xworm | 56fdcda181b91eff9f4d42e07decd69028890447301dd07e871e1bf320b24c31

Analysis

max time kernel
124s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

59KB
MD5

959192f310b70b735c760587e82cb8ab
SHA1

7841a747d5797ed18bd6c3157e899ba22a374101
SHA256

56fdcda181b91eff9f4d42e07decd69028890447301dd07e871e1bf320b24c31
SHA512

1e20e872a1c9beaaf242c4525623388e4c0ed8961ae806044be33e74278d448ab8a95acd9da68592e079a71e07db7183cf0327fa20618694c017e3100522253d
SSDEEP

768:IyZLhJJzcdVrrnZTptA1STNvdBgWYd/bMOV/Qiaj3Y4wp6jYOFThfZ+S0:IyZLfZGrV4STT7sbpV/w3w60O1jP0

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

board-tigers.gl.at.ply.gg:17833

Attributes

Install_directory
%AppData%
install_file
keyauth.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000001230000-0x0000000001246000-memory.dmp	family_xworm
behavioral1/files/0x000a000000015d2e-36.dat	family_xworm
behavioral1/memory/1344-38-0x0000000000CE0000-0x0000000000CF6000-memory.dmp	family_xworm
behavioral1/memory/1448-650-0x0000000001030000-0x0000000001046000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
2732	powershell.exe
2892	powershell.exe
2596	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\keyauth.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	keyauth.exe
1448	keyauth.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\keyauth = "C:\\Users\\Admin\\AppData\\Roaming\\keyauth.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201f6960d26adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e74bd4b8e9b4942815aae9f5c74cf0900000000020000000000106600000001000020000000e34057541ca3b7afe637e44f2a65e886d59df3464b9f9d5040f0d34afbb003b7000000000e8000000002000020000000338cd877dea738a76b69e3b0ce67f0ba6b735be2c524c12fabb0f02b0d5565ff20000000c8b8397c2575ae77c243639ca566e4369a196a4040147668d00fbdda07b2060b40000000f1576e2f4d4f8a0f57dc6fe8f8acda546d94b01616813d2c496025742d20e485160bc1aea47a9611a486d9505eb7246c6aff9bad93a98e2e4aaacd1c930b4c22	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e74bd4b8e9b4942815aae9f5c74cf09000000000200000000001066000000010000200000006a8a5caa050b2656553f2703eeb9222108f2c89ee5cbd92732ce27d16736d354000000000e800000000200002000000084d536efc310817b06833d392010bc63ccb66bdb992e123572b1db79921d2e77900000005f3f9b09fa1397e975ef4e7650b3e6e6594115846b4dd2915303d07a7aa65bd266ea41ff676a20bcc613522494e095061e9dfcb0775959ac5deedf63395e48d0b7a94b4123e47bb021bbdb422fa7750ab0effce651c061f15e00616f83ee143e43325757714741dc6102c70f0f479a73d1bde74b65460e658c9a3fde699acf322cceba72e74fdaf246b4a20147b67c81400000005d4a14b07fad6a78b90b2ce036f94742588b01d6b3868f5d1630f8bd9b6237f755b7fd36d62e5f6bcef76db1a987ff2a5fc538a390edbfa8472109be500cc0c8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443494810"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BEA7311-D6C5-11EF-A0C3-D60C98DC526F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2016	powershell.exe
2732	powershell.exe
2892	powershell.exe
2596	powershell.exe
2504	XClient.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	XClient.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2504	XClient.exe
Token: SeDebugPrivilege	1344	keyauth.exe
Token: SeDebugPrivilege	1448	keyauth.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2348	iexplore.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2504	XClient.exe
2348	iexplore.exe
2348	iexplore.exe
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2016	2504	XClient.exe	32
PID 2504 wrote to memory of 2016	2504	XClient.exe	32
PID 2504 wrote to memory of 2016	2504	XClient.exe	32
PID 2504 wrote to memory of 2732	2504	XClient.exe	34
PID 2504 wrote to memory of 2732	2504	XClient.exe	34
PID 2504 wrote to memory of 2732	2504	XClient.exe	34
PID 2504 wrote to memory of 2892	2504	XClient.exe	36
PID 2504 wrote to memory of 2892	2504	XClient.exe	36
PID 2504 wrote to memory of 2892	2504	XClient.exe	36
PID 2504 wrote to memory of 2596	2504	XClient.exe	38
PID 2504 wrote to memory of 2596	2504	XClient.exe	38
PID 2504 wrote to memory of 2596	2504	XClient.exe	38
PID 2504 wrote to memory of 2420	2504	XClient.exe	40
PID 2504 wrote to memory of 2420	2504	XClient.exe	40
PID 2504 wrote to memory of 2420	2504	XClient.exe	40
PID 828 wrote to memory of 1344	828	taskeng.exe	43
PID 828 wrote to memory of 1344	828	taskeng.exe	43
PID 828 wrote to memory of 1344	828	taskeng.exe	43
PID 2504 wrote to memory of 2348	2504	XClient.exe	44
PID 2504 wrote to memory of 2348	2504	XClient.exe	44
PID 2504 wrote to memory of 2348	2504	XClient.exe	44
PID 2348 wrote to memory of 2148	2348	iexplore.exe	45
PID 2348 wrote to memory of 2148	2348	iexplore.exe	45
PID 2348 wrote to memory of 2148	2348	iexplore.exe	45
PID 2348 wrote to memory of 2148	2348	iexplore.exe	45
PID 828 wrote to memory of 1448	828	taskeng.exe	48
PID 828 wrote to memory of 1448	828	taskeng.exe	48
PID 828 wrote to memory of 1448	828	taskeng.exe	48
PID 2676 wrote to memory of 2432	2676	chrome.exe	50
PID 2676 wrote to memory of 2432	2676	chrome.exe	50
PID 2676 wrote to memory of 2432	2676	chrome.exe	50
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52
PID 2676 wrote to memory of 2748	2676	chrome.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\keyauth.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'keyauth.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "keyauth" /tr "C:\Users\Admin\AppData\Roaming\keyauth.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2420
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\jjzreq.exe
  "C:\Users\Admin\AppData\Local\Temp\jjzreq.exe"
  2⤵
  PID:1396

