hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n[.]zip

Resubmissions

19/02/2025, 03:42

250219-d9pqsswnbp 8

19/02/2025, 03:32

250219-d3vy8swmbn 10

Analysis

max time kernel
167s
max time network
165s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/02/2025, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
1812	rhc5pvj0ejm0.exe
1084	pphc1pvj0ejm0.exe

Loads dropped DLL 7 IoCs

pid	Process
3160	[email protected]
3160	[email protected]
3160	[email protected]
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMrhc5pvj0ejm0 = "C:\\Program Files (x86)\\rhc5pvj0ejm0\\rhc5pvj0ejm0.exe"	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pphc1pvj0ejm0.exe	rhc5pvj0ejm0.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\rhc5pvj0ejm0\rhc5pvj0ejm0.exe	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\msvcp71.dll	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\MFC71.dll	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\MFC71ENU.DLL	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\rhc5pvj0ejm0.exe.local	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\database.dat	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\msvcr71.dll	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\license.txt	[email protected]
File created	C:\Program Files (x86)\rhc5pvj0ejm0\Uninstall.exe	[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc5pvj0ejm0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D65CFB87-EE73-11EF-83A5-E2624613CFAD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50069bab8082db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163008"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008909e097e45d8d42bb21e09f5806eedb0000000002000000000010660000000100002000000095258b1b02309cc71e0db2b5105ee5f039c1187ba683f26b20dd05bbbdb160d0000000000e8000000002000020000000be35653ec61b1a89db26dfb7296601375c7f7fd6df6a9c904e7a8d39c3569c5d20000000d4560f76847b01621aa4b56a1afca4f56d68dfd8a3adea8d8433348e46a17405400000003d6a0dceafb747d4bb21ead72c25ab238d77e409decb81c9acc05f99dd38c96ffa69942671dd61e754042dd83ae4545f814bd8e7dc170996dce5d6ff2b2945a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2864725497"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008909e097e45d8d42bb21e09f5806eedb0000000002000000000010660000000100002000000039a2291de55a7b59da2f183c82850c325c41834a7dfc39c6eac169731e5752b1000000000e80000000020000200000009d340536ec4e88c1cc1872ee064c34c253f6ea3c4c5bb97572ccceec9e9ba677200000004ef681a807240b34744c597a77ad49d194a4d992cc2b4ee910acfd50b5184cf94000000015708e5d79dfbd89d9ba35fad68190f65fecab3b42f30177fa1a88568d4bc55787cd2f5c6e9aabf0be36cfd0ec32fcf0a3aebebc22a31ebde2ffb538530040e9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40509dab8082db01	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844101784411665"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1095212214-1383118828-1037266802-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wscript.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
4436	msedge.exe
4436	msedge.exe
1764	msedge.exe
1764	msedge.exe
5536	identity_helper.exe
5536	identity_helper.exe
6056	chrome.exe
6056	chrome.exe
6056	chrome.exe
6056	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	rhc5pvj0ejm0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe
Token: SeShutdownPrivilege	4288	chrome.exe
Token: SeCreatePagefilePrivilege	4288	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1528	iexplore.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1812	rhc5pvj0ejm0.exe
4288	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1812	rhc5pvj0ejm0.exe
1528	iexplore.exe
1528	iexplore.exe
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 240	4288	chrome.exe	83
PID 4288 wrote to memory of 240	4288	chrome.exe	83
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 224	4288	chrome.exe	84
PID 4288 wrote to memory of 2168	4288	chrome.exe	85
PID 4288 wrote to memory of 2168	4288	chrome.exe	85
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86
PID 4288 wrote to memory of 1672	4288	chrome.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffaae91cc40,0x7ffaae91cc4c,0x7ffaae91cc58
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2448 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4828,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1204,i,9037585283731131216,17576294164218961027,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:5436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1700

