xworm | aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939

Resubmissions

21-01-2025 19:47

250121-yh2aqsyka1 10

21-01-2025 18:24

250121-w14gpswnbt 10

Analysis

max time kernel
78s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

popi.exe
Size

79KB
MD5

810d912112f579781879ada392b70a53
SHA1

247bc212d2d44184bae484049765240ac9fa5c32
SHA256

aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939
SHA512

30fb6d77563a3a0d6b94a9ea9fc2f67c6dda3dc3ac2afd4e968ec998f2eabd1797d751fdac491a979e68301efc633c47fb2668a8abd0c5f0dcff6d12ed8ead0e
SSDEEP

1536:N/SpZjwaZD0YqEnwqaDrMk+bXxNEPZSBVGGmMRZOf4miljMt8xwR2:CEYqEwjrv+bB8DMRZOf4m8M+a2

Score

10^/10

xworm discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

daily-sexually.gl.at.ply.gg:25670

Attributes

Install_directory
%AppData%
install_file
Update.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2412-1-0x00000000008F0000-0x000000000090A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	popi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	popi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	popi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	popi.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff72ffffff18010000f80300007d030000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c02539d9316cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052baf68a1ae8304eae9659278491393800000000020000000000106600000001000020000000769e41df5a341f8c80394cf42f0955f96db746a4fc8ce1cc13e38091163282d0000000000e80000000020000200000002ac3239e6575f975f7f25565d64632e6fa75146068a8e0b0addf0212eaab14ba9000000062923da71f5234c5202c708f67987e7f431c0fec2113bfa7e2e86641f1fbb15d3efe5f577f7a66ddff981c6b1d176e4ae1dba0fcaf6cb007d929d362c2810ce31473073f9d63fad29fb830fabddab217c691bb9fd1811b942956cfec956707db12442cf729e7ef3aa9c1f7db13c024e8576fb9dd77c351618b60dec13a5707b110981e9045efb14acf0a1c379f3b01ab40000000d942fd1ed779414f6bdc875766b30be99be799b4f771a464ad0df5c57411c6e3b7348f8276fb384855ad98d8dc6b1e3f7c64383c68c81aa0f0edf3934940bc37	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04AED921-D825-11EF-9DE0-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052baf68a1ae8304eae96592784913938000000000200000000001066000000010000200000002d362f0c8d1bafcb7878f5f5f7f6e7b7dab9c295dc43cc06e4e49d7824857508000000000e80000000020000200000009b09dbda45547cd1b824fb846b006a12dfced8bda7e046cbc2dfe6fe6fdce17b20000000bdc7715f0c260db4fa7d0c779cae43b917d8153de2d53c64844294d5fa2cf5be40000000ca021157db6fdeedf77a65a54405adc07f4472a6241c563e6fc6af56d5565b614f34595ef537f06562580f8142e057f0f7b32505968dd894f8aa0cba7332d628	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2412	popi.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	popi.exe
Token: SeDebugPrivilege	2412	popi.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe
Token: SeShutdownPrivilege	2476	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2676	iexplore.exe
2676	iexplore.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe
2476	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2412	popi.exe
2676	iexplore.exe
2676	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2676	2412	popi.exe	33
PID 2412 wrote to memory of 2676	2412	popi.exe	33
PID 2412 wrote to memory of 2676	2412	popi.exe	33
PID 2676 wrote to memory of 2712	2676	iexplore.exe	34
PID 2676 wrote to memory of 2712	2676	iexplore.exe	34
PID 2676 wrote to memory of 2712	2676	iexplore.exe	34
PID 2676 wrote to memory of 2712	2676	iexplore.exe	34
PID 2476 wrote to memory of 568	2476	chrome.exe	39
PID 2476 wrote to memory of 568	2476	chrome.exe	39
PID 2476 wrote to memory of 568	2476	chrome.exe	39
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 2668	2476	chrome.exe	40
PID 2476 wrote to memory of 1836	2476	chrome.exe	41
PID 2476 wrote to memory of 1836	2476	chrome.exe	41
PID 2476 wrote to memory of 1836	2476	chrome.exe	41
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42
PID 2476 wrote to memory of 2916	2476	chrome.exe	42

C:\Users\Admin\AppData\Local\Temp\popi.exe
"C:\Users\Admin\AppData\Local\Temp\popi.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2712

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TestRead.mpv2.ENC
1⤵
- Modifies registry class
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1089758,0x7fef1089768,0x7fef1089778
  2⤵
  PID:568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:2
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1856 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3424 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3540 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1284,i,7826545022721107320,13349661567310914692,131072 /prefetch:8
  2⤵
  PID:960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b14f03b4731aaf58a531ad09d804c8af

SHA1
4f20345c833f51e011b04d570b3cd3c19200d980

SHA256
43a0594797ebaba5b316a278c238521750eb6e79a6bbe115a8c940ee6111d921

SHA512
7279f3e5c92ab1552621a7be1ed52012fc3889828215c79cb1cdb5911c59249a61b2fd599d807ae787d035c80391e228ec0f20d9de8e6eeb829be9d1951da86b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9ca9ffb657ba99f7a438ecc37a61b1f

