xworm | e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Resubmissions

02/05/2024, 02:59

240502-dg26eshb97 10

02/05/2024, 02:36

240502-c3k9csef7t 10

Analysis

max time kernel
295s
max time network
304s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm bootkit persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral3/memory/2888-1-0x0000000000E70000-0x0000000000E86000-memory.dmp	family_xworm
behavioral3/files/0x000b0000000122ee-9.dat	family_xworm
behavioral3/memory/2804-11-0x0000000000170000-0x0000000000186000-memory.dmp	family_xworm
behavioral3/memory/2184-15-0x00000000000C0000-0x00000000000D6000-memory.dmp	family_xworm
behavioral3/memory/1532-38-0x0000000000130000-0x0000000000146000-memory.dmp	family_xworm
behavioral3/memory/2488-600-0x0000000000340000-0x0000000000356000-memory.dmp	family_xworm
behavioral3/memory/2500-1057-0x0000000000D50000-0x0000000000D66000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Executes dropped EXE 19 IoCs

pid	Process
2804	uwumonster.exe
2184	uwumonster.exe
2796	unjujy.exe
1248	unjujy.exe
1632	unjujy.exe
1496	unjujy.exe
1484	unjujy.exe
1864	unjujy.exe
2492	unjujy.exe
1532	uwumonster.exe
1988	cuxssh.exe
2236	cuxssh.exe
1652	cuxssh.exe
2604	cuxssh.exe
1244	cuxssh.exe
2216	cuxssh.exe
1704	cuxssh.exe
2488	uwumonster.exe
2500	uwumonster.exe

Loads dropped DLL 14 IoCs

pid	Process
2796	unjujy.exe
2796	unjujy.exe
2796	unjujy.exe
2796	unjujy.exe
2796	unjujy.exe
2796	unjujy.exe
2796	unjujy.exe
1988	cuxssh.exe
1988	cuxssh.exe
1988	cuxssh.exe
1988	cuxssh.exe
1988	cuxssh.exe
1988	cuxssh.exe
1988	cuxssh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	unjujy.exe
File opened for modification	\??\PhysicalDrive0	cuxssh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2388	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420781049"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4304031-0830-11EF-85C1-E69D59618A5A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9042dcc73d9cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000005cdce5ade5fd3b6249ce6eab1a590d4b115aeb0f74e83eef9605967f64f4d85e000000000e8000000002000020000000ab95a0674b7a86f70b9b45f1d2e61a2bbdf6e14cee18579ded4d54efe370852590000000b5f7d20d4c8dfb0a61c82287d28cf155eec1ed98a51967e740ce511a2a2aba105af06a9a8d47ed1a18e7ba097e9b1c00b560155635480ae887c78b57d1c004b06098575cfe529850fdf19d0d0da7d6a83a728f4f814451ed8563d5988d9a847ed40ae229086bfa5cc0b4fd72b83d6f6e600df50f362bcd17fa88b1e73aa65cb3569360a5f251cdd308ee765656ab444a400000005c21e2968f9fe41cdc736007c8a5e4d7ebc339b209ac01cbdfe5277e691dfb3e88f790c1ba87cbcc9f86723f100509942b55475174f42fa179496b0559a7ad27	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000f2ec1147891b5268d763a94914c56a6338a67f04cf5efd0c91910655254cd2a2000000000e800000000200002000000057d97d98f49f077eefd163298b46b8da3bfa963290884c75624970382a1a1a7e200000004067ecc3c3d968cdcd2a7708802496682603f811ad23485762f05094dbcd07f2400000007041021c8abdc9911c479d700708d3c30802fc230bfb3d581248f8fd576817423f7b71043826cdab0cb91ec8e3363c39ed1cac46df043cc04b43aaa0e932a6f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Runs regedit.exe 1 IoCs