C:\Users\Admin\Downloads\XP Antivirus 2008\[email protected]
"C:\Users\Admin\Downloads\XP Antivirus 2008\[email protected]"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3160
- C:\Windows\SysWOW64\wscript.exe
  wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Antivirus XP 2008.lnk"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:824
- C:\Windows\SysWOW64\wscript.exe
  wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Register Antivirus XP 2008.lnk"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:5108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c jifo.bat "C:\Users\Admin\Downloads\XP Antivirus 2008\[email protected]"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4440
- C:\Program Files (x86)\rhc5pvj0ejm0\rhc5pvj0ejm0.exe
  "C:\Program Files (x86)\rhc5pvj0ejm0\rhc5pvj0ejm0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1812
- - C:\Windows\SysWOW64\pphc1pvj0ejm0.exe
    "C:\Windows\system32\pphc1pvj0ejm0.exe"
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antivirusxp-2008.com/buy/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffa9aa746f8,0x7ffa9aa74708,0x7ffa9aa74718
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
      4⤵
      PID:1028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      PID:2928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
      4⤵
      PID:5484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13872040527000061855,136785311364906967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5536

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5184

C:\Users\Admin\Downloads\Deskbottom\[email protected]
"C:\Users\Admin\Downloads\Deskbottom\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\rhc5pvj0ejm0\MFC71.dll

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
C:\Program Files (x86)\rhc5pvj0ejm0\MFC71ENU.DLL

Filesize
56KB

MD5
baf751e7061ff626aa60f56d1d5d1fdc

SHA1
b0382c3ac0c0dad7d793c9a3335316b5fcae2690

SHA256
177b0bac987e7882449bd7c5900406f61a997f97ea1797614c8d86f40f03648b

SHA512
f7333b481f1498b5eab2688856a5b86fec96b6bf7b781564dfcc018882ded4d7ee5a1fc0c2498607195a66d42a74034f9649a8b61fa548d3d6029f25c5a9648d

Download Submit
C:\Program Files (x86)\rhc5pvj0ejm0\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Program Files (x86)\rhc5pvj0ejm0\database.dat

Filesize
1KB

MD5
c19b001e6fe6c082e5069e4490898ccc

SHA1
67a845bc07a68f04736b81ba45ff9d8186ae5314

SHA256
cce53b914eb6cfeecf42d38933b4ed9cae27e06bb97c9ade3f79342c74505d09

SHA512
c284caa36c69d350af80b05d6a2a8680a329ff64dd3e1a4e4ac385709f34f534a4035213980cf218a2c4027b038dbec344adb9eec9475868c7176fe67f15177f

Download Submit
C:\Program Files (x86)\rhc5pvj0ejm0\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files (x86)\rhc5pvj0ejm0\rhc5pvj0ejm0.exe

Filesize
9.0MB

MD5
04b88c7067b53a9bdf844cd1cb4b9c30

SHA1
7d081a1053cd9ef3d593f5ef9a27303824b779f5

SHA256
d42b135a1e70b6f7d0d98c340f4b529f722953cf57e573bb21a078f50f2016b9

SHA512
566f36f804d3027daab0e01f6d816b0420ba21fc276f2fabda4d0ed37b0e830704dcba8ccc3d30a7023c69f8ad3da0b9b58a49a26b3bb239d8ae0762bc157a42

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

Filesize
1KB

MD5
9d6ff7d4f87a5019b5c38e8b43d52029

SHA1
dca4701861546065383298422c632e6a710f9fe6

SHA256
55e7c3bf41060de0d012a1bbea8def39982db48dd6dc1ea80b1e5fb81d50ede6

SHA512
f4addfbfa279357d4c8b819bfb02ab7eab336fb1e3a9e2b17755a59d42b2548e0b29545bc3882df016a2b14b064de0885c830965b9fe3f86bdf13017564d88c9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

Filesize
1KB

MD5
d149d5899749472ed5bea73bd8fbefd8

SHA1
ead74dbe8f1f79b2ef9d74d1fdaa332b864e5bf0

SHA256
0ee328948d8128f3fc26dc1e8a812b377d29b45f2b6aec0c4d543af5f5fa94a7

SHA512
210a5bf189d51c0944910e660bdfeb0a92c12912fda5b4e42769bc724f85da4357fc2cf230bf1e46dfb4b3ff25d89cc665f1f4ddbdfd77383edf853ffef0ed9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
73c16d12f2214ad5fac3cb0b13ade7f8