C:\Windows\system32\taskeng.exe
taskeng.exe {C3CE3CF9-CDF0-487B-9142-CF16F9A75581} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Users\Admin\AppData\Roaming\keyauth.exe
  C:\Users\Admin\AppData\Roaming\keyauth.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7099758,0x7fef7099768,0x7fef7099778
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:2
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2120 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2156 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:2
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3208 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:1
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 --field-trial-handle=992,i,958852963237666660,3349102830401632080,131072 /prefetch:8
  2⤵
  PID:1644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575dbb7358d26fa601ad58252ecd9dab

SHA1
2819effad073e34c737cdb25e70506e0e30fb671

SHA256
140c8ebf464db2a6fe37f24a70db0c5697514cfe1c02646bf006709774b4129f

SHA512
56f1d572d5b809ce7addb55c616a1846d588b4639a621035defd54c1ec79c2dc809ce56431561c99a717283dda630af9d8a45edd0148b0fe8ebe00e544f7af2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b73f88968d23e9e0b059ee827ffda373

SHA1
622e3c586866493dc93a50d9cb0f2796a26fb5af

SHA256
3c1d91f885dd2cd08d6ed7eb72ce5aa95b809bcf13a813979ec7db40f1723fd3

SHA512
c30de9e49711f1b7f336f1a2b7a13d3b05897dd61ed126eb2df280e73a9093dd0bd3284e7edb54bb49eeaabf6cb752d84fa4767d352b3ae17a6ee7cfa9d4e091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0fbd499c459f69360a9f74644f4a0a4

SHA1
a48fa2141387060ea314397f5cb4fc4d5a3d496c

SHA256
925c08ba7cf63f415cd4ca61e9935789e6a4642c21dda3406710fa784e63f78c

SHA512
746e5186a945f2fed5a07162c9ed8f3ea5530269c18dd69f5cb8528c66b5376705e6745d27f8814cfb38f9f14b2b07fd2908217deba3053d0fc4e2d1868d9124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9296325abedc008889302432f96eaf1f

SHA1
f47800e046e49a99ed3f7fe817758e84437b363c

SHA256
1f63694ed32f5ad7891c49d845730aa4253e7360ac52f76d13da24acd5f28987

SHA512
487c55be6a89df8697feec9caf15d692da81f87eb800e88eaa2c88d37a3d00b999b8276d6a8de09d0fe0acfaadc38a9658ae720788b71225c08968c561eba179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
239d1a12661a9217e4b1b245d1e1c1b7

SHA1
c3c2e6eaa91598b26de32ac59ef6b18425d65e12

SHA256
aa7afa479493ff76cd17f40b04c3fdd4c01bf3b7f0c0a865759de4c5c7e8efc1

SHA512
a7bf8a842b5a05b18689ca37080625bce468b9f6f2f0fc6701ef89679db2d90618d5be22448ad547b27b404d41837cbcb0655952e17e0244cad2378fad038516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b4a9f3ab5c83b3089f02fafb8f058f

