xworm | 9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape.exe
Size

8.4MB
MD5

8afb546a821068f344d5e5481d57fd6a
SHA1

907c78ae51a9bef3612538c1205cb1458b591df6
SHA256

9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03
SHA512

2c4123ada410cfb647f4e32039216e14f06ebdec910471ce9d9ae674191dbc96f915f0c8798672ba640d4a3ce9d176a5139f479c96d4bcde59dea9317a17438e
SSDEEP

196608:8okYHMUWsVqYGAwEFD8bJrxv8pL6x/rFdiX4virXL:KYHRWsVsAwEGbJrxIG1v84vir7

Score

10^/10

xworm evasion persistence ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/4dSAsSm4

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122c9-7.dat	family_xworm
behavioral1/memory/2876-10-0x0000000001210000-0x0000000001228000-memory.dmp	family_xworm
behavioral1/files/0x00060000000161e2-54.dat	family_xworm
behavioral1/memory/2604-56-0x0000000000B50000-0x0000000000B66000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\Sub\\Client.exe"	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchosl.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe

Executes dropped EXE 22 IoCs

pid	Process
2876	sv_host.exe
1860	svchost.exe
2896	Built.exe
2652	Installer.exe
2604	ms_host.exe
2524	Built.exe
1196	Process not Found
2088	svchosl.exe
1760	svchosl.exe
840	svchosl.exe
1512	svchosl.exe
2868	svhost
1620	svchosl.exe
2068	svchosl.exe
2404	svchosl.exe
2296	svchosl.exe
1740	svchosl.exe
1664	svchosl.exe
1456	svhost
1228	svchosl.exe
2320	svchosl.exe
2632	svchosl.exe

Loads dropped DLL 7 IoCs

pid	Process
2512	Vape.exe
2896	Built.exe
2524	Built.exe
1196	Process not Found
2652	Installer.exe
2088	svchosl.exe
2088	svchosl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015d92-58.dat	upx
behavioral1/memory/2524-61-0x000007FEF2550000-0x000007FEF2B39000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsoftsoftware_sv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoftsoftware_sv.exe"	ms_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost"	sv_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
21	discord.com
22	discord.com
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	icanhazip.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchosl.exe
File opened for modification	C:\autorun.inf	svchosl.exe
File created	D:\autorun.inf	svchosl.exe
File created	F:\autorun.inf	svchosl.exe
File opened for modification	F:\autorun.inf	svchosl.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\gays.jpg"	sv_host.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2412	schtasks.exe
2376	schtasks.exe
1636	schtasks.exe
1736	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1684	timeout.exe
2632	timeout.exe
1244	timeout.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchosl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchosl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	svchosl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	svchosl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchosl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchosl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	Vape.exe
2512	Vape.exe
1884	powershell.exe
1976	powershell.exe
1800	powershell.exe
2592	powershell.exe
2652	Installer.exe
1560	powershell.exe
2652	Installer.exe
2652	Installer.exe
2652	Installer.exe
2652	Installer.exe
2652	Installer.exe
2652	Installer.exe
1780	powershell.exe
2448	powershell.exe
2516	powershell.exe
2088	svchosl.exe
2088	svchosl.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe
1860	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	Vape.exe
Token: SeDebugPrivilege	2876	sv_host.exe
Token: SeDebugPrivilege	1860	svchost.exe
Token: SeDebugPrivilege	2604	ms_host.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2652	Installer.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2088	svchosl.exe
Token: SeDebugPrivilege	2876	sv_host.exe
Token: SeDebugPrivilege	2604	ms_host.exe
Token: SeDebugPrivilege	2868	svhost
Token: SeDebugPrivilege	1456	svhost