SHA1
018feaf416ba74601bf875872a4f21bc747955f0

SHA256
76df0f772995fa1295e2dca91c022753ec7f4dbd7baf7648059ff4159e8a9d98

SHA512
7f0e845e6aca14a2bdb26b10df48bf2adff845da894d4c84f712640bce6f5e0c3e6a6255d75f00ce08a07757d2c9f0d67cd09ff0d7ec29fd99f0eba9b85160ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c53303a8ecc9fed4a60cc82ba9fd06ca

SHA1
8a15528b5156a688f3aeec556b0d15c9057544f7

SHA256
1387c3ffe73db5d7495b612c2505de143b74d8474c75fbec415d2a07f9d3b6c0

SHA512
194421ae5b3bc06d8da95184b2793330f36b9e0852bd6058ba32ca4c5e1f432fd75d36f22fdceafdc1c6914582ddc25080c4ef0b8412376d1b353f5db112aad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2a72f5cec78d0b383c81e6c1dc643909

SHA1
481a7a0740d4f2796586fbb1f31c2474d4063bcf

SHA256
a335daa9052f22991a544a8c9a3b75ede855d5e0435ed5633a30e7f9e95e9d22

SHA512
bc3607b7eca2b346bf3a840946b1d43a8a7766b37529145097fb43b5f9a0b4fcf26cb07fcca5f7cf53f7ffb5b253a2300ec78489b317b956e176e90f06a3210f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
733853243da1cb101e408b449093f88f

SHA1
1778f0fe18d6d0de76d03e36fa7e5e7f278dfe3b

SHA256
571e9852b4e1f1ce684cb226c67a9ac9b7ec897bbf3bd9cb72cc12fcf67c5e47

SHA512
254aa1ad9d632a22b2900f84e476b48fc685b572741d978ce7346c66c47cf14e28621d8fade4c1278f0d9b63ab25eb604f7dfd40ed527280c58c241c2471e9d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c007b1d837fc9978056968b116ed1b0d

SHA1
6306643daaf8e870c2226004463176725d9d685b

SHA256
f8575c184a568f143140aa3ec450b2754867d03bb3c36e94723b154747531eaa

SHA512
172fb416226e5165b1a12cb8fc128b4ea24eddbb56ba5ac8afd30f222f156919d558812a9136b01055605be633f47f1011a4be564e3376eaf94e7096e9910342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f84f512933c7774941eb10051144f5eb

SHA1
f3aaadb664f4845b54f76a6a5a97ff5a1db6d152

SHA256
c1d969cccfa07ed131e716117ba68d4f89165350dba55bd5f7a9fb8acc503020

SHA512
6dbe18b10d70131b600b0574c929ad415e95ba37a00d7f297876fb2e8605bed9b3faeac52aecaec9db38cdebc47788c3e50c2e202f67411c966648e798a0cc64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7cc3d0cfd9876a44f4bc73418c2793d0

SHA1
d1d7f8283e876d74d4825e7620eacc5b192909c3

SHA256
ff4c3e94211bc7976482ef0a82b78803062c0645a98f9b0b8c9d8a25f364eb13

SHA512
e2edaf2815eb2457aaf6503afad5f61f2284e9650678afc6a16ffd658d32d16c510e4c0cade579c43166d0812b3b8a86be4b38b6aa11a7b42f1016f188f7cf5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47d99ebd4c973a7665f9a6d710bf5d47

SHA1
b0b856ec49b55dc10fdab38d03352a35c717c730

SHA256
d5f268baa26bd636c8c729e0e053d481a46889550151255f1a769dc6da06827b

SHA512
6cf307a481095886689358b15957e376bd78baaa5339f8b47707839bdb9ead1affc9a9878173ced40d1d3b1cc75c6bce2067b11c49e20383ec3f04f931f0bd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4c3feb45a2a2a5f827e2f4be448d8413