pid	Process
2044	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	unjujy.exe
1496	unjujy.exe
1632	unjujy.exe
1484	unjujy.exe
1248	unjujy.exe
1864	unjujy.exe
1248	unjujy.exe
1632	unjujy.exe
1496	unjujy.exe
1864	unjujy.exe
1484	unjujy.exe
1864	unjujy.exe
1484	unjujy.exe
1248	unjujy.exe
1496	unjujy.exe
1632	unjujy.exe
1632	unjujy.exe
1864	unjujy.exe
1248	unjujy.exe
1484	unjujy.exe
1496	unjujy.exe
1496	unjujy.exe
1632	unjujy.exe
1248	unjujy.exe
1484	unjujy.exe
1864	unjujy.exe
1864	unjujy.exe
1632	unjujy.exe
1496	unjujy.exe
1248	unjujy.exe
1484	unjujy.exe
1632	unjujy.exe
1484	unjujy.exe
1496	unjujy.exe
1248	unjujy.exe
1864	unjujy.exe
1632	unjujy.exe
1248	unjujy.exe
1484	unjujy.exe
1864	unjujy.exe
1496	unjujy.exe
1632	unjujy.exe
1484	unjujy.exe
1496	unjujy.exe
1864	unjujy.exe
1248	unjujy.exe
1632	unjujy.exe
1864	unjujy.exe
1484	unjujy.exe
1248	unjujy.exe
1496	unjujy.exe
1248	unjujy.exe
1496	unjujy.exe
1632	unjujy.exe
1484	unjujy.exe
1864	unjujy.exe
1864	unjujy.exe
1248	unjujy.exe
1632	unjujy.exe
1496	unjujy.exe
1484	unjujy.exe
1632	unjujy.exe
1864	unjujy.exe
1248	unjujy.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
Token: SeDebugPrivilege	2804	uwumonster.exe
Token: SeDebugPrivilege	2184	uwumonster.exe
Token: SeDebugPrivilege	1532	uwumonster.exe
Token: SeDebugPrivilege	2488	uwumonster.exe
Token: SeDebugPrivilege	2500	uwumonster.exe
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE
Token: 33	1140	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1140	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
3048	iexplore.exe
3048	iexplore.exe
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
984	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2388	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2888 wrote to memory of 2388	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2888 wrote to memory of 2388	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	28
PID 2660 wrote to memory of 2804	2660	taskeng.exe	32
PID 2660 wrote to memory of 2804	2660	taskeng.exe	32
PID 2660 wrote to memory of 2804	2660	taskeng.exe	32
PID 2660 wrote to memory of 2184	2660	taskeng.exe	35
PID 2660 wrote to memory of 2184	2660	taskeng.exe	35
PID 2660 wrote to memory of 2184	2660	taskeng.exe	35
PID 2888 wrote to memory of 2796	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2888 wrote to memory of 2796	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2888 wrote to memory of 2796	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2888 wrote to memory of 2796	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	36
PID 2796 wrote to memory of 1248	2796	unjujy.exe	37
PID 2796 wrote to memory of 1248	2796	unjujy.exe	37
PID 2796 wrote to memory of 1248	2796	unjujy.exe	37
PID 2796 wrote to memory of 1248	2796	unjujy.exe	37
PID 2796 wrote to memory of 1496	2796	unjujy.exe	38
PID 2796 wrote to memory of 1496	2796	unjujy.exe	38
PID 2796 wrote to memory of 1496	2796	unjujy.exe	38
PID 2796 wrote to memory of 1496	2796	unjujy.exe	38
PID 2796 wrote to memory of 1632	2796	unjujy.exe	39
PID 2796 wrote to memory of 1632	2796	unjujy.exe	39
PID 2796 wrote to memory of 1632	2796	unjujy.exe	39
PID 2796 wrote to memory of 1632	2796	unjujy.exe	39
PID 2796 wrote to memory of 1484	2796	unjujy.exe	40
PID 2796 wrote to memory of 1484	2796	unjujy.exe	40
PID 2796 wrote to memory of 1484	2796	unjujy.exe	40
PID 2796 wrote to memory of 1484	2796	unjujy.exe	40
PID 2796 wrote to memory of 1864	2796	unjujy.exe	41
PID 2796 wrote to memory of 1864	2796	unjujy.exe	41
PID 2796 wrote to memory of 1864	2796	unjujy.exe	41
PID 2796 wrote to memory of 1864	2796	unjujy.exe	41
PID 2796 wrote to memory of 2492	2796	unjujy.exe	42
PID 2796 wrote to memory of 2492	2796	unjujy.exe	42
PID 2796 wrote to memory of 2492	2796	unjujy.exe	42
PID 2796 wrote to memory of 2492	2796	unjujy.exe	42
PID 2492 wrote to memory of 2404	2492	unjujy.exe	43
PID 2492 wrote to memory of 2404	2492	unjujy.exe	43
PID 2492 wrote to memory of 2404	2492	unjujy.exe	43
PID 2492 wrote to memory of 2404	2492	unjujy.exe	43
PID 2660 wrote to memory of 1532	2660	taskeng.exe	44
PID 2660 wrote to memory of 1532	2660	taskeng.exe	44
PID 2660 wrote to memory of 1532	2660	taskeng.exe	44
PID 2888 wrote to memory of 1988	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2888 wrote to memory of 1988	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2888 wrote to memory of 1988	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 2888 wrote to memory of 1988	2888	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe	45
PID 1988 wrote to memory of 2236	1988	cuxssh.exe	46
PID 1988 wrote to memory of 2236	1988	cuxssh.exe	46
PID 1988 wrote to memory of 2236	1988	cuxssh.exe	46
PID 1988 wrote to memory of 2236	1988	cuxssh.exe	46
PID 1988 wrote to memory of 1652	1988	cuxssh.exe	47
PID 1988 wrote to memory of 1652	1988	cuxssh.exe	47
PID 1988 wrote to memory of 1652	1988	cuxssh.exe	47
PID 1988 wrote to memory of 1652	1988	cuxssh.exe	47
PID 1988 wrote to memory of 2604	1988	cuxssh.exe	48
PID 1988 wrote to memory of 2604	1988	cuxssh.exe	48
PID 1988 wrote to memory of 2604	1988	cuxssh.exe	48
PID 1988 wrote to memory of 2604	1988	cuxssh.exe	48
PID 1988 wrote to memory of 1244	1988	cuxssh.exe	49
PID 1988 wrote to memory of 1244	1988	cuxssh.exe	49
PID 1988 wrote to memory of 1244	1988	cuxssh.exe	49
PID 1988 wrote to memory of 1244	1988	cuxssh.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\unjujy.exe
  "C:\Users\Admin\AppData\Local\Temp\unjujy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\unjujy.exe
    "C:\Users\Admin\AppData\Local\Temp\unjujy.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2404
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=mcafee+vs+norton
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3048
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275469 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1688
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:865294 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:865309 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:984
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:1455126 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1736
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:1061926 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1348
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:1193007 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1992
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:2500
- C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
  "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\cuxssh.exe
    "C:\Users\Admin\AppData\Local\Temp\cuxssh.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1704
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:2044