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2876	2512	Vape.exe	28
PID 2512 wrote to memory of 2876	2512	Vape.exe	28
PID 2512 wrote to memory of 2876	2512	Vape.exe	28
PID 2512 wrote to memory of 1860	2512	Vape.exe	29
PID 2512 wrote to memory of 1860	2512	Vape.exe	29
PID 2512 wrote to memory of 1860	2512	Vape.exe	29
PID 2512 wrote to memory of 2896	2512	Vape.exe	30
PID 2512 wrote to memory of 2896	2512	Vape.exe	30
PID 2512 wrote to memory of 2896	2512	Vape.exe	30
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2652	2512	Vape.exe	32
PID 2512 wrote to memory of 2604	2512	Vape.exe	33
PID 2512 wrote to memory of 2604	2512	Vape.exe	33
PID 2512 wrote to memory of 2604	2512	Vape.exe	33
PID 2896 wrote to memory of 2524	2896	Built.exe	31
PID 2896 wrote to memory of 2524	2896	Built.exe	31
PID 2896 wrote to memory of 2524	2896	Built.exe	31
PID 2512 wrote to memory of 2928	2512	Vape.exe	36
PID 2512 wrote to memory of 2928	2512	Vape.exe	36
PID 2512 wrote to memory of 2928	2512	Vape.exe	36
PID 2928 wrote to memory of 1684	2928	cmd.exe	37
PID 2928 wrote to memory of 1684	2928	cmd.exe	37
PID 2928 wrote to memory of 1684	2928	cmd.exe	37
PID 2876 wrote to memory of 1976	2876	sv_host.exe	38
PID 2876 wrote to memory of 1976	2876	sv_host.exe	38
PID 2876 wrote to memory of 1976	2876	sv_host.exe	38
PID 2604 wrote to memory of 1884	2604	ms_host.exe	41
PID 2604 wrote to memory of 1884	2604	ms_host.exe	41
PID 2604 wrote to memory of 1884	2604	ms_host.exe	41
PID 2876 wrote to memory of 2592	2876	sv_host.exe	44
PID 2876 wrote to memory of 2592	2876	sv_host.exe	44
PID 2876 wrote to memory of 2592	2876	sv_host.exe	44
PID 2604 wrote to memory of 1800	2604	ms_host.exe	43
PID 2604 wrote to memory of 1800	2604	ms_host.exe	43
PID 2604 wrote to memory of 1800	2604	ms_host.exe	43
PID 2604 wrote to memory of 1560	2604	ms_host.exe	47
PID 2604 wrote to memory of 1560	2604	ms_host.exe	47
PID 2604 wrote to memory of 1560	2604	ms_host.exe	47
PID 2876 wrote to memory of 1780	2876	sv_host.exe	49
PID 2876 wrote to memory of 1780	2876	sv_host.exe	49
PID 2876 wrote to memory of 1780	2876	sv_host.exe	49
PID 2652 wrote to memory of 2128	2652	Installer.exe	50
PID 2652 wrote to memory of 2128	2652	Installer.exe	50
PID 2652 wrote to memory of 2128	2652	Installer.exe	50
PID 2652 wrote to memory of 2128	2652	Installer.exe	50
PID 2652 wrote to memory of 2088	2652	Installer.exe	57
PID 2652 wrote to memory of 2088	2652	Installer.exe	57
PID 2652 wrote to memory of 2088	2652	Installer.exe	57
PID 2652 wrote to memory of 2088	2652	Installer.exe	57
PID 2128 wrote to memory of 2504	2128	cmd.exe	52
PID 2128 wrote to memory of 2504	2128	cmd.exe	52
PID 2128 wrote to memory of 2504	2128	cmd.exe	52
PID 2128 wrote to memory of 2504	2128	cmd.exe	52
PID 2604 wrote to memory of 2516	2604	ms_host.exe	54
PID 2604 wrote to memory of 2516	2604	ms_host.exe	54
PID 2604 wrote to memory of 2516	2604	ms_host.exe	54
PID 2876 wrote to memory of 2448	2876	sv_host.exe	55
PID 2876 wrote to memory of 2448	2876	sv_host.exe	55
PID 2876 wrote to memory of 2448	2876	sv_host.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Vape.exe
"C:\Users\Admin\AppData\Local\Temp\Vape.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\sv_host.exe
  "C:\Users\Admin\AppData\Local\Temp\sv_host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Local\Temp\svhost"
    3⤵
    - Creates scheduled task(s)
    PID:1736
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- - C:\Windows\system32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe" & exit
    3⤵
    PID:2320
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe"
      4⤵
      Creates scheduled task(s)
      PID:2412
- - C:\Windows\system32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe" /RL HIGHEST & exit
    3⤵
    PID:2528
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2376
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp424E.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2632
- - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat""
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat""
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\watchdog.vbs"
        5⤵
        