SHA1
841edf54a4eac6d2d958f6e37c692129723af037

SHA256
0c89623d666f33f045868324ce472f2017b599da6b100cfb46de328b0a9ef67b

SHA512
28189a2564590073acca6508862ca36f4af0abc91d64b941a01f7b70b8a6af4f2ea542c1ff5d2c55bcf1386feb8ea7144b4a88ad34942bba2b04a7a26495978c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2725d4b33e4aaaa567f4fa86aee390e4

SHA1
6f4b054b0c1ac33f200294c784f7e2ec164f5c6c

SHA256
cf072497410ac8eaa4345438ebfcff29b9bfeffc95ac104df65298fe617b2d9d

SHA512
0dfef614b3a87f8c2e2d17737bf467417d22a8f579001878b7fa93ca14e37470e40e3dc0729a77b6d8f908e9ec5968fa076bcb8ae7cf3c4862eb9c35b7f9e4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b13d9341d7e188ce2db79d285ee6136

SHA1
9fcd6b1e3fd8f2186dd1601e9e8e6b01e8fcb37a

SHA256
7404b0b11ae094c98aeba7648c221e145ab3fadfb56701e869b50a756f6b823a

SHA512
9cbde26ab2c9f34246a5e45796976f7bb433e76220c292f1e94539f8a2b0e497a81d0905a42bce62ff2dd192bec1f90ebbed859ba387d0a90c1be461b965c5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3760bb8cb76182c60812e6c1a4ee18eb

SHA1
48002fb3bfd3ecd31e33e22d4010d76e84f9ce7c

SHA256
cf156e42ea1a9bd92bae178478f51a62aebc7e340de2dfa3bd5c929be4630d33

SHA512
5ff66a73522949e0a817f091aabe89714e7785476774a69930f8946c4acef051cdd0001397bf09ef6f6f79c2116cbf847938cd707ce183acb12db1155a63d188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cdff9d150194ccea4931d95adea64ce

SHA1
fb114011f56508dcf73ab90bc6012f713cdf03b9

SHA256
a962e4e34b053af27cfeb11625b165bad506f3f8a293e090c1550026b8c6d89c

SHA512
57ccd17eb6e83cfde6f824ee75212585a3e891f5791e4e3f973d594fc7ab36e1b5ab75ec059cb0cdf5e6bc7886e7397f36299398d33e613f74179c99ce82a337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6431a62f545ba9e69f7f4410b7fd36e

SHA1
d28084901eff354a4a84469373885010681e008a

SHA256
678a6db52ad45ef982473d0c6fee496da9bd1ee0b244496ff0cdcf9f4e1aa47f

SHA512
eb862b102d262f206d40846a9f3878b8fb891668900da310d2ad2cc284ce35c514f9f19acda9397e1a0dd69cf1b4d032c665bb388623d758f68d1ecaf39747ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6fe0288d57d0dec79502b519d03a870

SHA1
6d0c431c914d9369301a0ff17287ad36fd9cfe20

SHA256
f2076aade3725f092630d6e09bf90697a429503a47eb91ba0949a0490fc15937

SHA512
58ac35e81471d04f2ec035403ae0354e20c37532c2abf2ae0146f4326bd62386eb1db3e64be7ef1b8eca64b9cb68616d0675c07a924e07e66ff5b3041767e28f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0630586f1ea061c4b786522a9eae7e08

SHA1
8bc042e945e25326c237ee68b0936d5db86d995f

SHA256
2e08c9694d90212ab6aba51e6eea1f119d1c2525199f9deeae2c945d4eb77d21

SHA512
967e39493479fc5749f5ff18cfb4e356d17ffd5d9d27409d5a5f757e08249423b1f79c91e198c873f97a85ae9a70e218dd7c6cc30d7d8d112c2a24951ca67240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0964be1e6615730e088ad4408e0bb1b3

SHA1
4426378ad078159998a9701c188f61e4038ba27a

SHA256
457fac9960ac226957d785a78c71854686a6d97c3b42d78b1806c929dff2aaf0

SHA512
5c331b3177df56afdfa05fd39fe7f9f50aee6539cf01c992aefc8763f7ca9c0d0c5d874cdeae7b928f48647fd44327dd1be5470b4714ef068c59bbe0be595216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
c95ec19091be7310d3581143d2d2d0f5

