xworm | 14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XvcClient.exe
Size

39KB
MD5

8a1f910de42bbdfc2967424952092c93
SHA1

c9eb6e94e8f11e023e524eea898c14e1084568ac
SHA256

14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042
SHA512

6c8b01d99e3a8fb4c1e4d671616abe4e523202aba8873ae2eecd92d4a5020330cdb1635344c846b8e8189fd3ecb15f98a2da907a89ab2d1ead5d14dc3af1689f
SSDEEP

768:vMi7NoXNEbgnMpOMb9anqNiAvHzFN9pPOphISv4:H7NQObjAnqNiAvTFN9pPOpjv4

Score

10^/10

xworm discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

cities-annex.gl.at.ply.gg:28648

Mutex

ZcxxP7wB83cGDNRX

Attributes

Install_directory
%Userprofile%
install_file
msconfig.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3544-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp	family_xworm
behavioral1/files/0x000a000000023b92-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	XvcClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk	XvcClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk	XvcClient.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	msconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\msconfig.exe"	XvcClient.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XvcClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2440	msedge.exe
2440	msedge.exe
3184	identity_helper.exe
3184	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	XvcClient.exe
Token: SeDebugPrivilege	3088	msconfig.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2304	3544	XvcClient.exe	85
PID 3544 wrote to memory of 2304	3544	XvcClient.exe	85
PID 3544 wrote to memory of 2440	3544	XvcClient.exe	97
PID 3544 wrote to memory of 2440	3544	XvcClient.exe	97
PID 2440 wrote to memory of 3032	2440	msedge.exe	98
PID 2440 wrote to memory of 3032	2440	msedge.exe	98
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 4828	2440	msedge.exe	99
PID 2440 wrote to memory of 2104	2440	msedge.exe	100
PID 2440 wrote to memory of 2104	2440	msedge.exe	100
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101
PID 2440 wrote to memory of 4336	2440	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XvcClient.exe
"C:\Users\Admin\AppData\Local\Temp\XvcClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msconfig" /tr "C:\Users\Admin\msconfig.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe036d46f8,0x7ffe036d4708,0x7ffe036d4718
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    3⤵
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:5092
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
    3⤵
    PID:656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14238035899221241531,11817998914707769287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:3732

C:\Users\Admin\msconfig.exe
C:\Users\Admin\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6711cb01ae0dd975953d5de052bc574

SHA1
a070af2ce16d3faf57444c7d5b4f5243bd43f833

SHA256
85d9385feb97aecd0adf11b21e3f9ded3f3baf226aa050b78bf2065f2642e94e

SHA512
5dc22c8f9b6f609d39e873318e141a1f9c0ddd04420cb9cf9d8afb72eca72602e6f84a7530f08e9dea670683d257d18e7693a01a9dff61100e45f4e45d0d2219

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3486363de3e158cbe5e1b9a0abad3fca

SHA1
4a8feb087dc077fe2c4abb8460e4537f44875565

SHA256
36839f9f66ba3e1ed90e14b3ee658efd7fa16e31da8addaad486bc0314c0e597

SHA512
e9475c44912278f1923745754ababa9f8bbef7abd73cd33c5f56d67c9a714867de6886f3944453f2114a58dfdacad2b2299810eba71ef6d30c1dd92e087768f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b89d4c7d38994579f590a06bc5ae2b32

SHA1
411c56f80d20a8f921ead0749bb23049b647597a

SHA256
bfd461906670a5f7bdc42b4673d97a0a831d212cffe29ddf57b72f5f205aa9e6

SHA512
684a7f9db889d8050d2ef2df027444b1ef2f31fff49388e0a73b63b7aecc5900b66c05cb2b1e581218cd8a95720a1debc5673f0c89857cf9aaefdca9e6b16857

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
628B

MD5
83d5c3c641860457c3f3e36699f62d49

SHA1
070fa969f5d4bc2ce00437601ad6fef8a5fdb060

SHA256
618fd96672bd24521ed6abe0a273376b13af2df3ce17bfde8e5bf19489cb7392

SHA512
12f51a326a870fc1c7b96ad2360b050980f9fa3869c2d81d19c695872a9c75442d47d73a26d1e1061f51197a7da21f603b109ad4e6f2f19ab5d63dae949bb1fb

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
5cf7e4e8b879e040c712d3174699516e

SHA1
2b71b1909f32ece45b1ba55cde5d62d9739fd64c

SHA256
068793f821868d5a010b77eff6ce226528bc3f76379beb83cdd941e9b14271dd

SHA512
abda005ec559cfbc13577aac8253a3e9f4940c636ca4916c3d2ee4be5e4b3f924523e50c0dbfc856f51ae2a91b1cff3cf59c5d4b3bfda5f2ad8545291c1bc08c

Download Submit
C:\Users\Admin\msconfig.exe

Filesize
39KB

MD5
8a1f910de42bbdfc2967424952092c93

SHA1
c9eb6e94e8f11e023e524eea898c14e1084568ac

SHA256
14e1b5a22e7e68cfd1908bc0b7c6c7db1889c9109967bdd8fc06cd01ad3da042

SHA512
6c8b01d99e3a8fb4c1e4d671616abe4e523202aba8873ae2eecd92d4a5020330cdb1635344c846b8e8189fd3ecb15f98a2da907a89ab2d1ead5d14dc3af1689f

Download Submit
memory/3088-11-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3088-13-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-8-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-15-0x0000000001700000-0x000000000170C000-memory.dmp

Filesize
48KB

Download
memory/3544-0-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/3544-7-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/3544-6-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-1-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download