xworm | e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Resubmissions

02/05/2024, 02:59

240502-dg26eshb97 10

02/05/2024, 02:36

240502-c3k9csef7t 10

Analysis

max time kernel
297s
max time network
301s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm bootkit persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral27/memory/2752-1-0x0000000000E30000-0x0000000000E46000-memory.dmp	family_xworm
behavioral27/files/0x000b000000012279-8.dat	family_xworm
behavioral27/memory/2632-10-0x00000000010E0000-0x00000000010F6000-memory.dmp	family_xworm
behavioral27/memory/2016-37-0x0000000001130000-0x0000000001146000-memory.dmp	family_xworm
behavioral27/memory/1444-630-0x0000000001250000-0x0000000001266000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Executes dropped EXE 19 IoCs

pid	Process
2632	uwumonster.exe
1696	uwumonster.exe
1664	rfdhct.exe
568	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
108	rfdhct.exe
1732	rfdhct.exe
2432	rfdhct.exe
2016	uwumonster.exe
1956	tuwjpk.exe
1008	tuwjpk.exe
1976	tuwjpk.exe
2920	tuwjpk.exe
2908	tuwjpk.exe
1572	tuwjpk.exe
2076	tuwjpk.exe
1928	uwumonster.exe
1444	uwumonster.exe

Loads dropped DLL 30 IoCs

pid	Process
1664	rfdhct.exe
1664	rfdhct.exe
1664	rfdhct.exe
1664	rfdhct.exe
1664	rfdhct.exe
1664	rfdhct.exe
1664	rfdhct.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1956	tuwjpk.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rfdhct.exe
File opened for modification	\??\PhysicalDrive0	tuwjpk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705e83c53d9cda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000000e5dca6b22a5e67770fd70da5850c3dd6c32373850a7fb33af1152f2589d4651000000000e8000000002000020000000a2283f713caccbce32ce951abef4c978c5ff4a41ed1da0b97862a379e2fe16c390000000ddeb3151f5de986101f66739f4768935a16bc3f4accb96c5cf1ec9453742484c549d3123f940eb38c69c609822e32a45a3bd0181613ebf487d8d2de45df61314eebce1566073a3112504837b08a61c72854c8579ad1c7d3ded863a1a1d3c1ee1f0aa99bfbad717a7a60b17babb4ef8f3d7b907eeca9aaec058eb48a4ece358168b53a92404409967b65635966328423040000000c1c90f66f5dd0726eb55ad91229028028ec318b2961ef4e5a443541688e0867185e18e9542ace8a7d5ad47429c790a5fa457377c5fa12643891331e4a48624b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420781072"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01F81D01-0831-11EF-91AC-F2A35BA0AE8D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000005430edb2d2a262859837228e8a6f424955155001edb1180d456d4e5414c45b4f000000000e800000000200002000000033ca224ffb645ac2cddeb68cb28460f11c13d0fb320f357307554173d0ba11b7200000003bd1b326e7f9bcf7a6720cd00be6c7ad514e47ac0d8db1cea70ae4062224dc884000000004b0eb91530f02f80d5a40abccbbcf5477624050ea09045340a98963cfb1107b018241057c0f7a5844e66f75dc19627f9a6db9e459a0acd8e5229668ec98631e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs regedit.exe 1 IoCs