        PID:1872
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1760
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:840
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1512
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2068
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2404
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2296
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1740
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1664
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1228
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2320
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2632
- C:\Users\Admin\AppData\Local\Temp\ms_host.exe
  "C:\Users\Admin\AppData\Local\Temp\ms_host.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'microsoftsoftware_sv.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "microsoftsoftware_sv" /tr "C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1636
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "microsoftsoftware_sv"
    3⤵
    PID:1148
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D12.tmp.bat""
    3⤵
    PID:2588
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1244
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp201E.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {06E3141D-B69D-48B5-8EDB-3AB86A4372DE} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
PID:2948
- C:\Users\Admin\AppData\Local\Temp\svhost
  C:\Users\Admin\AppData\Local\Temp\svhost
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\svhost
  C:\Users\Admin\AppData\Local\Temp\svhost
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8df53d367a8058d27ea7491b141ee3f1

SHA1
99e12d0fdfd1b6cac3b3f21befb4c096e3d7c8d8

SHA256
28e6dcae07df1a5e52fbe32c511373471a75d3ab7bea19963b2906c6429dd989

SHA512
1d91d57ff3c19b88ad3c62cfc1e910e04f8a638745562e7613aa5f4594955ff02261b2961f02b646694dcdf3068fe8df31eacfcaf55aa5123dc7e2453534f255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22bd1c108dce7989b6c606c85de9c742

SHA1
72d161d5ee1d5f97848820bf8655cbb1d8f5c5a3

SHA256
095def662b0fb40fe263d6fed5ae4a89680c6c77a9d86a64e685eb2c5a5dbfac

SHA512
a4cf43a7ad3a6fa4ce7e95db45382373457b631361880caa4660f48f0f3b647f10ebda7d645cc1c945813d4823c7ba0c880c2abfff137d451c615c7f482252aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
768KB

MD5
15a49cc7a7158930c1c2ab498cd575ac

SHA1
bfd134280d583b36bfc244e7f438551732bc4549

SHA256
6b22ff92836e37d8bb2a80ba69f61c33ab05a31f8403db745d8ec19c38238452

SHA512
9306ca695a2dc18c0f13b7e46629895872f6222a97785d8afa5c922577e95336e43e002e3df3ca94e6bba53cf27ac70d888d8570132d2365d548c6661d676f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
384KB

MD5
598a2ee043783d9ac8ed6fe02cbd11c6

SHA1
ee8e062c1e05483fc1d2afccfd7353eac788dfe5

SHA256
317d5b99ed39f7fb50d09d4d6b4444b1e0d7d225b15439efb276a4507f6b66e8

SHA512
492b410ef721d6aab6dc239d200fd810233bab50019405cd7d5e84371733ec06bb599f0db889c7535a86301f4139d98cba3dc400433bfe6a1d77971ebd2f74ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1.9MB

MD5
2abae4c3e898b97c7e336b602a14df43

SHA1
3b26a5cfab7d4da0d6a4eb58d783e3e9c826f3ea

SHA256
f0714233a091ffb88474bd72560fabe32db14aa886d1870b689451794a8fb48a

SHA512
655b5701f86e5cd27bbea6f6f7f29e0750462f7749633ad1ebcfa9ffe0e741e618913c701e0a0521815624179741f6dee5f900908484e9f34efe09edf9c26a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab61FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
2.4MB

MD5
68a116880728b77f51ab407eddd437ad

SHA1
421dbac9b6a10d283c390e4a70bd6e1bdbaa39ab

SHA256
2feeff13d9d3b5594411fe20b77986be8ce0cfd4286c70910c7aadb6714b348c

SHA512
95a495b5f7947e03565a048fc42237bd68912b8ee0f074159b9b26480e814344f42344cadf75a1d3bf2a85e2a9b34fba2f5f1475f576a816849beaa7af8ca5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
1.9MB

MD5
4a758894cf35d2fde608827b57d051f9

SHA1
1ce04000b5ee8e9146b3647f9fb611165f46fdbb

SHA256
7a067bce3007c3d180ad0e5470d56fa1d7dc0f2a75f3a92cda35048005b7db8a

SHA512
e8bda63a8ec2683d4f8ac73a0920728d91eed8ce1a5935f51d226be7d2930b0ed44d9e2f7aaac7abebbcaaf14ceb7f7cdf57f15495d47a8891f8b42469f8382d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62AC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms_host.exe