SHA1
4f4c104e9274c681a1e6a933bff13cb5498b693a

SHA256
7817548f9dac8faff73d031aadd82ca268f43c1c13284f0a2a40ec6e2bcfbcb5

SHA512
7d2717d2cda16257cdc67927c22e75178509e60b27b7cd62545df8d3c4ce518f373717e26de0e7828186aaa712a6fff11ca0a13298e50188011dac762c986694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a06273d46a23daad8fd17d9b6b40178

SHA1
99571bdd7665a241f77128ccce4f50d06c6e5a17

SHA256
123318c51d313ec99aafbe17bc3be1d302d433df1ba8d686602aafd147702861

SHA512
89cfe0e0f6eb9d2fecadbc7e252ab1d5f5d2bd33de347655c1db4ef1c8a74466dc4e9e679824b9d50c3e427e60a56698919532e3834e03e8fefec8458367ab6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96136cd9bfa1e7e75bf5abfc9c650c97

SHA1
2ce6971120d3274af500c12990643a3dfe7e17cb

SHA256
3e367b01eb9a650ed2fa328b7b1d0a84a11e1959dfb156c67c663ddae0cddf65

SHA512
a9179a73ca57cb0091549127410a65e33b8d969037442ca6cc9df2a712ae3d0f10bed746163aff7aec1c013fbfc1d905c82389fc19cba2572a6ba7927a5abfb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a902271b02f5e8d958bd8740e169bb22

SHA1
cbcbcc67e22f640c74a7e79b6d2635e8de3ddeb1

SHA256
37e5565f68b535cdf9087327b4d27d93d94ad73774e4b470951070acf2ebced1

SHA512
a314f248e49d802fbfb3e21b8e4752779159e3856cde6ad4df4f5808d24c1218c65fb3c936b1c437f7fc0f4813a83db78cf96e3f641f22d939834bdc19d97e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0840497468445979719d5fa856273cf9

SHA1
a49ac24231c3b201c80a070238e2a9dc8be90d3d

SHA256
502d6a75b35d578de2fe26bcd252532fa94825b4911399bfd14d701ffffb43bc

SHA512
b1bb4d814ced9aac4fdb3eda1dca03d6067d60366c61acf5d66ccf591d1de426e14fce2f97cd2c8f6ad2a5eb79e118a4265ae2520b791e9360c873411284cf42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35ba1705c28737b9f29be3e9ed3b4205

SHA1
dfa8a9bb50812b65e4d79ac1064c0600fc9bd68d

SHA256
20a4ac493344795e27830e66a4ae5e07211d509d201b79d02011fa574c60acc1

SHA512
1c8db6655e9844ad1afbe12fbdaaefa8f541c9cae8ea69bb919615f3c6a15b6034a0b01a56615c2ab8eb67fc550f29aa3e171cfc2901426583a6c8d62a38d285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcc2f36e70a569a18430182c468ddcac

SHA1
231c626c5a612805505b36752ebcafa3b86e1545

SHA256
e87d596e841e0fea8598e3edef75befd9fe481e520279aca2879a1dd549b552f

SHA512
b2cd3dadff1b9c510a44834e9bdae75c2340314f7cdfae414c5321d766c19799f21772dc0a7ef413c634f32a1607af46ae5b68fd6e7180143585785bf46cc651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
203c51d6d88b0809c763421a344207b0

SHA1
54c3654790885c8d5bf72b47ed952bcb1533f0fa

SHA256
e8369c52b7a4b32bf6bee68d2965c1a36669ba660375b02bef2c19c5c9cbdc90

SHA512
c681495d14e872b9633ed43a98261751cda52be1558a9d0a1faf1f5f5095c56150683b3ac657903cbc3bbe8328a5bad1c623c26a845dd6469253db74774e6148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c85bcd25745dfd4233de580fd69dfed2

SHA1
b643b4b7f6b73869b6de5100924919e134b78014

SHA256
21c4b9d2c104b20a6b9f41415e0520837b8dc9224001a2d92e52f426abde08b7

SHA512
7c57336149d06cb79b9d21c43f95008a523b14bfe5dc54becdfa3770eab1fabe490598b8c58e26f2c2e4c60873d8f04594efb31fc6e5fdb47e767afdd30eeb22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
088ddb8f78047bc0dc99b63121d9abdc

SHA1
739f990f3453dd0e90c2ea5376d87614860e6c40

SHA256
c5b01b0134dc01cc37bffa203c2617f0c5a2cc85c5f650072998a4f0a9c32486

SHA512
90f8bad6f2ab909a9a2fc8235a1d2c2c0a42f56715c2708ae0975a6920793af9ed9a51b10d23f6348980c5f2fd9cc3670851287f22aa66bc8730ddd73e908683