pid	Process
1624	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
568	rfdhct.exe
568	rfdhct.exe
2324	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
108	rfdhct.exe
1408	rfdhct.exe
568	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
2324	rfdhct.exe
1408	rfdhct.exe
1732	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
2324	rfdhct.exe
1408	rfdhct.exe
1732	rfdhct.exe
108	rfdhct.exe
568	rfdhct.exe
2324	rfdhct.exe
1408	rfdhct.exe
1732	rfdhct.exe
1732	rfdhct.exe
108	rfdhct.exe
568	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
108	rfdhct.exe
568	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
108	rfdhct.exe
568	rfdhct.exe
1408	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
1408	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe
1408	rfdhct.exe
568	rfdhct.exe
108	rfdhct.exe
2324	rfdhct.exe
1732	rfdhct.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1436	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2632	uwumonster.exe
Token: SeDebugPrivilege	1696	uwumonster.exe
Token: SeDebugPrivilege	2016	uwumonster.exe
Token: SeDebugPrivilege	1436	taskmgr.exe
Token: SeDebugPrivilege	1928	uwumonster.exe
Token: SeDebugPrivilege	1444	uwumonster.exe
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
2584	iexplore.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe
1436	taskmgr.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2584	iexplore.exe
2584	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
1916	IEXPLORE.EXE
1916	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2600	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2752 wrote to memory of 2600	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2752 wrote to memory of 2600	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2712 wrote to memory of 2632	2712	taskeng.exe	31
PID 2712 wrote to memory of 2632	2712	taskeng.exe	31
PID 2712 wrote to memory of 2632	2712	taskeng.exe	31
PID 2712 wrote to memory of 1696	2712	taskeng.exe	35
PID 2712 wrote to memory of 1696	2712	taskeng.exe	35
PID 2712 wrote to memory of 1696	2712	taskeng.exe	35
PID 2752 wrote to memory of 1664	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2752 wrote to memory of 1664	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2752 wrote to memory of 1664	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2752 wrote to memory of 1664	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 1664 wrote to memory of 568	1664	rfdhct.exe	37
PID 1664 wrote to memory of 568	1664	rfdhct.exe	37
PID 1664 wrote to memory of 568	1664	rfdhct.exe	37
PID 1664 wrote to memory of 568	1664	rfdhct.exe	37
PID 1664 wrote to memory of 1408	1664	rfdhct.exe	38
PID 1664 wrote to memory of 1408	1664	rfdhct.exe	38
PID 1664 wrote to memory of 1408	1664	rfdhct.exe	38
PID 1664 wrote to memory of 1408	1664	rfdhct.exe	38
PID 1664 wrote to memory of 2324	1664	rfdhct.exe	39
PID 1664 wrote to memory of 2324	1664	rfdhct.exe	39
PID 1664 wrote to memory of 2324	1664	rfdhct.exe	39
PID 1664 wrote to memory of 2324	1664	rfdhct.exe	39
PID 1664 wrote to memory of 108	1664	rfdhct.exe	40
PID 1664 wrote to memory of 108	1664	rfdhct.exe	40
PID 1664 wrote to memory of 108	1664	rfdhct.exe	40
PID 1664 wrote to memory of 108	1664	rfdhct.exe	40
PID 1664 wrote to memory of 1732	1664	rfdhct.exe	41
PID 1664 wrote to memory of 1732	1664	rfdhct.exe	41
PID 1664 wrote to memory of 1732	1664	rfdhct.exe	41
PID 1664 wrote to memory of 1732	1664	rfdhct.exe	41
PID 1664 wrote to memory of 2432	1664	rfdhct.exe	42
PID 1664 wrote to memory of 2432	1664	rfdhct.exe	42
PID 1664 wrote to memory of 2432	1664	rfdhct.exe	42
PID 1664 wrote to memory of 2432	1664	rfdhct.exe	42
PID 2432 wrote to memory of 3048	2432	rfdhct.exe	43
PID 2432 wrote to memory of 3048	2432	rfdhct.exe	43
PID 2432 wrote to memory of 3048	2432	rfdhct.exe	43
PID 2432 wrote to memory of 3048	2432	rfdhct.exe	43
PID 2712 wrote to memory of 2016	2712	taskeng.exe	44
PID 2712 wrote to memory of 2016	2712	taskeng.exe	44
PID 2712 wrote to memory of 2016	2712	taskeng.exe	44
PID 2752 wrote to memory of 1956	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2752 wrote to memory of 1956	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2752 wrote to memory of 1956	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2752 wrote to memory of 1956	2752	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 1956 wrote to memory of 1008	1956	tuwjpk.exe	46
PID 1956 wrote to memory of 1008	1956	tuwjpk.exe	46
PID 1956 wrote to memory of 1008	1956	tuwjpk.exe	46
PID 1956 wrote to memory of 1008	1956	tuwjpk.exe	46
PID 1956 wrote to memory of 1976	1956	tuwjpk.exe	47
PID 1956 wrote to memory of 1976	1956	tuwjpk.exe	47
PID 1956 wrote to memory of 1976	1956	tuwjpk.exe	47
PID 1956 wrote to memory of 1976	1956	tuwjpk.exe	47
PID 1956 wrote to memory of 2920	1956	tuwjpk.exe	48
PID 1956 wrote to memory of 2920	1956	tuwjpk.exe	48
PID 1956 wrote to memory of 2920	1956	tuwjpk.exe	48
PID 1956 wrote to memory of 2920	1956	tuwjpk.exe	48
PID 1956 wrote to memory of 2908	1956	tuwjpk.exe	49
PID 1956 wrote to memory of 2908	1956	tuwjpk.exe	49
PID 1956 wrote to memory of 2908	1956	tuwjpk.exe	49
PID 1956 wrote to memory of 2908	1956	tuwjpk.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
  "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:108
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\rfdhct.exe
    "C:\Users\Admin\AppData\Local\Temp\rfdhct.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1436
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:1624
  - - C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      4⤵
      PID:2988
- C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
  "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe
    "C:\Users\Admin\AppData\Local\Temp\tuwjpk.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2076
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2220
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=bonzi+buddy+download+free
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2584
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2952
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:472067 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:406549 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:406573 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:865310 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1628
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:865344 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1244
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:1061935 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2948