C:\Windows\system32\taskeng.exe
taskeng.exe {1D0540B1-EE99-4F7A-8129-DB212A5053C8} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Users\Admin\AppData\Local\uwumonster.exe
  C:\Users\Admin\AppData\Local\uwumonster.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x7c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a240d3899f5c942fa4d758eaa3f6cffd

SHA1
ab28b7e179d0b320b32b40f9302c6692bab2f06e

SHA256
fd668a44e7e00cb370d96f1ed1de4a6853f0fe2679fbb5e9cc211450d7cd6111

SHA512
8d774eda4fba5de333e50be8503c902c5f8aa6bc4516a0cad95f8cb8d697924fb88696b22cc712c6468ee9e8866a29c71d24f16d4e19dd0ded38069602babeee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
472B

MD5
d82886e4da51cd825189e243de66e640

SHA1
edc8290b23161653889b252b37f19ec019720941

SHA256
3d47798cbe8f8488ea79b1ef3fa8e9c89a17ccea4f2305be794601878e3cde73

SHA512
ba84e29c4e2a374bb2b836e4dc40ff52db54159c0145f4b1f90927953e285d72a25f358f4ada1450ac4f09f48d7dcb1d7ff77aac5670fea4678094bb3a3c5ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
308e4b768d587ee2706f03b297854f8b

