xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
763s
max time network
800s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral1/memory/840-779-0x000000001AB80000-0x000000001AB8E000-memory.dmp disable_win_def

resource	yara_rule
behavioral1/memory/840-779-0x000000001AB80000-0x000000001AB8E000-memory.dmp	disable_win_def

Detect Xworm Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/840-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
behavioral1/memory/1916-36-0x00000000013D0000-0x00000000013E6000-memory.dmp	family_xworm
behavioral1/memory/1552-39-0x0000000000240000-0x0000000000256000-memory.dmp	family_xworm
behavioral1/memory/1140-41-0x0000000000C60000-0x0000000000C76000-memory.dmp	family_xworm
behavioral1/memory/1348-43-0x0000000000350000-0x0000000000366000-memory.dmp	family_xworm
behavioral1/memory/1376-45-0x0000000001280000-0x0000000001296000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2624 powershell.exe
2496 powershell.exe
2488 powershell.exe
3040 powershell.exe

pid	process
2624	powershell.exe
2496	powershell.exe
2488	powershell.exe
3040	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 11 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

1916 svhost.exe
1552 svhost.exe
1140 svhost.exe
1348 svhost.exe
1376 svhost.exe
1764 svhost.exe
1740 svhost.exe
2212 svhost.exe
2668 svhost.exe
2884 svhost.exe
2572 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

788 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3040 powershell.exe
2624 powershell.exe
2496 powershell.exe
2488 powershell.exe

pid	process
1916	svhost.exe
1552	svhost.exe
1140	svhost.exe
1348	svhost.exe
1376	svhost.exe
1764	svhost.exe
1740	svhost.exe
2212	svhost.exe
2668	svhost.exe
2884	svhost.exe
2572	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

pid	process
788	schtasks.exe

pid	process
3040	powershell.exe
2624	powershell.exe
2496	powershell.exe
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	840	sv.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	840	sv.exe
Token: SeDebugPrivilege	1916	svhost.exe
Token: SeDebugPrivilege	1552	svhost.exe
Token: SeDebugPrivilege	1140	svhost.exe
Token: SeDebugPrivilege	1348	svhost.exe
Token: SeDebugPrivilege	1376	svhost.exe
Token: SeDebugPrivilege	1764	svhost.exe
Token: SeDebugPrivilege	1740	svhost.exe
Token: SeDebugPrivilege	2212	svhost.exe
Token: SeDebugPrivilege	2668	svhost.exe
Token: SeDebugPrivilege	2884	svhost.exe
Token: SeDebugPrivilege	2572	svhost.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

sv.exetaskeng.exe

description	pid	process	target process
PID 840 wrote to memory of 3040	840	sv.exe	powershell.exe
PID 840 wrote to memory of 3040	840	sv.exe	powershell.exe
PID 840 wrote to memory of 3040	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2624	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2624	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2624	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2496	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2496	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2496	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2488	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2488	840	sv.exe	powershell.exe
PID 840 wrote to memory of 2488	840	sv.exe	powershell.exe
PID 840 wrote to memory of 788	840	sv.exe	schtasks.exe
PID 840 wrote to memory of 788	840	sv.exe	schtasks.exe
PID 840 wrote to memory of 788	840	sv.exe	schtasks.exe
PID 1568 wrote to memory of 1916	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1916	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1916	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1552	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1552	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1552	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1140	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1140	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1140	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1348	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1348	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1348	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1376	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1376	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1376	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1764	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1764	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1764	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1740	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1740	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 1740	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2212	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2212	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2212	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2668	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2668	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2668	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2884	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2884	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2884	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2572	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2572	1568	taskeng.exe	svhost.exe
PID 1568 wrote to memory of 2572	1568	taskeng.exe	svhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
2⤵
PID:1380

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:275457 /prefetch:2
3⤵
PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {90B9BB2F-996C-4996-87B0-C85E27D7A773} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feedae9758,0x7feedae9768,0x7feedae9778
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:2
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:8
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:8
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2200 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:1
2⤵
PID:1504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2212 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:1
2⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3252 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:2
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3248 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:2
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1284 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:8
2⤵
PID:336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:8
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1412,i,13101070882314794241,16686363111618503959,131072 /prefetch:8
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8
1⤵
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2cda6c942300e8cfeec264155c879d18

SHA1
50e57fb39b92db475f079457b27e3faa7fffc8c9

SHA256
5fe53ef5b9c28e7c4ab2919269ccf026ff717464ce9efcf5ce097cb5233a4b88

SHA512
25e7d75ce9bc0df503071a1adb72c2b11fc657353b826eecb6f0afdd90c56ee91c30dcfd2cbbabc913248c31138fd48804909a44d34a94afb884ede14030e6cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
90a78319f418440823391ba70fb8d1ed

SHA1
59774446e01a37900164486caa6e65d20dbcc0d5

SHA256
9a1bb1cd9f1105362a7a580b4db304b0037d0adaad6d52d62fcdbf3e112f9c85

SHA512
73e09ea3234ce2f6a9351a091bfba89bd7f9cd3b291425a853c24c32cf4eec86f2b2557c9020d91efcec996a9badcc137a2838f29b1b435d06bb07761e94c775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
192d3d5c1fa69e921af715b33377af69