C:\Windows\system32\taskeng.exe
taskeng.exe {E0DC3ADB-4362-4973-B362-90EC41F78AB2} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1444

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a240d3899f5c942fa4d758eaa3f6cffd

SHA1
ab28b7e179d0b320b32b40f9302c6692bab2f06e

SHA256
fd668a44e7e00cb370d96f1ed1de4a6853f0fe2679fbb5e9cc211450d7cd6111

SHA512
8d774eda4fba5de333e50be8503c902c5f8aa6bc4516a0cad95f8cb8d697924fb88696b22cc712c6468ee9e8866a29c71d24f16d4e19dd0ded38069602babeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
472B

MD5
d82886e4da51cd825189e243de66e640

SHA1
edc8290b23161653889b252b37f19ec019720941

SHA256
3d47798cbe8f8488ea79b1ef3fa8e9c89a17ccea4f2305be794601878e3cde73

SHA512
ba84e29c4e2a374bb2b836e4dc40ff52db54159c0145f4b1f90927953e285d72a25f358f4ada1450ac4f09f48d7dcb1d7ff77aac5670fea4678094bb3a3c5ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
ac8a657c0f36af9465897e357586552a

SHA1
6dc4ce7cfcff05f2418ae0d4676755014b835a27

SHA256
c446e349a63f95b8ab7073321b5d1cab4ed25a482c39de2e45907e18bd3d2ec2

SHA512
553718ef22848577b17432b5a8dd5397ad4b2ce3feff0e5110fd325259ece9311a4694cc339078eb43e3658e3495f66c9842d1de94aacba1178f89b67e190ccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad3a87f73938f54e96d9e8aee80bf4b3

SHA1
33c117d9ed7f64cf165e654a23dd2ca84673e66d

SHA256
07068d11e0fa291945c3c55f0fc20631adab7ac5ff3edb260edeb206f510e337

SHA512
90855b45831fde248b7eba25c37133722041725234fdd9aa73daa066f696722da9e3a3259614d6c76edeb3228f8733fd5b3cb03b149673cdf9c162042ee59b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed1276c9c6ca5e420a5f46a8e8f35fba

SHA1
54a640b0d9ae98d2a178852d3ea492096efb89ea

SHA256
766f30f3b2231f2dd30056ac2dbd5033e195d8e147adf78fe89543c1036a4abc

SHA512
4f6c275af537a38117f8b3b105afcd7d7e72f4d318591211cceae129418556f89fb5d59d8162bf849349e2d062645d0f521855981223bf35e6827347516607a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a116a35ee4e32fb02260680b8ce1b66d

SHA1
a8895df73cf0469d3ca3cbd1f8d3c79ca4142515

SHA256
21e5987d41c9e8c53f329ddca452c025a848f050757cc609fa6f534ab1b28ef6

SHA512
e128f672b972dffa65d6ca5d8233a3649831d8db378458f85f691f484222bc80a4f901a525c551af2f0440efd6d8ea9b257caf3e0811cded09dafd337ea055a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb240c034775d1e0e5f2c67180da7162

SHA1
b3e577c5aacc7822b5a6cac67349fc6ce8b9d7fe

SHA256
5eae0d662e0f23fecd33fd640847560aa3a6d8a2a6e29aa1ff76de076f067e0f

SHA512
6cfa137a1a7406fe9ccbb9c0e9a9b5253dcf2e9021baa7cdadc5bd0d1f019cb27170f6a585878819f8d6cbcd3ecedd252c76bef6f792aab5f0a5d0e8c9b6fe48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b63e4c121632049f9a13b1285092cf3

SHA1
95781b4a01ba4e2cdb262325a03bad74a80ae69c

SHA256
14327a110332b4dfdbcbeb484cbf3e9878448046977751dfbc27b53ba534d1ea

SHA512
c631e2674ab9cc82bba99978e127560ba7011635cc7128b58f2c8b290c8bf2b75fee72e1b0cdaf8da979d4c0c80c4cb4ded4fcd7a910dbdccf91cb54e3bd54f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c44f289488a7891ecc2a06aa1002d31