Filesize
60KB

MD5
d5a10d43ab7ebb2eb3994d838f28082c

SHA1
e14038fa3d5d9f87e5f58afe4299453764570c7e

SHA256
3d30447bf5ff5d6a9a4bcb0d10a1247d75f015e93b90cc4c5278100e4b7f8e94

SHA512
e814c1dfabe7ce1d7e7f986d2319332442b69bb20c8c6c323f828a61cbae35653f5bacc1b336b06b4c74c6ff156e1c91e78be12e6e3428fbec2084046d6f9add

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv_host.exe

Filesize
69KB

MD5
91d589dde2c5210749d269da8d49f9b2

SHA1
3c712db908c457dcf2fcfe76979128aa35db41f2

SHA256
8cbdd9f6000ae1b2e8092c0fc6e283da34271c83bfd564198e779c3a1f417635

SHA512
1913ff1143bdadbd90e6e4da5dc803b4d405cb6a6b767eda33ba58509cfbde6a9638be8582f7faaabacdbeae327086340b735eb0db078b0a28a05b01e7389c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
603KB

MD5
e7622f5a26365bbc2a1902866be391cb

SHA1
3fd6d9e885c99374f48887a26ea8abcd5655448c

SHA256
4d299acbd0e5643196dbb88796d22649bfe9d97f720925a4863e1ed966f65681

SHA512
43109c9cb0dee73333e0d9c7d432e05803b96fe6bfa5dc3a2a255f1c6b52c966d30d61553338a1f71b0fda18912cde0d22387452b802669f05a58376d3e4bf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp201E.tmp.bat

Filesize
156B

MD5
56def81370cb758fd48d2345565a6a63

SHA1
28f52ac9805f45037379653fffdc8561c958018e

SHA256
998a45a1b9c42be423a39d238f14d7131b1b8267442365b08266c32b55c835bc

SHA512
c0911c71a415dff47cc074a9813fc39279fa1f232eab6c9b1a31637384de07f451ae3ca9616403338048ae07ce44f73b0a05e291dc71ccf5537b484f1404df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp424E.tmp.bat

Filesize
169B

MD5
7b4993f5b95e7bc16958cee9a4e042c3

SHA1
0b7be203c1e2810e84d48829ca4260f481506898

SHA256
2a2e261222e9dbf55d145960b0b734dc1e70a10381b0072ceffe06014d3ad198

SHA512
0122b4898ebaace6c684f292178e3303a51decf38c7cbb50203eb2c64860c243c6b2252e2d5978f8f639a00eb03d400bc6a0f6636def5519fcae51b02c481410

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D12.tmp.bat

Filesize
159B

MD5
a1684c2da6f685f3bd279d6c8f176a32

SHA1
20109953ef491df46e71069c8b3bbd40b7bb44d2

SHA256
1241a526c174dbb5407b41f71350076a947b46d567c7129f1c806ccaa2ed0b75

SHA512
0cf45ac5a1e0a30a1ad9cccdb39de4b00c6a052cb8605ea008d71a50e4cf54ef46caa8574b649804835fa57f54608de70b247434c60a554c66739e09a6ba96c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.vbs

Filesize
154B

MD5
708b249a9687f18684fd4b7f6d79a725

SHA1
b6a74dd71ff3119c7d0f09538305a811901c468a

SHA256
67867c598a29cc4aabfbb7461d2d0f3b946dbf792ef0c2b8bd39775f2c5e344b

SHA512
7f833139506db626c4ddf06d2f7643668f7ec4009d19d15bff03e3ca7897acfe7fc43a61b455b62b148a97afb8bef87ff05a37b00a259664c2ba66fa3cbee346

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat

Filesize
146B

MD5
a9d2fc52c32f82335d453b70f1d02c0e

SHA1
0c26c7ed464426b557a799a1fc141141acc53b49

SHA256
e7c0ab7bb5ab69801155583f7a47fe3ba60baea95b8c2171c19e54a338fa8106

SHA512
a347f1212a9088c48b09ff6cb2a95259dc438a5767a918451baf302f3e2bd2a66036d4f44ef543128af36206d354bdeb3431c27ec43568b8e949b99c1f1f8e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9baa5a26c49a8edb81ece9f96fa2dae3