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cfa287131f4a73f643bedf8fa7db631

SHA1
b523a00aae166d68891ec5e22e7d9dcfad4fd656

SHA256
0963977cd7b5ad0c3d6c10364c23115bf24f8561e07b6705e1719b74ebacf8b2

SHA512
8c753eab3ab4ccd43f585d63b1492bc44fabcdf86dc41499e5dc174c9573d8d90e9079cc90d27339ea482d16dd429a64d22585446420657769b7e5847c3e3430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80ce5e06e680079e668422ac541f4747

SHA1
9de4f3095f50530837c94abf028ed4ef817024be

SHA256
7d4d0859caabda7b4ea970da5ff9f0aee31a93baf3fc03c80e741346fc68bad0

SHA512
1ba2c1a79557dd6ceb9723e0166210fa19d8147e1a78659ad2a047e43ae137c6ebffc74178c603de477b934cf3c5dfebbcfe0eb66e5fad952d6a0a8d8b52116a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a21360108d5470e0ac7be92d957545a

SHA1
186d01199b10bb2988f4a4c09037796954c3f8b2

SHA256
9a56ceb4abf083a1f3c5b16ff86453b2da35273aea33159c56165a3ac54b2914

SHA512
b5488bf08329571c672d7e7cfb97454539991594627c1a4aaf563e2a2fcc7c5970985c8d9c073e841559883ded0fe046864cae10cf7ddd6b28e985401d39c65d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10568f82d49e95996a4adb23fa1536f2

SHA1
c09f4b9bf3d76fd64a0ac1f191fc53a7bc626438

SHA256
d495bba3d9a242f9f3ed527a3ab1536ae6ff9e3c6ed71b99cc09cec7ba01897f

SHA512
caf96d9f525bb094e57441e2b505e207ed146d9b6316a84f15fd96a5bd49bced83d92ce85569c1db6b3ad4c5e163cca7c6a42532e635816005ebc8e038d6fc96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8A87.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8B26.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjzreq.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ddea1f4f510b5b53e87a9141ad18ad86

SHA1
053733d48d3c29e94df01ac6072a55fa4dbf309f

SHA256
cc19510877b36a7ba8c0d38efe5629ccaedd62db9cd0668e9ae9b5a4208185f8

SHA512
61d84e3101b1158d0d9252481e2de7f1dbc81912631b11b484d54072b14e9b4e1981ba5a4eb591bfe78f7f7bbd5b80e96a23f03e903d26f25574b29abcb9b7b2

Download Submit
C:\Users\Admin\AppData\Roaming\keyauth.exe

Filesize
59KB

MD5
959192f310b70b735c760587e82cb8ab

SHA1
7841a747d5797ed18bd6c3157e899ba22a374101

SHA256
56fdcda181b91eff9f4d42e07decd69028890447301dd07e871e1bf320b24c31

SHA512
1e20e872a1c9beaaf242c4525623388e4c0ed8961ae806044be33e74278d448ab8a95acd9da68592e079a71e07db7183cf0327fa20618694c017e3100522253d

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\Documents\CloseDismount.xlsx.ENC

Filesize
12KB

MD5
b5cb29a1e5391d0b78d1c5e24d95dbc4

SHA1
8ee7fbca3eb5c18cd6625cb756fd4712347e590e

SHA256
a5d1c07a25dcec82b242d6238fead28425f8471214553d12bdd1d6599ce2c35a

SHA512
75868c2470df9d3c64f7aef23f96e0167ec5dcad795aa022b7667166e66ad9150a7000570250e16921796aaa536f6e5bb7930e6aa306d82ba22882a5665caaf2

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
cad1adf0e9ac262aa4e9671ec3d6b515

SHA1
c00e04d62fbf07b877639de9d61980ea23a145eb

SHA256
f8e0acc5fecb4fb62c5e667a06772744d731b488164abc7c34fb1cf0c9349aa6

SHA512
eef60ed18c16ba2a14767fa5bf45be9b739f10cd28075cc44fae79b807b23ed043b16119d38215c7b0bac01a4c068c3b3936e28d0e0a144b18ffce6336a10ced

Download Submit
memory/1344-38-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/1448-650-0x0000000001030000-0x0000000001046000-memory.dmp

Filesize
88KB

Download
memory/2016-7-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2016-8-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2016-9-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2504-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2504-28-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2504-34-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-39-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/2504-1-0x0000000001230000-0x0000000001246000-memory.dmp

Filesize
88KB

Download
memory/2732-16-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2732-15-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download