Malware Analysis Report

2024-09-11 13:47

Sample ID 240614-qcdcqasalh
Target svhost.exe
SHA256 09b0ea505f95446356de28fc0eae805f7f3f548e7a7df522c4a6805c50065663
Tags xworm execution persistence rat trojan ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 09b0ea505f95446356de28fc0eae805f7f3f548e7a7df522c4a6805c50065663

Threat Level: Known bad

The file svhost.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan ransomware

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 13:06

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 13:06
Reported 2024-06-14 13:09
Platform win10v2004-20240611-en
Max time kernel 124s
Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\svhost.exe N/A
N/A N/A C:\ProgramData\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 location-involvement.gl.at.ply.gg udp
US 147.185.221.20:4325 location-involvement.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3256-1-0x00007FFB0E313000-0x00007FFB0E315000-memory.dmp

memory/3256-0-0x0000000000670000-0x0000000000686000-memory.dmp

memory/3256-2-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

memory/1424-8-0x0000012D64EE0000-0x0000012D64F02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3goky3d.jng.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1424-13-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

memory/1424-14-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

memory/1424-15-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

memory/1424-18-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd1d0b083fedf44b482a028fb70b96e8
SHA1 dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256 cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA512 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb22d95851b93abf2afe8fb96a8e544
SHA1 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256 e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA512 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

memory/3256-57-0x00007FFB0E313000-0x00007FFB0E315000-memory.dmp

memory/3256-58-0x00007FFB0E310000-0x00007FFB0EDD1000-memory.dmp

C:\ProgramData\svhost.exe

MD5 b075eb4cf71b6774184891552dfc9ccf
SHA1 80f66dfb79180890efb46df800634dd8e5553987
SHA256 09b0ea505f95446356de28fc0eae805f7f3f548e7a7df522c4a6805c50065663
SHA512 27830f1d0c807e39c2872f274fbc3b486e8d24e83c74de6b75285e9ac32a15b4ebc81d5bc6e2d98ded6e3986d250339218ce2a7e8e3778b0bba30b479e0cbb08

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 13:06
Reported 2024-06-14 13:09
Platform win7-20240611-en
Max time kernel 126s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\svhost.exe N/A
N/A N/A C:\ProgramData\svhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15544551-2A4F-11EF-91CF-DA79F2D4D836} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb81000000000200000000001066000000010000200000000c8bb954db5d5cc62a24b92d2e8a6d611ee00cb89815c5d0ceced23d9419cc41000000000e800000000200002000000045bcdd1cbdb0bcc59ad574441a5701c3f415f1a4e8e69aae61008176b501eb2620000000a8247e6052308afa7ecc34f5facac363d4bc9540c5ca9346e7ea8b3491fa353040000000ffefedac6381d0c36faf2bb6e3591763badaf025a256b2ff71840d98bc20df1cf09cad62be236215c5038e5a943743b01852f1e90bbbfe5d911217545a54c086 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106fdce95bbeda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\svhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\schtasks.exe
PID 2200 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\schtasks.exe
PID 2200 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\System32\schtasks.exe
PID 2200 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2200 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2256 wrote to memory of 2312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 380 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe
PID 380 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe
PID 380 wrote to memory of 1508 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe
PID 380 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe
PID 380 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe
PID 380 wrote to memory of 1976 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\svhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {22F687E0-76DE-403B-9B8B-22B518FF7B85} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe

C:\ProgramData\svhost.exe
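Added example (not part of the sandbox report): a Python triage pass over process-creation events that picks out the three process-level techniques both detonations share: Defender exclusions added through powershell.exe -ExecutionPolicy Bypass Add-MpPreference, the schtasks job that relaunches C:\ProgramData\svhost.exe every minute with /RL HIGHEST, and the executable name svhost.exe, one character short of the legitimate svchost.exe. The sample events reuse the command lines listed above; the (parent, image, cmdline) tuple layout, the explorer.exe parent of the first process and the two benign control events are constructed for the example. The Run key and Startup-folder .lnk writes are registry and file events, not process creations, so this pass does not see them.

```python
"""Triage process-creation events for the process-level techniques in this
report: Defender exclusions added via PowerShell, a minute-interval schtasks
job with the highest run level, and a lookalike binary name (svhost.exe).
Added example; the event layout (parent, image, cmdline) is an assumption."""
import ntpath
import re
from typing import NamedTuple, Optional

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP_SVHOST = r"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
# Constructed events built from the command lines in the report; the explorer.exe
# parent of the first process and the two benign controls are assumptions.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", TMP_SVHOST, f'"{TMP_SVHOST}"'),
    (TMP_SVHOST, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{TMP_SVHOST}\''),
    (TMP_SVHOST, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'svhost.exe\''),
    (TMP_SVHOST, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"'),
    (r"C:\Windows\system32\taskeng.exe", r"C:\ProgramData\svhost.exe", r"C:\ProgramData\svhost.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /sc daily /st 03:00 /tn "Backup" /tr "C:\Tools\backup.exe"'),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


class Finding(NamedTuple):
    rule: str
    severity: str
    detail: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "conhost.exe", "dllhost.exe"}
EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+['"]?([^'"]+)""", re.I)
# schtasks switches: /name optionally followed by a quoted or bare value that is not itself a switch
SCHTASKS_OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_defender_exclusion(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    if ntpath.basename(image).lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    bypass = " with -ExecutionPolicy Bypass" if re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I) else ""
    return Finding("defender_exclusion", "high",
                   f"Exclusion{m.group(1)} added for {m.group(2)}{bypass}; parent {ntpath.basename(parent)}")


def check_schtasks(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    if ntpath.basename(image).lower() != "schtasks.exe":
        return None
    opts = {m.group(1).lower(): (m.group(2) or "").strip('"') for m in SCHTASKS_OPT_RE.finditer(cmdline)}
    if "create" not in opts:
        return None
    minute_loop = opts.get("sc", "").lower() == "minute"      # re-launch loop, typical for RAT watchdogs
    elevated = opts.get("rl", "").lower() == "highest"        # runs with the highest available token
    if not (minute_loop or elevated):
        return None
    return Finding("schtasks_persistence", "high" if minute_loop and elevated else "medium",
                   f"task {opts.get('tn')!r} runs {opts.get('tr')!r} every {opts.get('mo', '?')} "
                   f"{opts.get('sc', '?')} (RL={opts.get('rl', 'default')})")


def check_lookalike_name(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    if image.lower().startswith(SYSTEM_DIRS):
        return None  # the genuine binaries live here; only copies elsewhere are suspicious
    name = ntpath.basename(image).lower()
    for known in sorted(SYSTEM_NAMES):
        d = edit_distance(name, known)
        if d <= 1:
            why = "a system binary name outside a system directory" if d == 0 else f"one edit away from {known}"
            return Finding("lookalike_name", "medium", f"{image} is {why}")
    return None


RULES = (check_defender_exclusion, check_schtasks, check_lookalike_name)


def triage(events):
    """Run every rule over every (parent, image, cmdline) event and collect the findings."""
    findings = []
    for parent, image, cmdline in events:
        for rule in RULES:
            hit = rule(parent, image, cmdline)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Feed it Sysmon event 1 or Security 4688 records mapped onto the same three fields. The lookalike rule deliberately ignores anything under System32 or SysWOW64, so the real svchost.exe does not fire, while the same or a near-identical name under %TEMP% or C:\ProgramData does; on the sample events it produces two exclusion findings, one scheduled-task finding and two lookalike findings.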

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 location-involvement.gl.at.ply.gg udp
US 147.185.221.20:4325 location-involvement.gl.at.ply.gg tcp
US 147.185.221.20:4325 location-involvement.gl.at.ply.gg tcp
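Added example (not part of the sandbox report): Python that reduces a network table in the format printed above to a short IOC list. It drops the sandbox's own DNS traffic to 8.8.8.8 and the reverse lookups, and treats the bing.com connections (present only in the Win10 run, from Edge) as browser noise, leaving the external-IP lookup, the Telegram Bot API connection and the playit.gg tunnel endpoint on TCP 4325 that the RAT connects to. SAMPLE_FLOWS is a subset of rows from both detonations; the category table and the assumption that *.ply.gg hostnames belong to the playit.gg tunnelling service are this example's own.

```python
"""Reduce a sandbox network table (Country Destination Domain Proto, as printed
in this report) to the indicators worth acting on.  Added example; the
category table is an assumption, not something the sandbox emitted."""
from typing import Dict, List, Tuple

# Subset of the rows from the two detonations above.
SAMPLE_FLOWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 location-involvement.gl.at.ply.gg udp
US 147.185.221.20:4325 location-involvement.gl.at.ply.gg tcp
US 147.185.221.20:4325 location-involvement.gl.at.ply.gg tcp
"""

# (hostname or ".suffix", category, analyst note); first match wins.  Assumed mapping.
CATEGORIES = [
    (".ply.gg", "c2_tunnel", "playit.gg tunnel; the operator's real address sits behind it"),
    ("api.telegram.org", "exfil_channel", "Telegram Bot API; shared infrastructure, expect collateral if blocked"),
    ("ip-api.com", "recon", "public IP / geolocation lookup at start-up"),
    (".bing.com", "browser_noise", "Edge background traffic on the Win10 image"),
]
STANDARD_PORTS = {80, 443}
ACTIONABLE = {"c2_tunnel", "exfil_channel"}

Flow = Tuple[str, str, int, str, str]  # country, ip, port, domain, proto


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue  # blank lines and the header row
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append((country, ip, int(port), domain.lower(), proto.lower()))
    return flows


def classify(domain: str) -> Tuple[str, str]:
    for pattern, category, note in CATEGORIES:
        bare = pattern.lstrip(".")
        if domain == bare or (pattern.startswith(".") and domain.endswith(pattern)):
            return category, note
    return "unknown", "not in the category table; review manually"


def triage_flows(text: str) -> Dict[Tuple[str, str, int], dict]:
    """Return {(domain, ip, port): summary} for every connection that is not sandbox or browser noise."""
    iocs: Dict[Tuple[str, str, int], dict] = {}
    for _country, ip, port, domain, proto in parse_flows(text):
        if domain.endswith(".in-addr.arpa"):
            continue  # the sandbox reverse-resolving addresses it already contacted
        if proto == "udp" and port == 53:
            continue  # resolver traffic; the resolved name reappears on the TCP flow
        category, note = classify(domain)
        if category == "browser_noise":
            continue
        entry = iocs.setdefault((domain, ip, port), {
            "category": category, "note": note, "hits": 0,
            "nonstandard_port": port not in STANDARD_PORTS})
        entry["hits"] += 1
    return iocs


def block_list(iocs: Dict[Tuple[str, str, int], dict]) -> List[str]:
    """Hostnames and ip:port pairs for the actionable categories only, sorted for stable output."""
    items = set()
    for (domain, ip, port), entry in iocs.items():
        if entry["category"] in ACTIONABLE:
            items.add(domain)
            items.add(f"{ip}:{port}")
    return sorted(items)


if __name__ == "__main__":
    result = triage_flows(SAMPLE_FLOWS)
    for (domain, ip, port), e in sorted(result.items()):
        flag = " (non-standard port)" if e["nonstandard_port"] else ""
        print(f"{e['category']:13} {domain} -> {ip}:{port}{flag} x{e['hits']}  {e['note']}")
    print("block list:", block_list(result))
```

The tunnel endpoint is the one indicator worth blocking outright, and it is also the one on a non-standard port. api.telegram.org is shared infrastructure and ip-api.com is queried by plenty of legitimate software, so those two are better used as correlation signals (a process from %TEMP% or C:\ProgramData talking to them) than as block-list entries.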

Files

memory/2200-0-0x000007FEF5ED3000-0x000007FEF5ED4000-memory.dmp

memory/2200-1-0x0000000001260000-0x0000000001276000-memory.dmp

memory/2200-2-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

memory/2664-7-0x000000001B540000-0x000000001B822000-memory.dmp

memory/2664-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0L74AGXHHV88YWNJZ80K.temp

MD5 75db7e44c073b33c9405f4e04cb00bb3
SHA1 e3e53a6233f06e1d28ea3bc91a771fee32187e55
SHA256 f31f42db1879024bac3424426e7d6d423e7362ce2a92f034898b9026733023b4
SHA512 45c7a521dfead5354ce40989de11fd229ca0595819b339d4695dc02edda6eb7e2fca4caa49e98a4d09bee5109d529128222137b5db22d904f8a377c6c3032bb6

memory/2804-14-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2804-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/2200-30-0x000007FEF5ED3000-0x000007FEF5ED4000-memory.dmp

memory/2200-31-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp

memory/2200-32-0x0000000000C50000-0x0000000000C5C000-memory.dmp

C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 6206fbb83f0122683985f504f808021c
SHA1 f571b8afd4cc2ab65724f6cf07198ca91a08c38e
SHA256 e8483d0b0b60f18c97895776d53003c375591302242eb7d395d2038e7c7b4c73
SHA512 b246ca1bfbd1d7c87ee31d7727a224ebc448afe076f1b31041014b4194cf3ba20191f007cb421402e8d3e4d17b3b9624355a756409914e1b5a63efd66f817715

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 d2dbbc3383add4cbd9ba8e1e35872552
SHA1 020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA256 5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512 bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

C:\Users\Admin\AppData\Local\Temp\CabE19A.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe7af65a69f0ef794a0d4be6eb3c8aa7
SHA1 9f180f20447463845a988cfd69588d544c2c836a
SHA256 f1a88a5d2b22f401e07fd964891d71e4882c883d790eaa2e7e6652287dcf823c
SHA512 634d57b56c4b1725da59fb23906d2a6db47aa41ef3b56325ece4490706267e51fc483bf8fd49af8ed75244085b8f09163a64a4dbca896863aba9d723b7968d59

C:\Users\Admin\AppData\Local\Temp\TarE26D.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fd2b5a013f1d8c1cd6e5f214d4ce1d7
SHA1 5e2dc65d551425e1e558247189ac2810231020fa
SHA256 7b14122f18852fd1d03c61a4b812cb11076352462fc973d89773649bc9ac27eb
SHA512 cd491ca8f39c13e239bdc3e57cff6ae35953fb5cbcdca54e151e7f4605c564236e75d166b0eb9d56a72ef7f89dbccb7377dd4049f1894bcf1946d04e66a61c6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f4db29ab554f9973cec447802bd8a43
SHA1 f7e69b4622f397002e7b25c5d0fa08c6916aea14
SHA256 d414fd1fb16e2a1cfc61133464afb2d8b2b6319c65c39df80d0e9bbc4f845524
SHA512 fc811bc4a6c783224e4f9cb140261af74e432664570daf8782b30e21e5a08ea0dbae47338b7299818fdc17a0f9373359679e2c7d8eb68a297bc25faec0dd5918

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f8b41e3dfbe3d5ceab5376441e1019b
SHA1 7e5ac46f0886f4a5c116b61711621c16118eac26
SHA256 daab3f13bbbfe365e7639b748fe73e780710a038ce1052a8a0e42760528ad290
SHA512 cb71cefa632609260da98203bb65323a91980b6529103403461a62a7c9c0957a934dc993f0ff133a1886ff208691f0542f9f2d502c36ac65ec8c61cffcd87af9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff46ba843d021e0674a25c7b5d8459ba
SHA1 243c87b2a597ab0c6598d4b90298293a8b7048db
SHA256 5544a25995e6d20519e61ef5550c414affa0495c90e8fe5378f3acf7e25b4b05
SHA512 4b983e2f31b559cae90f220e1319de968e1d31954ff32834b23472150ed8bb46cc22d45ee0dde7c2ef45c5a2eefa59ffff7240ecee1bf6283c0584cdc110b15d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05aa754414e2663361b9bbe445a62970
SHA1 4cd4685458e034ea1f4ef0839e7a16b8ecbda6fe
SHA256 fb00f53fc95ce762cacf20d95a736b9ea0ead11c84814d337b337d746bc919b2
SHA512 0ec169a4d438e869530457db85ef93e8e3f88397dea0931f6a62f685b1024fc260fb58ccf359faa1d1cc09eea5f00d07c6c3f22c602c65c0619454666c6abb90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cfe620d19449be560e57dd11c4f7db0
SHA1 5eee3130de30c8a63a049d208cedbe232bd403c8
SHA256 acaf9048511085740113f2415b63611bb2b40daef1bab29b4c8fc7b095c10bd8
SHA512 3ed22058583512cc54e6da7f0bafc0f91f9caac757b88bc04dbfd9ab6c635b5824467ad82c90c4c4abe927c15ee7e4f12bfe426895e4a53abed7d8b8b56de3bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39f2f416395b265711e3f4ac30ea40ee
SHA1 a97390565c27b24ad4407778d680ae92aeeaf8d9
SHA256 0ebed21fbabfbf085c92ed44bd4671dfe311cfd4ccacc60cbbe0357b3950774a
SHA512 8f50f01302d8c3b3774f173534f86dac32300119f63b501d01ebb7d229a563af318cee1f2eb3377b082008881933841281ea7389e55a2107e208cf52e5d525d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f1548b594454935524dba92de4f9bb5
SHA1 bcdcd29ce4d2aa52aee4cdc44a75995dec89ccb2
SHA256 915a75c95ae75b5b4595df2e12d3763b6cb8a91f003a1fa9fc600dd92d78f700
SHA512 bb7e1c987648218bc962a987dacbf42b28089d88268b828e4bbc0b6d7cd83b6c148323955eac68ecfb804687f66720ff30ace055d6ee169b6e48958a1804d4be

C:\ProgramData\svhost.exe

MD5 b075eb4cf71b6774184891552dfc9ccf
SHA1 80f66dfb79180890efb46df800634dd8e5553987
SHA256 09b0ea505f95446356de28fc0eae805f7f3f548e7a7df522c4a6805c50065663
SHA512 27830f1d0c807e39c2872f274fbc3b486e8d24e83c74de6b75285e9ac32a15b4ebc81d5bc6e2d98ded6e3986d250339218ce2a7e8e3778b0bba30b479e0cbb08

memory/1508-626-0x0000000000090000-0x00000000000A6000-memory.dmp

memory/2200-627-0x00000000010A0000-0x00000000010DA000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp3F61.tmp

MD5 1b942faa8e8b1008a8c3c1004ba57349
SHA1 cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

C:\Users\Admin\AppData\Local\Temp\~DFBD64E82B3F350D8C.TMP

MD5 bb74bdc2633eea5b9bcd626a058aeb2d
SHA1 554f23e9b7eb9f80283bc0f637df1db41b825935
SHA256 44e6f69710cc15bbea4a70b0dbefa51df223567fb7ee4fd5ad03b8eb2db39bb3
SHA512 2eebc67fc99e854c0ea1768b4ff219f21cf25b2f75cfefe8e0486b78052b46050a851292fe1027b2cb2c8e9a08c01f69db09ede3a9c9ceb8d6a6fed80a0984dc

memory/1976-638-0x0000000000E90000-0x0000000000EA6000-memory.dmp
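Added example (not part of the sandbox report): a Python sweep for the ransomware artefacts the Win7 detonation left in the user profile: a file renamed with the .ENC suffix (here a registry transaction log directly under C:\Users\Admin), the note How To Decrypt My Files.html on the Desktop, which the sample then opened in iexplore.exe, and XBackground.bmp in %TEMP%, set as wallpaper through the registry. Because a .ENC suffix alone proves nothing, the sweep measures the byte entropy of each such file to tell encrypted content from a file that was merely renamed. The profile tree it builds, the shortened .ENC filename and the 7.5 bits-per-byte threshold are this example's assumptions.

```python
"""Sweep a user profile for the ransomware artefacts this detonation left:
.ENC-suffixed files, the ransom note and the dropped wallpaper bitmap.
Added example; the constructed profile tree and the entropy threshold are
assumptions, not values taken from the sandbox."""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

ENCRYPTED_SUFFIX = ".enc"
NOTE_NAMES = {"how to decrypt my files.html"}
WALLPAPER_NAMES = {"xbackground.bmp"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit close to 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket the artefacts found under it."""
    found: Dict[str, List[str]] = {"encrypted": [], "renamed_only": [], "notes": [], "wallpaper": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                found["notes"].append(path)
            elif lower in WALLPAPER_NAMES:
                found["wallpaper"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
                # High entropy corroborates encryption; low entropy means the name changed but the bytes did not.
                bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "renamed_only"
                found[bucket].append(path)
    return found


def build_sample_profile(root: str) -> None:
    """Constructed stand-in for C:\\Users\\Admin after detonation (not a real profile)."""
    desktop = os.path.join(root, "Desktop")
    temp = os.path.join(root, "AppData", "Local", "Temp")
    os.makedirs(desktop)
    os.makedirs(temp)
    files = {
        os.path.join(root, "NTUSER.DAT.regtrans-ms.ENC"): os.urandom(4096),  # random bytes stand in for ciphertext
        os.path.join(desktop, "notes.txt.ENC"): b"only the name changed\n" * 100,
        os.path.join(desktop, "How To Decrypt My Files.html"): b"<html>ransom note</html>",
        os.path.join(temp, "XBackground.bmp"): b"BM" + bytes(62),
        os.path.join(desktop, "untouched.docx"): b"PK" + bytes(30),
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, List[str]]:
    """Build the constructed profile in a fresh temp dir and sweep it."""
    root = tempfile.mkdtemp(prefix="profile-")
    build_sample_profile(root)
    return sweep(root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:13} {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run sweep() against a mounted profile or a forensic export. The entropy check reads only the first 64 KiB of each file, which is enough to characterise ciphertext and keeps the sweep cheap on large files; compressed formats such as .docx or .zip also score close to 8, so treat entropy as corroboration for the suffix rather than a standalone verdict.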