SHA1
e426e760d1f9ae51e0e344970d26e23c1b87a89d

SHA256
eb924ed9510b0a68037e29a65a9e06aeba92c222ec4a59e3d8ae9643c25063d9

SHA512
ec17160c466e52f00cc7c162ed4b5f7da05867d8bdaa16ddca94225f493b3f0b5cdfe817d5aefc56abf88295c6ca0973f2657b516f1346d70f2809a2a5ffae87

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
2.0MB

MD5
a1f6f7809f79804dc1c188ca9cd174ec

SHA1
a5a8a567b9a72093298cd5ca4df1212346e3ad3a

SHA256
f95abedf07f4f8668176be02bbdb6a01882c04d9fef5cad8a6d56519faaabe07

SHA512
6958cbf71f2a3c6f0b3331c92e8b6e35a10bb65cf5573bc1256b52fe79bf3c0e892c8e09a6ca5bcbc129ab0ac352a99b4afa7e53f5cd167c5959bd09586454ee

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
1.2MB

MD5
2ae7ef62417d6887aecba34bc89f69ce

SHA1
00db198ea7ae57a2477edb9c6c9afef9ffdd040f

SHA256
6a8bc1dc651c976cc0db29f8e26d3ee242fda382058605954f75560d55c67284

SHA512
82fc63a497363245085e10622f11791c33545a83a6e4e3c28b5390ca18ad31a745a5ccdb7ca76657fdf8f4b5540dd653d26f9f5ea4d3f00a642761c7598f0f89

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
1.1MB

MD5
a87ecf44129b6a22e068e2acde0af235

SHA1
62c9bc00abc808434c47b3cbe63665c1a163e6fe

SHA256
975ee2fa3426303953405415855f7e737bc809e96e3f53f9693393d8ac8f5e70

SHA512
c77b33c083cedbd487536671aa6e1d431306b73be9378e1b849ec3ef1de71c6bbd28629616ae13d4a54f2549031e56a967c98729da8891be71b8e558badebd55

Download Submit
C:\Users\Public\Documents\Sub\Client.exe

Filesize
14.1MB

MD5
df8066af82af32280056e4c496fce478

SHA1
0d213185a024d7b5bf7c796bbaa9437556111671

SHA256
84d04d869812c02c1dccf19ef474c1d52a750cc4586d9f441b1d983e2c116fed

SHA512
11990782e5bb5b06ca5741e2de92821902617e889ee66f611a28488b3b34e88526fe5d102a02ab2f30750554855fb3f1fbc833e75003a504fdcd76798f657683

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
C:\gays.jpg

Filesize
147KB

MD5
7d2f38ca4bec0124cfefafafe9deccaf

SHA1
f7a46510d260df4f5afdf6fbb3d6815a9e9c7ee3

SHA256
6315252de63de98413c0404a86a1fdcdf998728bc7b2a1e6d23b84914aee5aaa

SHA512
545e0df0639fecb34427cac8188a7313650042bc79903aba04e97e82df26cddc9c8a574934452bc7f41f622d2ecda25a76bac42c74c9c88f730d863e2dbe9441

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
704KB

MD5
951a25061481de5dee09a8a189aa53eb

SHA1
8daecf2a75de850e3167d807a9253f9c3ac2d40c

SHA256
608b27db6cac53010dfd1c1a18d286a54e9df2f3760472174df87559e8a47257

SHA512
555c854657e338654911e1cf37fcd0df22b839b8a8d03228b84a8745db230a4ef7f46c3f7b784a3dac134ef2baf20a54cce48f3ab4c165ab0740aa1ca781dd92

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
2KB

MD5
f4e715a248e7e4d332224f5faf219267

SHA1
2faa31a7805199a1c91d9560731672cc4a26b6fb

SHA256
0a192ad6eff7168de7c186c1e7eca6b2dd692c5f90ea5068e10f22cf753456c8

SHA512
538e1372e2828c8d962cbea9d5b006aba8daee61bcf6ccda7cac4f0898624b33b0a1391ba69642af005c022153d4f1a58d4c1df29872e31f1de063305d7ff7d3