SHA1
d9cb535526a31eceb78f150ddd7e5da03aeffebf

SHA256
dcb563b23030a1432a4c403fad44db36f475f892c8ac6475bb5a8dc7f55f4aa3

SHA512
b6d1e573c65b61c1eb1d5755b7b2a806d487536b836ae83bfe38892feb500604b6013e1b924f7159de8f63ec55ffc0b49f9f60b47c893256d766d9f070980375

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c1ce9ba8fcf1006acca7fefed5885ac

SHA1
a7760e075c937087f6bc766e85aa61089a2819a1

SHA256
a838c82348ef6406d85ddac59477005f9a31b9d9e2ec1cd5f8413bf138ef0ad2

SHA512
2023ee6410fdb9b60040f834f526a78b215eb35fe6843c482f474a1d85f099cddb0e43236d9131db54ae166b16fca2c8d24e96ac8444619ce627505867953701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a4b44d31a6204ea4badfebcbe55b446

SHA1
45a93a046dee0840109526b7ebe64896312e7db0

SHA256
dd39b4c09f8076cffbd1845995709de73bbc78cd3193ccd5d5e2f03c07054bee

SHA512
7b934e7132bb6f16ae175674440bb88b6a067ec61a150db43ac92d6acbfac7348b10da0c30f586a05a536c7723def3e595e34d1c74ef40ebceb476f744781311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74247ac4112fa19ad065ffb08635602e

SHA1
6a5a0dd99302dc47a4b94e5fc2eccd5b7094e65e

SHA256
7ada3943f44e71616f96dd8dea0e65d227f7676fd6553b3d99748b527403f4ef

SHA512
30d6f0bad603f8700e0cee541441cef3a471bd7a570b17ade5d020b27c45ddb59f485730e0ff5e6adda9cead0bc081332998ab24efde8a223ff0986fd8e962f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335f4b8043bf7827993dfe5825414705

SHA1
6381eb8d6f7a0b7b2d85370ec93cd7fbe4baafe6

SHA256
5f30b2f54f2c88e47624ce27c70931a60653d6aa21fb45930ec021cffe19853f

SHA512
54fddbf39130dcd5c7f0e715ad2b4c3eb5669ab4f8eeff3a6c06775926a1fa55e33f0f3d7aabd081d7a31483386716b582b4891bfa1287f2b53c65a665cf3399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72efda5f160b745b34b41860b357519d

SHA1
965ccfcd05361cfc30673583d77a63a725fea1c0

SHA256
5d8a48cbc2761a6e3fddd83d95ddb30fcb8e24944c5b378c487d62d10bf0dba2

SHA512
c9f67ee69851644bf4e47d0b88f60ee863e12df934bc81e9a8eca39762d733599c461b7bf5845a8a01e36123fec575398bc91da9e0f18b751c87a6e3ae3f87c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
908eb728156610cef5f567d85258265b

SHA1
07e7bfef37c52a23d099fde8b5970c9d3900cb59

SHA256
43fa1a1be5cc40fe4c842d072094ed84ad40cc6fe625a853c7ceb6b251a7b782

SHA512
58a8b316b4a48fb52fe33dc7da9fd6fbe52359bc129934c7775eb0c47c5dbdb0079757f49d0d9bdd229d0806cefb5701eeaba1d599a081a8d6d96b96c374463e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6fdedee916c65ba7f8917e19c6f467c

SHA1
efbada655c9e59273860ab34ff70d7468bcdf696

SHA256
e9eb9cac927641f00bf3fa423665653c7b1fbfd742c4f2f536bbaa87163b5eed

SHA512
a0a0c6f116c593602cb1af44afd78ed6213c0cf57a47124de10b4440094eb0dc75d5b4f8b38561206d8e209422a324cc05daa04ad747e726c28712d2c503ff3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c8ee7754e088742f34645bd29cb6f13

SHA1
c8962166aed71d4f0638d3f69d940017ce2b61b3

SHA256
49ffc3dcd3b10ebff1e3582fd624259ba91cf1525e2038d9456ad931fea1fad6

SHA512
93e72916722f92ef6f84149b95e798ffca5b4a0320f4db382cddb4282987c5507aaab739a8369d0ffbbc37c514b179da7351c94366efc8f370df086b414b5eb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691fde4706792a453cda0db7669375fa

SHA1
f066c513a716b4c7fdba8f21018332a4d552a705

SHA256
4c66d4b44a70296372622d09edb968e44d2eb789995cd14002740a58410e330b

SHA512
42c8827b7a16619060cdbe65f309fe969fe3c8858b288d0b198e8f26f60f0ad526728a4d096dc17a028c60bb9524a150e4622a11a27f14beef516da32422170a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e274ee667c5dcfc0e2bfc0b4fcc5dc69

SHA1
d45f7e89cbe5da9322a7e27f3541d56e0574d518

SHA256
5cfaf44ebfbf5b0b755235706e23e79c57e13078871fdf8106eb4e4728ef3bfd

SHA512
0f290bc94c802b67604406512cf48a1425826bbf8d4b5d8d68477d76b4d7e26e8b0a08f37599f7686938dde493a332a7be7fa46b320346a5fc4beb4895f6cf28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5931fb8baa765b13b88841a218c1f8b4