SHA1
0e9be268eec8af38adb9d0d06ac0771a3439aa70

SHA256
cd7b8b5adc73001d3cf632a13102bcf92cb14cf4482d3b3fc826444cbbfae608

SHA512
bb4de1c72205726b3f0ec1a201b768aba3a03bc4a2d8be763a9e962107f315ad870f92ddbedeb06813b3880e99c5e83c4b52130d434f1b5fa638413607a9ee60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c2df52becaf25450678123f93f3c7a2

SHA1
cc6acf41e940a94ba99614bf883de42e675196e5

SHA256
f3bc31fb1c886c4d16777aeb95a11dd0a11201789f37cdf28fc614a9b03bb15a

SHA512
0f101e6c4537330586676cf2a81ff1d3344f413e215b06e1652900ce461d131b20acb7603deb179ebcc5fa687ab0438433ad24b80f28e4999da516e8392316af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e9f354c9662a682717891728e7e1990

SHA1
77391d46cd9659c45d5e9cbf2e70eeb9457d0c39

SHA256
9080ae60f598e75a82ec309fe93715067f86b25456e049b7a4d187637e697766

SHA512
fa13b1bd31100a126cf1ac12aa91fa6ab7f76d74b32df1af62ec283392a786f133282edff2f07abd0e57d3baaa6c92f6f3e86c75f63011268efb3e26a4e83f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24db63a65749b36ae7f620f03176a14b

SHA1
05b18f169f65710aab34e85e5e8745ce37542612

SHA256
c7cad73c5becf4f015c6e8d25149200cb04535792baf1e96b3d0098d527ab43c

SHA512
e2c2c67c1202c1f19bd3cf18055a618fa499a2268b60db8fcf6c6a80cca7ff4b53e66bc0838b8c6183fc2e5405101ebe3bcf606719ed1573f766c723e9d932d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3d43533040a12ade3e6131217a929b2

SHA1
ca8184de4a3b79d53a1a9c1507668c5d91c4816d

SHA256
df4b32d97e4c156d873d263f96ada414fd115597cab3d7644c861a2c4e4befdb

SHA512
731ab6e2407374efb18ce342a0da2fa89d9a8937828461dd0eb87c36bd3502191266e2e0861d51b0652327dac67a26408bab3e10dcf46c836c8cbcd552733c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da9c1fb1c81a2a414420862c2c376b86

SHA1
2fc4b88025fb1d5306cd8571400378a7801c2b02

SHA256
f247480f44644d4d02ec80fb37722bff893021280b8cd51f138ec7f6001966be

SHA512
37ef5b0cdf46318e9c2b6ae51d87308d0a3f7ba942dc100d9780655d45c9d8034cf6e3e0cf93fcf4f6556fd4c6309f86f3ec28c298aa4ca694a211c579981a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ccf7894e753501ad4f9ee981d073ce1f

SHA1
7c214ab2e7ce577aeb3d85376c17882ab5d46620

SHA256
e50fa39ad4ac7dd08d305a743169d249581cfc563f08e26775530ce60688feac

SHA512
98b8dbd4d47da03ab8f597b5f972bc33c51c744873ef7da610294e8ec1fd2469fb56102f743897d39cf028757cca602e3c63c7acece839b530c7e348789004db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
366501dd0017ed5dc969cc0ebf189901

SHA1
53171831b20832a73a25552507bf3ec801e0ab85

SHA256
f8183386f77a2897a98635e65c5163df669a6874e40eb0475ecd2361810ab480

SHA512
23f40f4d10bd103ec49b22000cb65d2e1fa41762056e214990d203d44923fd6b81580ea339fcf9e761d4642bf90d03c7d8243507b17f5dc449c5eb5ce7746583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4589ecca01491fc374f720ff2d81656

SHA1
97b0687a84d7a76616a82a1a21fb99cf517fdb62

SHA256
9f5d6c0841d09ed2ef81958a09b9d3f2e1714afc1fe29b4b6cefbd8cb0a18b96

SHA512
2075aa4b561d965ea3185f8e5b332638af85918a50d92e32ee3c4f119f42208675e5719f6b94911a512bdcfc72ab086b7fe2473ffb3892a5795d3f96e94d64e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
130d70a92a5cc4e85edf54b93f99a192