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.1MB

MD5
5b30b9102571f3befa16e18f6fcbaa45

SHA1
81a5ab49816cd8758d885d58f14a8219d7a0c97b

SHA256
9502fc5bc11606e9f2436f831d23a7f70f117bba90be0600a127b3b43d72d540

SHA512
a200e95ac10ded1c34a6797a9966abfb89c57b0fe4d6ae3a21f2ade935f65d14db2702d036114465e14f4ec8d5d1dcda2374eeb8f7a803fc6ef4a7eaa4bfa6a5

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
2.9MB

MD5
ea6ac52656449958d6b1b8530cd846c1

SHA1
36b360fa53603f228e61925602975773f583affd

SHA256
b9715cb148ce800c92c662ec4d5a1addcc21ca7bad89cd03b6b4646ee534cf00

SHA512
807b0d84bf540f06d7556fc27820a8ab1c0802bb7fd6e28b8693d1c90605261d3ef5930dca8e72bcb38b1e7a7e365e21a206c68137e2f07922c4b83de8803c67

Download Submit
\Users\Admin\AppData\Roaming\svchost\DotNetZip.dll

Filesize
448KB

MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
1.2MB

MD5
5bfd4534d01b02ff1ff98dee81048481

SHA1
8d19d73ed8f290f9c1b7bfb7fcefa2c0fc54b2df

SHA256
738040c192ec8bf6a1eb5e768a485e7d4734e02c882848a2d180321a27064987

SHA512
f7f2a21e11302be673699ce7002135e7a4aed7985f6f93cc212d69d90a4947be4e2f6d0362318e326f4f83947744f47511b9be13b3379dfbfa324690fb274692

Download Submit
memory/1560-157-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-137-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1560-136-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1560-135-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1560-134-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1560-133-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-158-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1780-148-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1780-179-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-147-0x0000000002E80000-0x0000000002F00000-memory.dmp

Filesize
512KB

Download
memory/1780-146-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-114-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1800-122-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1800-111-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1800-112-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1800-113-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-125-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-115-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/1800-116-0x0000000002DF0000-0x0000000002E70000-memory.dmp

Filesize
512KB

Download
memory/1860-15-0x0000000000840000-0x00000000008DE000-memory.dmp

Filesize
632KB

Download
memory/1860-18-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1860-123-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1884-84-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1884-98-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1884-91-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1884-93-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

Filesize
9.6MB

Download
memory/1884-99-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/1884-95-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/1884-96-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-92-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-87-0x0000000002E90000-0x0000000002F10000-memory.dmp

Filesize
512KB

Download
memory/1976-97-0x0000000002E9B000-0x0000000002F02000-memory.dmp

Filesize
412KB

Download
memory/1976-94-0x0000000002E94000-0x0000000002E97000-memory.dmp

Filesize
12KB

Download
memory/1976-85-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1976-86-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

Filesize
9.6MB

Download
memory/1976-88-0x000007FEEEC80000-0x000007FEEF61D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-190-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2088-187-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-186-0x0000000000250000-0x00000000004B8000-memory.dmp

Filesize
2.4MB

Download
memory/2448-198-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2512-69-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2512-0-0x0000000000310000-0x0000000000B86000-memory.dmp

Filesize
8.5MB

Download
memory/2512-2-0x000000001BF70000-0x000000001BFF0000-memory.dmp

Filesize
512KB

Download
memory/2512-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-61-0x000007FEF2550000-0x000007FEF2B39000-memory.dmp

Filesize
5.9MB

Download
memory/2592-124-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2592-119-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2592-120-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2592-118-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-117-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2592-126-0x000007FEEE2E0000-0x000007FEEEC7D000-memory.dmp

Filesize
9.6MB

Download
memory/2604-56-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2604-132-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-55-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-72-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/2652-71-0x00000000000D0000-0x0000000000338000-memory.dmp

Filesize
2.4MB

Download
memory/2652-73-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-156-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2652-188-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-145-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-74-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2876-121-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-10-0x0000000001210000-0x0000000001228000-memory.dmp

Filesize
96KB

Download
memory/2876-11-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download