a11edffcdd
  SHA512: 7e2711cb31d0b8fbafc79021e3bf31acbbbfbfdf58e79a8be99d3a38ba6a7c33df0b0ca6a1f9efcc22329c0e8a3a79d8e585b5a36640843ac7b2b4603fde33a1

• C:\Users\Admin\AppData\Local\Temp\RES7AF3.tmp
  Filesize: 1KB
  MD5: a1df9d83373034bade49a36915c3a91a
  SHA1: 38e5e95618469f55dc2a7db35916929eee862a25
  SHA256: 510844e7f55911f5a82857b71ca25738662c90f0247f2db6708fb26b5119f8c7
  SHA512: 146e3de326c130962f5d9f584b59b73f4e18534a7f7de0e6bc8b7120bf2bf764b356411738e522a02556414ce9cede3a6f36ea2b5c45d9b83a50436fcaff044e

• C:\Users\Admin\AppData\Local\Temp\fvbucpng\fvbucpng.0.vb
  Filesize: 72KB
  MD5: 8385205aa8e94112741a1f193fbdfe1e
  SHA1: 9cc84ccc9e8c7a2cd967c99317f57ddc98c62be2
  SHA256: ed5d79f28b90cf7e4a86d17d189a1b6a36e15e7d2c1c4990e07019012a742c7d
  SHA512: 94d47fdc1d7df6f841471777ced4cb01e75fab11ff85cc45019982bd28621d8c8318fcb241bde6d776856b53f92f6a51d14e0d38aa8808e8e6a6fa7a6914c77d

• C:\Users\Admin\AppData\Local\Temp\fvbucpng\fvbucpng.cmdline
  Filesize: 375B
  MD5: df4277a35da44ca5787f653cd8cf318b
  SHA1: 10d28abb2194e081cdd0728be3bd4a98bbc0f145
  SHA256: 7a3511597ee00ecb7010df5afbc9e8422461da6c566417c5b9b70c8d8e6e5094
  SHA512: 9c07f5e695fb1b2650da7389467f2188b8c7f36a342bac1bc968bf4f48a33a2173661236356f8addd21a1f97bd2792ee11285e75bec270a4b3445ea56e0627f2

• C:\Users\Admin\AppData\Local\Temp\vbcEAEAEE0A88C94CA1A2B085232349314A.TMP
  Filesize: 1KB
  MD5: d40c58bd46211e4ffcbfbdfac7c2bb69
  SHA1: c5cf88224acc284a4e81bd612369f0e39f3ac604
  SHA256: 01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
  SHA512: 48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

• C:\Users\Admin\Downloads\ZFy00Zb (1).rar:Zone.Identifier
  Filesize: 219B
  MD5: 6e6ccc60e9bfbd35b27342913fe02d09
  SHA1: d7b62cde93d56b2c7822307068fa7e2fb6c17963
  SHA256: 0eaccdf4b734a3ccac62cb14f4cf5047cfb3653cbbe03e27771bec05a1172bbd
  SHA512: c6c0e5cbf17284105f6e2684ddf8d06250025ce2c549fc518c1038592894438c53c18228cde0e7a60174e54e00de06693d05cc989193b284b9025a66394b1779

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Builder.exe
  Filesize: 273KB
  MD5: 2a388e389df3136db839745d13a2bbd0
  SHA1: 1ba063842110c80d2a6bdf8280ec88b426b9d4ea
  SHA256: a2251164857af32d0a13d3d91c9cb17af07f5858ad935c666a4787f12d585622
  SHA512: 01715c872281fffd8587f5cdabb5a9d80c720871424a6bf50ad0e8de7aae69536d0d4ffecb611ecfb8e98190e96b8ba896c96bf2dc0ebdda511f74909b5cb559