SHA1
96034d6f07fbeb51dae1494353ae9a80e2468b26

SHA256
6959fd65067fc87972f8a13e62f2dd0e547c11e4b7321da1887249552458449e

SHA512
c6b19144c6f8e7908b5c38fcc3022cbb49bc788e50da21f614bf135bfeb1f70e5f3ed06a9b8fdb01baeb4145d82f60ccdfa9ec88d0904dd2965388b4ff5f300e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
2d17c707509291caff0ee0fc96d5b411

SHA1
de70f5cfa202d1bf3c81559a8fefe87eec24edeb

SHA256
b87475dece0129b4a92f08a5fe74aff5dca6149724fd7b3a3a6a8fe2e95d5310

SHA512
412b7b053f13fddd3eeaf556a5cd095a98725993472f7a02e1a1ef9c498f7e6937044317d2e1a254c8d8433e39b99744b0a056753fc84ac84e15fc793a5b5d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0dfbdad47d1a5d0e150f7ce1c87a2c8

SHA1
7163d90657a956bec90a73af78c3393168a2c114

SHA256
d29eb9e2fceb8cf4bb4ed7b032efaf38d893586e0bc2cb672d7d5550603328f8

SHA512
aa60297fa8652377bf3e36f6caf10cef8e8be1986565e99c369fe92625059d36d1f4b23b8ec8cd4b9fc4133702d9b7fda189b21821d2019d4eb7fed4f997010d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\25932e48-a173-4b80-bce2-d751577c0aa7.tmp

Filesize
5KB

MD5
59a88b7bba9f1e5d4f8216aeaaad2b69

SHA1
46464b9408e44264882fed5db0e957d8cf155d66

SHA256
698d2538935fdd9f8f58de6cfe8395a6cf8471a5e1a6a3336eee4251c52b21ac

SHA512
1d0bbadb064d668f6f347c3e51b11410d5e7611824d3662e8f86b70e567a3c93f16ecc90a2c68998183d2d6db6aff769cd59bc0219812bf697ea42f1a9d1ece0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
685b11f44b4fd18ac7205c85bf2541dd

SHA1
16fca74da3eeb0da0a8445d3e01f79a86d42501a

SHA256
3dbfef5ee5733df42c112ef85a4faa851c74f6572dbb39d133902860b536e590

SHA512
7647bd15136cbc662545b881f3307e38505880c2b9bdad04d0a1d141d7fc5b29877301b1b6b906757074d5646fc73478e9e4e666750c311785545a9854659ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ecf45055c05a7f495a736c04e98b0fa1

SHA1
9c13c6611353423b173c8ccaf38db91dd37f8414

SHA256
35a8471cdb02db0a82557fb3b62ef871960f488c4b0fc6fafed24f13c07939d5

SHA512
a58ea15cd2dccc6890380d7d331a7bb1fa034be5b3d440b2d673f513336f7bd892ebab928ecca4d9f9e87f343136d48501628dd036ce16660766836f9339a4c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7308733747c38457c2e2974d54eac413

SHA1
c8de18441fa22a6fe47227c1be731e5429048658

SHA256
681c99914cb42dfc40fca6da14f920c550c42671609be576acab22b8eb8f11c9

SHA512
5769d3b11dd2e877a52bf7de2517e6e360bb2ea0cfae0c50cb3029ca24d010e379ac2a157033ea89828a9420e7ad18ca84ce8dd5f05a86a2bee4a7771e0971b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\jifo.bat

Filesize
70B

MD5
bc5aca38e505da47e1ea8bcfb9df5bbb

SHA1
67dd2324979ff2c2dfc97f89db0fb939bd08c87a

SHA256
30c55012548697052877b13150bedae3156f9a502557d1ea816dbed647b4a8f8

SHA512
37ce0ab1b0ea58d3fddb8a25f6da6b970c454a7cd614932ea3a2c7f8d9c763172fee2a455d7d381397a67071d3f10e7b9159ce02dde0e0176c8e4180c47451cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE183.tmp\KillSelf.dll