SHA1
345c2bcf07d42892a0976d9f25f2af6c39042af9

SHA256
8894286754e7ec1e26189976ff08607de2a3a80a58dfc12e6c9e42802d4056d4

SHA512
053bb3bc6a5743456c6c7a718f53689a5aaa92caf03c717e9a5657ade3d43d4f3fcbf81c40fd37b8e79f90b9debfbbb382ffaf63efe1e6f5b33013c0f66f26bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
59a6d77cb4d313b81719f8fa5a0329bc

SHA1
411324b0b296df38fff99d1ef1d440cc04128726

SHA256
f85c9b4cf5429db765db55e09602f44a91486d201efc6107d77db13d9a50315b

SHA512
d661f8312727ca65d2dfcd46440c883b12a82b4bd410a3b4acac67537127f7b196c0929fb68db059f0852c130491b091572099af88396334a6fbbcb10655d5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a7984074d62ba5ff01bbc0fe80f4aa6f

SHA1
2bd0bad74bfd546a9ab9f49635ae9e8b2a6343c3

SHA256
a4cef31240dd0bea4038d47a2c0a608666f7606ca03ec31c018792cf309d640c

SHA512
a4fc47cfaefb93e3a299cc9231f0b20721ea43055739518e6e601f3d06ced7f539d12a2fda6ab80dd6e65970b51ba0130c936936cdbb73613d402bad11c87cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
496c7cbcee24588660c9763e38bf2246

SHA1
df5e77283044feaa789c55b681842551c2f1dd0f

SHA256
7ae4e2e97084289b84424bc4fa9ce14bee01501c7b08f688f26b5d853cf3cecb

SHA512
5b689e31d9cbf3fe7d84e43a7d664f9635dd8e18231797f16534b15dbc123d0450b5b6b3bb3992e61ff647e73ffa17e46c3c8a9fdb5cbd406258e3920919b0e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4cd3be2fbeb1b19cef719829c832ccc5

SHA1
ed3c51a0d67dfff04fccf1079cdb45e786957c88

SHA256
d6544d7b0906efd78edcb20a68011c6116c93f7e10f4a95ba37380bd2c0b5365

SHA512
55474b7a6b5029e2457aa1db446d6d67b3724e5c5032a13168a205b1af01c17d4ff2f3a7091df4f39c0627d45bcf78ccfa791b8bd1cd9694f614adeb6bd170c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b69203f3288829025f5d9d59e9378909

SHA1
4c69f2d8517dcef28a3637b087c13f365da8c406

SHA256
f640e98537a91e120ec98cd64a25f993ef62403fc9e66a3e22d1b72bcd6af9bf

SHA512
c998518ea91f0a4b8bc2341cf89edce86619e5451e80bde5ac2d1d9d9b1c458b19decf8038fe7e7e96becc6baa4a4f18b02386ef5abe3614bf661484b09b57e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ee72551caae39ffa67d09090e5c41051

SHA1
811565d9c7612e0c42a3740492ebc8943b838ed9

SHA256
12307762323450b0af9e77968badcfcf119d6cb1fdb2d773dde02a1b954ea9c1

SHA512
217269046c975a03f5461d625a6b2672d07a4b8b24ccd4f07af44fba391fd5d920f96196c54a4866f8e3994ce4846cbe84bc6ea36132f9a1fcfca4dacacfd441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CDB.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DB9.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
06b92ad43e6d494562a81121dfe73e2c

SHA1
c14af3106f56831f78b81d93ed56689c310e2cc5

SHA256
4c462724fe9105c8bf3e7fe6b53f1a77fee463d549448f371e32c485b4f587d4

SHA512
c42fa5c0bfa3d054eb368489643582be15af8f4c0c8296c2bd7d5ea27675d814a697cbdabf026dddf783913f75a77f3e2ed45eb7ed4bbb564c5b42afa268fbe1

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html
Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize
16B

MD5
5c088134b8d44512417f3c0c5b5e0b28

SHA1
9fa38efde1cf2b2f30746e1524d12c6f188068a8

SHA256
65ccc62d0c35f7f700c9801ef817968ad89f6d711897361b62d5556234387d74

SHA512
3d01738706d99d989a63caac5de5fd4fbc2a062949437231e29a54a74f2912e5f042c1476be135be5eeafb1dc222441cf4ad67ea8ad443bde59566ff1186859c

Download Submit
\??\pipe\crashpad_1936_EVLSRAKVXXTFLSLO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/840-30-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/840-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/840-779-0x000000001AB80000-0x000000001AB8E000-memory.dmp

Filesize
56KB

Download
memory/840-776-0x000000001B150000-0x000000001B1DE000-memory.dmp

Filesize
568KB

Download
memory/840-52-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/840-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download
memory/840-32-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/840-31-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/1140-41-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/1348-43-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/1376-45-0x0000000001280000-0x0000000001296000-memory.dmp

Filesize
88KB

Download
memory/1552-39-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/1916-36-0x00000000013D0000-0x00000000013E6000-memory.dmp

Filesize
88KB

Download
memory/2624-14-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2624-15-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/3040-7-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/3040-8-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/3040-6-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download