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GMap.NET.Core.dll
  Filesize: 2.9MB
  MD5: 819352ea9e832d24fc4cebb2757a462b
  SHA1: aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11
  SHA256: 58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86
  SHA512: 6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GMap.NET.WindowsForms.dll
  Filesize: 147KB
  MD5: 32a8742009ffdfd68b46fe8fd4794386
  SHA1: de18190d77ae094b03d357abfa4a465058cd54e3
  SHA256: 741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365
  SHA512: 22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\GeoIP.dat
  Filesize: 1.2MB
  MD5: 8ef41798df108ce9bd41382c9721b1c9
  SHA1: 1e6227635a12039f4d380531b032bf773f0e6de0
  SHA256: bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
  SHA512: 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Icons\icon (15).ico
  Filesize: 361KB
  MD5: e3143e8c70427a56dac73a808cba0c79
  SHA1: 63556c7ad9e778d5bd9092f834b5cc751e419d16
  SHA256: b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
  SHA512: 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Intro.wav
  Filesize: 1.7MB
  MD5: dc28d546b643c5a33c292ae32d7cf43b
  SHA1: b1f891265914eea6926df765bce0f73f8d9d6741
  SHA256: 20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851
  SHA512: 9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\NAudio.dll
  Filesize: 502KB
  MD5: 3b87d1363a45ce9368e9baec32c69466
  SHA1: 70a9f4df01d17060ec17df9528fca7026cc42935
  SHA256: 81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451
  SHA512: 1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\Readme.txt
  Filesize: 235B
  MD5: 85122ad50370f9a829b6602384b1b644
  SHA1: 6d0dc94e7fe82650422a17368314da0da58af6b5
  SHA256: 444cbc7b57b4a6198ee1474fd9623e1afcb8c7a0b180f05e961a822f4365499b
  SHA512: a3ccd49bc0424534ba3b5ee558709022dd31d257ca48fd2eb8d7305ec098dc9275e016da332d293b7cdbdc5e91b82c7602c15abc52c0c0c4f3c81d4126b4afd6

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\SimpleObfuscator.dll
  Filesize: 1.4MB
  MD5: 9043d712208178c33ba8e942834ce457
  SHA1: e0fa5c730bf127a33348f5d2a5673260ae3719d1
  SHA256: b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
  SHA512: dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XClient.exe
  Filesize: 33KB
  MD5: a1db3b2036e7b2332328c2d93c2e05a3
  SHA1: 4dc0abb2f93d6f9cc14f2ca077bf93059dc182e5
  SHA256: 7d393196743add4cca8597935381b418d88965814e363858d143a2ac75bbdd17
  SHA512: 2dc139037d37c941c2fd4ac95e5f9b424db69ed2962964ca3229176b0fd2e163b3c239f81e0473187579be4f1329cd22c45260a399a47020066ef7372ff7228e

• C:\Users\Admin\Downloads\ZFy00Zb (1)\XWorm V3.0\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0 Bin\XWorm V3.0.exe
  Filesize: 7.1MB
  MD5: a3607b02e971c7ca441ac55aa4721a52
  SHA1: c253f23fd3e8d2a62372930853341a9dd2e6eb98
  SHA256: 27e652193898971746450f86b547945b5cdb47cd6e9a095481ee5db32e9bbd0b
  SHA512: 5c02782a35470f20898bef2e6965a6e9cbe041cd66f66c41261d96163bc1e2badce0b747ec51607314826a89cd1c80788793adb987a22fc30bce0d02c03d99a5

• memory/2300-274-0x0000000005840000-0x00000000058A6000-memory.dmp
  Filesize: 408KB

• memory/2300-273-0x0000000000C40000-0x0000000000C8A000-memory.dmp
  Filesize: 296KB

• memory/2300-449-0x0000000007170000-0x0000000007182000-memory.dmp
  Filesize: 72KB

• memory/2300-443-0x0000000006390000-0x000000000639A000-memory.dmp
  Filesize: 40KB

• memory/2300-436-0x00000000068E0000-0x0000000006E86000-memory.dmp
  Filesize: 5.6MB

• memory/2300-435-0x0000000006290000-0x0000000006322000-memory.dmp
  Filesize: 584KB

• memory/4712-495-0x00000000002B0000-0x00000000002BE000-memory.dmp
  Filesize: 56KB

• memory/4856-477-0x000001FAFE870000-0x000001FAFE9D8000-memory.dmp
  Filesize: 1.4MB

• memory/4856-234-0x000001FAA4A80000-0x000001FAA4ACF000-memory.dmp
  Filesize: 316KB

• memory/4856-214-0x000001FA98E80000-0x000001FA99996000-memory.dmp
  Filesize: 11.1MB

• memory/4856-213-0x000001FAFB2C0000-0x000001FAFB9EA000-memory.dmp
  Filesize: 7.2MB

• memory/4856-509-0x000001FAFECD0000-0x000001FAFEFB2000-memory.dmp
  Filesize: 2.9MB

• memory/4856-511-0x000001FAFE700000-0x000001FAFE782000-memory.dmp
  Filesize: 520KB

• memory/4856-507-0x000001FAFE090000-0x000001FAFE0BC000-memory.dmp
  Filesize: 176KB