Filesize
5KB

MD5
8b49e96b0bd0fe3822bd4f516ad543ab

SHA1
3d04d3a4377e2e1888cc2be333b129daa8d2894d

SHA256
c25cbc60ff1ccca811239655636717c9ff4decb9190a557489389504b248d037

SHA512
46826285f213137cedefe379ece413730a36dcde016e5ac114743cb011e587fde503df1d70ea0e6c4213993749ac4d246e4c3c980b02e01239b392d0f5892e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE183.tmp\MachineKey.dll

Filesize
52KB

MD5
819265cb9b45d837914f428373b06318

SHA1
0725f84eba20acdbd702b688ea61dee84e370b0c

SHA256
dd2f2d8c0a7d767be40b0f83ac6339ec86068e4ba0f4cd0e3e5b99050dd84fcf

SHA512
ae4dd3f773568072e86e694c72a08d06b9206cb704a22ced1a922bc04a61a504aee67fc32ffb4d39f9e75f74c533d409756d4d953eaf9ab89cc9fe11f702b30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE183.tmp\Mutex.dll

Filesize
3KB

MD5
6899249ce2f6ede73e6fcc40fb31338a

SHA1
385e408274c8d250ccafed3fe7b329b2f3a0df13

SHA256
d02a2c0c9917a5ff728400357aa231473cd20da01b538a0e19bc0c0b885ea212

SHA512
0db15d8050a3d39a14ebe6b58ebd68f0241d3ee688988e1e2217e2c43a834dff0959ba050d7e458ab6dfb466c91a3109ead350fe58fb3daa0753f6ca1ed9d60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbE183.tmp\lastpage.ini

Filesize
214B

MD5
14f51baaf9e518780594e20887e6fe36

SHA1
19f934f6a8cb11c53ae06f71457bfa643bb06576

SHA256
99cc25682aa82e36757361afdd6e0436ff56cdc03993e6d60f20d052f8b9dbe5

SHA512
d48e9a9e12a69fef2b6c324a9c2f1fb46d8eb931a4cde955f2c196c3ee78ac80dcfdb98cc17530854c3775db41de66b09b9ba498c550ac500ec40cdefe4caf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.vbs

Filesize
287B

MD5
3f764ed6ee61afced5405a2e3f62738b

SHA1
ce56c02f451bdbf20a1003df87fc2692ca06d0ed

SHA256
22804ed36ad186b3ab18605719c83e70b6244f60aba00e16ca8f97d80b5cc0e4

SHA512
6ed1d6327b67b3c863f71ede1d8be2f24c51454aab25b104d474024bfafcd732ba84a63ea60b218ce0e97a740c2717f87f4a38fcf211e780d027d36f4bc1d859

Download Submit
C:\Users\Admin\Downloads\XP Antivirus 2008.zip.crdownload

Filesize
1.3MB

MD5
a06ce8cd000f726c1aa2485a841f9640

SHA1
c2fad57e9c22ea6714d8bee9941339aca1cc7e8d

SHA256
20c562166df0c0a76fe9ff901b20983321b2e9a4b045e3c3c3a20f8e4f22a5a3

SHA512
32947e6424359499ec393db8e9776b4fcfb4419e5b8e821515d1220078458d3bbbe879b22a6a18b6d3f457369ba9369b0970f8905b431dd5e9732c805b0d7be2

Download Submit
C:\Windows\SysWOW64\pphc1pvj0ejm0.exe

Filesize
92KB

MD5
c90738662f7ea8dfcdf2ad26617171f9

SHA1
9a3f3b0458d0e12d0789a73fd0c6151d0e158cf4

SHA256
f6963bc0c9343d33102628766539d849939188c7fb05db82e9a9f49920a98330

SHA512
e645b1113e4683fc88b7a442b5dd87c846810d639d07b87fa32bddf96fee70645b051154594560a36a8460d6ff7b00bc0f64f7b0bf3ef8c6c46ca544fd21aa4a

Download Submit
memory/1812-302-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-522-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-362-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-352-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-299-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-300-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/1812-301-0x0000000000400000-0x0000000000D72000-memory.dmp

Filesize
9.4MB

Download
memory/5792-593-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download