SHA1
44d145e9dbd37f9b753a9e6484b946d7b90f37fd

SHA256
ad7d724d719cf2fc640580d57e4a41a112fc84801e5891457bb59fad0f29f846

SHA512
88527472b18dc6d4c4bfa2e10a5bbc89ca88d4c7a9e3d26a8e70621c4e9869b03fdaad6bbb6a104f9cc5b2269777cdac7553b05b680555f6003e5d72b04540a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
881a360329d3234769bf25fde5f001b9

SHA1
9639f1c48152f7de4d43bd20729dcf0572c82e46

SHA256
dbfdbb2593ff36a4ce3349ee28b0c0879a8f1e4d1c985932ab7026f565442378

SHA512
32b4e35be6b7402dd56c9feca23c853da624a1e9f7b927d202e9a71ca0a5662f7c3cd7d75ab383e176f948f500bdcabccc26c4954e5427e2afe923a90a404877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
335488be0911070f52a30431205872c6

SHA1
f41511a3a4d687142781df149b289580470669f3

SHA256
14ef833eb8e7e398f3e3e4a70530dee9b5c191ed8d3851ccc6d7d1e2dffc3013

SHA512
62a0697b50287c5f5ed246b396ca5211947fdf5f787acd5507707fb4ba2c1a3818621fab825d62509e734b210d279a94c60442ab9fb54d91d1e2fbaf6d9d4fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c9255483abfecb1c857c818db3422c2

SHA1
d3ee4fb1898bc050ff25d0d37275c5554d5ffb16

SHA256
54ff44b91a1b150a74fbfe4748f4c62bb6e08c1ef5784edcdf9fecfff574f4d7

SHA512
107deec5586815f1ed29a873147fa1f95cb80672669c0235615d2f80b57b3521934fbd7f2bb758206c39aa29712d7201656b4312160771aaf1a7319041d33e92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35e1f66906fc58177bd531d004c6557c

SHA1
011aaa75346db07af065c2194f519fd6303bcfe4

SHA256
1a50d1fedeeeadf99dd96909e9a96a395a6ecf67942ef538902d1d72d13ea2b7

SHA512
6ecb5b50f80dbc6a16c2abe8cc1fc32bf06dcc607f11da6fe1dbccd7e00a20d12ff35e84b33e77619640f92b3d80deaf699b92eded14b9cbe8bfff5388f437af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
025a06a4faddb40ca71b0b5421c386f7

SHA1
891a2832fa543958bf03ae3dbb3aef7f3e34d54e

SHA256
8ab223330a21d1455b1cd665e3199b51e27c4b57186960dd23fd6176716c9f19

SHA512
523d31a1cfa5212d951773c23a5867e018f30143f3d78ff51fbd563a8e40545374bf0dba593e70d03dd20519547c970239e88d0db4faab68478d10c3b3cff223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa6b22fa6acd0e96628f9440075e1d2b

SHA1
43bd23af076a12280ff5fc7eba75c20f19733402

SHA256
de782d21d90994426917d0b7fef2da156f3bd9d6623f93e4dd44a424342b0c82

SHA512
3d3551f5b76f8de7d5f32f1e8b1465df8a09981d9095cc95054b9c1864cbe17185ee1d8721296d3937cc060174ac1eff9cadfb1c4abac43352e047d4ea0e7eb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de0142d929af8cd3c1918e4c666fd11f

SHA1
c8e53f54c213d91282c879bae72588bfcc5a8b62

SHA256
c0c0a80aa57b28ce6de5f4757b44a5540361a3745ea7012def2d55976643758e

SHA512
b9ad1b6a710df53d5d909c976c2427c5c25d173ebccfbdcb01942645cde63264f7dedb46d3a550de1d8df60816263cd7906af11c67b2997f3fd391a13bf7063c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4702a06128cf145d2475f85119374464

SHA1
31675f221f76de8164ee5c45e5bd64496f9e94e5

SHA256
3e12c5a1790741f5be1ff754e9371aab0c89a0799955c3ba181c2e1a5e340fc0

SHA512
7ec74bbbe50382ba4fa6281baaaed0ddda4c14da7758804cb6c6a90d1cfcdaf96278eb2c80c30390634735e5115d6ac58f5df109cd4711d8f151ec5227788c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
560b88375f4c1c57cd2a1136685e0f80