SHA1
8c20210ecee4652ae1e76e49971c25585f8ed567

SHA256
c974ea37e55e6642186a5598625496de9c0443f901bed9cc5ebc50bdc93d2865

SHA512
36e0b8da83a4867b1e1b5106b3ea5cc8377309a87c9eebb52f3bcdea58f51109f4c92836300b507497a7d0d0b85978c0acdc4af4c249c4a43c34e88b17197787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d0aec012851da5822c4277cdfbff5ba

SHA1
0cfdf774d29da7275b3237c2eb404f7b5828d4e3

SHA256
480b023e1c68a40eae69efbacf5264666904b50383adfc12a65a942a01e151b4

SHA512
41dc4d42f9277e79fc160c7c6e4f8c7653c4f74e4271931e45871c70ff22e3edf6f2b6a0784bfdf9677fa73644909d7b3ca7f97f0a3069fedd00ec5b5005706f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
60e9091e65c42e06666c87008a0422fe

SHA1
a4e6e3a0891e5e784503939001e1a1b83a9d0975

SHA256
9b8502a80052b4ed001f30ce9033aff449baf9f3fb9817ddc8e900c0dcc3ce7f

SHA512
971c117a24379b74bdc122f0b96ef999fd8871beba3f0842d05d90ae853c217e45fad6269b7841c5df53b7797a940cd4102c59cb2d60ca4ad87180dc8da40caa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
414B

MD5
a9d560a8d5121604d1c3955e0b85d888

SHA1
96ecda7c104a03c659c75f64db21baa9a35fac61

SHA256
abc7e6b95c25cf43709e78ea80050976300d8e0d6574922f505679fc6773ac5c

SHA512
c045f38274d14b4115d735871f5eb0d9f513c2e758c72dc83937ff0f5f35bfce287ec31649c2b1451863cb1646deeea6407be22c1c1c1ba3e7d9825740b5947b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

Filesize
5KB

MD5
fcbef3ec2c9a818f7adf2b21fe26ab2b

SHA1
71c09570fa783eaa8fd3881c23ea3790e6d8d3c2

SHA256
45356c74a49aeacc75ae05dde7c314ff8f1d8ed3f0d1cb54cdb04d307f0d4688

SHA512
f8ee6b7d0bde003ba14c6076aa739ccf04874d75c5d253e89f84f32906522f72837c134f770ec5d8f8729247a4dfe50c810c1c8fb4878022dd8420b9c0df78e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\api[1].js

Filesize
850B

MD5
ee87fd4035a91d937ff13613982b4170

SHA1
e897502e3a58c6be2b64da98474f0d405787f5f7

SHA256
7649b605b4f35666df5cbcbb03597306d9215f53f61c2a097f085fa39af9859f

SHA512
9e27179bdedb6fe008ab8dc0827d479c674e7e21ad44081c78782f29dd5b91ad2d5bf4f6912d6d1ad3275eedce659e26ace02f769c6b7f4b1f660a3c628feab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\styles__ltr[1].css

Filesize
55KB

MD5
2c00b9f417b688224937053cd0c284a5

SHA1
17b4c18ebc129055dd25f214c3f11e03e9df2d82

SHA256
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

SHA512
8dc644d4c8e6da600c751975ac4a9e620e26179167a4021ddb1da81b452ecf420e459dd1c23d1f2e177685b4e1006dbc5c8736024c447d0ff65f75838a785f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\recaptcha__en[1].js

Filesize
505KB

MD5
e2e79d6b927169d9e0e57e3baecc0993

SHA1
1299473950b2999ba0b7f39bd5e4a60eafd1819d

SHA256
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

SHA512
d6a2ed7b19e54d1447ee9bbc684af7101b48086945a938a5f9b6ae74ace30b9a98ca83d3183814dd3cc40f251ab6433dc7f8b425f313ea9557b83e1c2e035dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CB2.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C78.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfdhct.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BOW28O4N.txt

Filesize
124B

MD5
0be51b79a2203996b529515d3d007ae4

SHA1
d63e632b7450e5e97c1c41eb374393caee030837

SHA256
b72b0c03ce9bd94f8d396f87366e273448f53bd245e72f51f27ebbcb63758f43

SHA512
fb6d84d16eca7f0fcd3208e3473d02df6d3ae80540b6f369201871371ec502715a7da13ed25534c3355e760ab7f35147ad4bd358a49ba9e15235371b90bea3d8

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1444-630-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/2016-37-0x0000000001130000-0x0000000001146000-memory.dmp

Filesize
88KB

Download
memory/2632-10-0x00000000010E0000-0x00000000010F6000-memory.dmp

Filesize
88KB

Download
memory/2752-0-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

Filesize
4KB

Download
memory/2752-12-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-11-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

Filesize
4KB

Download
memory/2752-6-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-1-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download