SHA1
4afd36d33cf51cdfdac2eea045e84a477002d582

SHA256
464607c211da10143a5664c1445b14ca253f8fd9597f9a24387525b8efbccedf

SHA512
b5996bfc19d2d1b1b9a7f8f1bf09c2a781cd488aa412eb8fc7bdf11857ceeea9fbc705e415fba35361274b76d87a3e81879b458f1847a5850cb08064fa8a483d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
530c3bd04a63ed38fae8aa5ecbef7989

SHA1
97abd708381a360877390ea96d7412853898cebf

SHA256
185e628634334773dd8a2ece8b3007404cd4899e7ec3ed96a163dcaad429c5ac

SHA512
27e9649db683572e00764ce147e7ea259a24e788325eca63508f5035ed991ff975d5c0a0d48d2fe0b96234f27d0347591540279297b4c26ff03ebc83ac96ddd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af58dcf7ded47655e860a31aade9a4de

SHA1
646ef75f17f8d02f180e9d67f2cecf5dac7efda4

SHA256
fb39fa0760782b78b121f15ea7cab1591a3e180c80849ba09c79a5f0043260f8

SHA512
8c27f2c49626eeb8cf024df6f1ade1658570a8e83b0243b51a642de411b23dad617a5996e810d61604476c1ea2ef66217313f4a8254648ad071ad38805511b5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd37e412e819dc0a50eb9b74aaad5b42

SHA1
58057ac54334c8554d6a7d829131e619372100de

SHA256
3af02cab03ae94a43ebdf0f11997007948292b3c733b420efa3fec72b2df0ee1

SHA512
71905ae187223f3d883aee9d0a29f50a1566be34fdca5f244f0454f45ae409414b92aa4d82bfc37148621287abfc98db23031cb4c5cab0cc3b26eb428e4d0582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9cca020862e2f90815f5a431536feb8

SHA1
3c0bdf7584fc2fd5492ea90937931f00b8102f92

SHA256
08c97cde951ab6f1edc73b6ddee729812ed9c08576b9980569a06e33b7d059fd

SHA512
19c29aa9098a605399fb144678ea4090a0b81aec109bd92822f9e77be7c1dddb0d186978d938275026cb5f879a3750f795fa923cd34bea5125ff8ddf0ea073af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a92bf18360702441b282b9f7ad57094

SHA1
b08fcd6cd6a3a86bab6156a7cb70e666acbad095

SHA256
9ae1c8df94afb73c17ca6eb7d2d39d68760cd153cbcd07f4d496669f6bca649f

SHA512
f7f1b4221fd69c56e87323124a0f8058c6c7792ac7c8ea9908dcf6193e131485b556cf2c105ebfff93d14c6916fcaefd6b99b18322b27676209951974209823c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
151442d232a96c0d56d0ca56705d736c

SHA1
f211a565620efc6eb852180d45013a047845de56

SHA256
fdc3d1ff88fbdbb4d061390b64b968afd08c95a95b829ffff09373b022e21bdd

SHA512
b44822a2cdcd9f0681f367bddbe5a86b8aed5633f8cd4a24a0185f6acc586e1247d4e5e3f1175a4131dcc3301813d31680791d4435906daa54e40d63ac52abc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a6bc6908ec790def1295a3064e774263

SHA1
51969d2948f5ac0a2976307c9b8d4d3c405ed266

SHA256
5357e6c49b92f1cda4a4da0d88712cd18b30e4bb78451dbcc73c7faf071f43de

SHA512
3f372d3201d6d65d1bd7ba264195b428a8be6b2d1bd413ffc64e6a2fe1dd65ec72c13de9aab3d874b3bf11217eb7e0446c8505b767226e953b834699ca165955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
46e07f1ceb41f1ff12c89c3ad52ed7fd

SHA1
ec6ca2e51fa4399ff12f1858ffb26e80fefb397c

SHA256
92e00e073a4bde94d2e32d88bf4fc3ed115e0b79a38f29ea3a7dba55c26f6c2c

SHA512
a12fb9d7bf23ebe57db50a8b06ae095e7bcf19e23dd1fc9baada35e5e688d4fa355f67d2f12b05604592019f2f58adcf236c657ace1721618f81f9ed68fb445e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6D66.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6DD7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
6094b4a9dcff92f1341247ac2341d0c8

SHA1
a40cbb49658f52c2726c1c43302852973ced0935

SHA256
1dfb744ff65973e23192bfa9cb2258c10341b87362e4309a642c37d61635ee40

SHA512
a9bba94a0a9ff89277f34179fc74895ded154e6db1c2fe14896a92178009d974545cc0ed63cafb9a4c4a861cc0dd90b3f6775847caae31465d9cb1b976ca7c59

Download Submit
memory/2412-191-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-0-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/2412-797-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-632-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-10-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2412-9-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2412-8-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-7-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/2412-6-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-1-0x00000000008F0000-0x000000000090A000-memory.dmp

Filesize
104KB

Download