SHA1
5dcbdff90f63e5b5db6248a539465a7015fa43f4

SHA256
37e7c7cae8a0f34fc3c46c3ceb335d68172a39e7cf417fcb9a0a67c731fe7c73

SHA512
3cad6b7dae497e7fbb580d081704d8750425f6d317d0956d0eba6c83a10c2a769a5fbc533171479b14be65a4a6c21418e5b0aaec8f1ed43ee57fd444748b68dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e8dc26a4679ea01cfd7c427c8f00778

SHA1
c0f40572651b9ede707e6183b2cd133c98f49f0f

SHA256
d705d58ae2b71bdb2f8aaa1eae038efd0e92a27b39f4c0278df22fd1d2b9d0a1

SHA512
fa2cd1d4057051dc1bacf89f8a1348d8fef82a4bce7288cf82c550f131bd8cee3f4723702bcac9438411317b798462c9837cb98b8a63088b4502fde57462b720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
3b64e7a8a2a3dfb330f823fa8abf5fc3

SHA1
3fc7a97cdb6ba9dda6df5f8f1ae935be66f6974a

SHA256
b8ce06811d9683c077990d492a1caac405338aa9ee5d161e149d67112dd755e9

SHA512
8418e508d3fe67882b8caa2e730bbf2460907aefd4ea3426decd7af3d50e675812886d44a3951bf8d7b29ecb95af5fa5486e3bf2e6269e38d906f93f7b28b9eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
414B

MD5
c05e8e6d3c9e568c3c306476e7f4ee68

SHA1
ca03846146e7dc95447da6267c6bae73832dfd38

SHA256
36d86b2dece13d2a76786df27a87a3ee536bb4f7730b96c7757ed3a80986aa21

SHA512
2327d04f925b9d693549e2ec8992b67b34a9d493b9903f3de9b12a5f0243183189901652b82236d8f5cf726cadd2d43fb337f3cea8aa701c6911289b6050d40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\15VULRUO\www.google[1].xml

Filesize
95B

MD5
7497655c2dbdeb0de5a30fe343636cdd

SHA1
389110c8999f231bbbb4f2e79324658701b32dfd

SHA256
a99d8f0a07e8211abae5c58e4c698a04f7d5ba2860e5643e8cdf135d9a22ac5b

SHA512
77c5425ad7d0a2e8a5e9b76aba88730aacff39b1499749ece2f7c5e1e9936d5ea294ebf0ed4b569125e994d375120bf03fcd347416a0b4d7ae0b9b9cce4a3792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

Filesize
5KB

MD5
3f3861ed6a387c89d0d312ceb223413e

SHA1
49c465a14fed5256023dc835b34266c603292cab

SHA256
3e6e2ca81db10d5aac4aef7c8d480d21673f35e41538880eb69f4b96c1ca1138

SHA512
6900e002c8d52b456e2234dd48ac536fc13bd52ca3b480611f4ef77097bd7352c023789aad8ed21a3559da622a185a9f73317fa875006d6a4589655f3c00c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\7eQ2Z2UxguOtDKLo8k3CBaEbS6lC99JHwgFri1PPOEg[1].js

Filesize
24KB

MD5
042fe9734b14cf73e14f4072ab56fade

SHA1
a63dca07a21fb0676731ae722b277d057da8a456

SHA256
ede43667653182e3ad0ca2e8f24dc205a11b4ba942f7d247c2016b8b53cf3848

SHA512
4f6b8b8d17e2c6ea70b86e5588a9c6eb6257716a60f120efbf30c9d1054180c1a572d9ee795762689a34862913c0a270d3930899dd7b679a213427f74f34c39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\api[1].js

Filesize
850B

MD5
ee87fd4035a91d937ff13613982b4170

SHA1
e897502e3a58c6be2b64da98474f0d405787f5f7

SHA256
7649b605b4f35666df5cbcbb03597306d9215f53f61c2a097f085fa39af9859f

SHA512
9e27179bdedb6fe008ab8dc0827d479c674e7e21ad44081c78782f29dd5b91ad2d5bf4f6912d6d1ad3275eedce659e26ace02f769c6b7f4b1f660a3c628feab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\styles__ltr[1].css

Filesize
55KB

MD5
2c00b9f417b688224937053cd0c284a5

SHA1
17b4c18ebc129055dd25f214c3f11e03e9df2d82

SHA256
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

SHA512
8dc644d4c8e6da600c751975ac4a9e620e26179167a4021ddb1da81b452ecf420e459dd1c23d1f2e177685b4e1006dbc5c8736024c447d0ff65f75838a785f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\recaptcha__en[1].js

Filesize
505KB

MD5
e2e79d6b927169d9e0e57e3baecc0993

SHA1
1299473950b2999ba0b7f39bd5e4a60eafd1819d

SHA256
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

SHA512
d6a2ed7b19e54d1447ee9bbc684af7101b48086945a938a5f9b6ae74ace30b9a98ca83d3183814dd3cc40f251ab6433dc7f8b425f313ea9557b83e1c2e035dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\webworker[1].js

Filesize
102B

MD5
284b36421a1cf446f32cb8f7987b1091

SHA1
eb14d6298c9da3fb26d75b54c087ea2df9f3f05f

SHA256
94ab2be973685680d0be9c08d4e1a7465f3c09053cf631126bd33f49cc2f939b

SHA512
093f3f5624de2e43e43eb06036107ff3260237f9e47e1f86fdfba7c7036522187a9b47b291f5443c566658a8ef555e5033c7f2ac0c9f4fa8eb69eb8e2540b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9B6.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCA26.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\unjujy.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BAOZVRO.txt

Filesize
125B

MD5
711d9c383b78c9ebdae4540c375802c8

SHA1
873e7ebac1b3c8fa7694699c08fcf700ba1fcd7f

SHA256
73615e0ff2e9e4d71d324c2dfe8a480a8ddf0f537f23d29e9b5e18d5c8cf31b5

SHA512
36cec0f9cec7f8262063abf351279b5a919066e4749e3cc3d38d5265fb1307c05679c07165f382eac76a3216dbff7c097ef017aab4e006ffac38be3bc095d78c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AHD8K4PR.txt

Filesize
125B

MD5
90e56f1ba6d7b632de3592973a14865d

SHA1
3c62037d4ab7e7c72fca181a4d54ee85d97fc4be

SHA256
206fb576f7b10c488c6a01555af2e4934e910546d42f5720141364846e140be8

SHA512
5af9acfbfd9a5ef9853707b308d0bc850f8e755d668b50ecc0928e6bb699fbeea558352d1b38e2eedf3afb0093a948e206058096e3a9a20a70a4005d3c5949a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L8OJJIIF.txt

Filesize
124B

MD5
79657fa58768d80e1f56759ae7f004c4

SHA1
161f114672d56f98674416b857bda53a4ef7ac27

SHA256
395b2bd834b447cab8ea57aac35552cd6d18222c31165f15ebac1d48951dde3d

SHA512
f9888b2e84cad6917a56b6278949b6b7099dfaaa41cee7e909e7a07ac23499037b6c7aa025efe7f12e60a707e7e28ebfce00a0c72a1595935ab76b249a0ccc57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RZF8H5ZQ.txt

Filesize
124B

MD5
0a9329cb7c80b4b05dec971a90e4f6e9

SHA1
60f8bc09a2e56c4bbe82443722471a06280a93f4

SHA256
e54dfc10342c788cc89dc2067a5e134b2d377e09213145e61bee7059faf60d5c

SHA512
45dc1497ab2130c61523efc8c6c74d2179d9cb58b430bf1eca2211e6a9318b3d0903e7aa4fabd9cf3fa5aea2e68bac7157ccf749ca08be0e32442145aa2e6d99

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1532-38-0x0000000000130000-0x0000000000146000-memory.dmp

Filesize
88KB

Download
memory/2184-15-0x00000000000C0000-0x00000000000D6000-memory.dmp

Filesize
88KB

Download
memory/2488-600-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/2500-1057-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/2804-11-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2888-12-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/2888-6-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-7-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download