xworm | a8832fdd998e86f7823e93f27a98ef6d7ac44537c709adcfdd9537a53a42d3c4

Resubmissions

07/08/2024, 17:58

240807-wkbfzs1fpq 10

07/08/2024, 17:55

240807-whvf3svdma 10

07/08/2024, 17:47

240807-wcy73svcrh 10

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

53KB
MD5

5496793299d1c888dfd87a790447bc84
SHA1

fcff41d475c5415ea27ad63728054a07c2165c67
SHA256

a8832fdd998e86f7823e93f27a98ef6d7ac44537c709adcfdd9537a53a42d3c4
SHA512

b51e92e509c0ef8690c840a45aed9435c2cf21a8723e6023cffc05d1e9f9edac63a7f9a74bb676a89b840db66fa0f66fb6c2808a01fb68de108216b3fb124676
SSDEEP

768:M+QiIOyhxNxGEaRiYLKhSPx2oWbpBZ5msdAWLPHHO2IhX4+zb:bQi22EKKha2TbpBHA+O2I5b

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
hentai.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1760-1-0x0000000000D60000-0x0000000000D74000-memory.dmp	family_xworm
behavioral1/files/0x00080000000120fe-8.dat	family_xworm
behavioral1/memory/2260-10-0x0000000000F50000-0x0000000000F64000-memory.dmp	family_xworm
behavioral1/memory/1688-94-0x0000000000300000-0x0000000000314000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hentai.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hentai.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
2260	hentai.exe
2560	hentai.exe
1688	hentai.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\hentai = "C:\\Users\\Admin\\AppData\\Roaming\\hentai.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05734651-54E7-11EF-A429-7A64CBF9805C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
972	POWERPNT.EXE
1932	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1932	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	XClient.exe
Token: SeDebugPrivilege	2260	hentai.exe
Token: SeDebugPrivilege	2560	hentai.exe
Token: 33	1932	vlc.exe
Token: SeIncBasePriorityPrivilege	1932	vlc.exe
Token: SeDebugPrivilege	1688	hentai.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe
1932	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
972	POWERPNT.EXE
1932	vlc.exe
1960	iexplore.exe
1960	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2920	1760	XClient.exe	31
PID 1760 wrote to memory of 2920	1760	XClient.exe	31
PID 1760 wrote to memory of 2920	1760	XClient.exe	31
PID 2748 wrote to memory of 2260	2748	taskeng.exe	36
PID 2748 wrote to memory of 2260	2748	taskeng.exe	36
PID 2748 wrote to memory of 2260	2748	taskeng.exe	36
PID 972 wrote to memory of 1660	972	POWERPNT.EXE	40
PID 972 wrote to memory of 1660	972	POWERPNT.EXE	40
PID 972 wrote to memory of 1660	972	POWERPNT.EXE	40
PID 972 wrote to memory of 1660	972	POWERPNT.EXE	40
PID 2748 wrote to memory of 2560	2748	taskeng.exe	41
PID 2748 wrote to memory of 2560	2748	taskeng.exe	41
PID 2748 wrote to memory of 2560	2748	taskeng.exe	41
PID 2748 wrote to memory of 1688	2748	taskeng.exe	46
PID 2748 wrote to memory of 1688	2748	taskeng.exe	46
PID 2748 wrote to memory of 1688	2748	taskeng.exe	46
PID 1960 wrote to memory of 3064	1960	iexplore.exe	48
PID 1960 wrote to memory of 3064	1960	iexplore.exe	48
PID 1960 wrote to memory of 3064	1960	iexplore.exe	48
PID 1960 wrote to memory of 3064	1960	iexplore.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "hentai" /tr "C:\Users\Admin\AppData\Roaming\hentai.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2920

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {958D0372-C5B6-4ACE-9A79-F1B0B1A337DB} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Roaming\hentai.exe
  C:\Users\Admin\AppData\Roaming\hentai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Users\Admin\AppData\Roaming\hentai.exe
  C:\Users\Admin\AppData\Roaming\hentai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Users\Admin\AppData\Roaming\hentai.exe
  C:\Users\Admin\AppData\Roaming\hentai.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1688

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\CloseStop.ppsm"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1660

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8cb6950cd1992867a1876ecf510e57c

SHA1
44b144447471a6a3f606580f232b34b4e3f53e99

SHA256
6d813b8570818cc60a276157ae7aea9bf35b13ef43237a5d1db567897d6f2fbe

SHA512
95481ebe2e306f7059849eec10dc299f5e99c8c7f43596ee54cbc1732841b87e31b1c5c148fafb5a043de3414c75dd0626f93ca91eb20b7ac4fe2a4fffdfd15f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6976e5a8747b80d354f1577928620e9a

SHA1
a8845226d0bc218438eef71da39f161702640a0e

SHA256
b648ac6d2bd8b731d8c65063cae687341fd5c1169b053a7dc8c5241cb1fb39f3

SHA512
ddfcb840d93463dd27e5ce487d4b6dcb16f324fc8471b620551571b078a4a6d0906be8c468b6689ecc329d08fa7bb2a23b84f24cf9f5a3414d1e0c7c80f295c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a149bb1d26e7af955da01dff00b937e6

SHA1
e420d80ac879498bc93acb7827b7085783ef94c3

SHA256
eb43b0a099969eac34494f6a419750fe5f410e8b38d837736b2541ea53a169cc

SHA512
1472b6d5b6c469c4bbe0afb91880877424643601bb2f4c63fafe2ae6d4045db76ac296e03bc2731e19332bd109d706b5bed17cea95100e1da3a7234baa627054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cbea1fe2deed3a64279cd49fd623aa5

SHA1
3d92ef03da15471c27f7f4a280f37c4288d65667

SHA256
7a0136627e738f194324fe0d1ceca68267363f9b6c322539e1ce0db54ecf19f5

SHA512
6773eea6f8ceb42be5fd03b132ef30e1a946fe7af1454c6dc5b9d99a8a6dd419cb7872d51d7f59985ce0bcc0f4b2e7fe3bd5f1a7e8e563a808606f9cbf13c47e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87648f946f03f1fb5b85c7568afccdb6

SHA1
eabc3674f2e5d9c3c5e826dc1f87ccc86ac257e9

SHA256
900de483df26c967df7f32119571c49d16863c9461057f21263d7a8b4e19ade5

SHA512
c093bb781d3b3e067dd2b8cec82f72759bd87a4aa9d5b55a1023d604b28c6bf100faf0b5300c16b262a39097b7a7fe0306fa9f5368bf22d95ece4bdaa1dec653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db40e53b374d29e952db425c9a4fc302

SHA1
af01ff6725de998d593f9381bd03e68099f1eb8d

SHA256
3786a513a6d158afe48c34f836ebe0812ae1b3cf75d8351afcdc1e30d5915d0d

SHA512
7b47cd95edd3c7de1ab4424f8f8e11cb79d883b81db370d0cb77de80d7fd92bb8eeb8f0608562ac64a0a0734530d286ebbd424ffd04402dd9948da8866b57058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab7fa262ab5d88a4380246da84535fb9

SHA1
f1144f01d3895077b7c20beb515ae50a1662c7ce

SHA256
57ec8945ce12355d0978e117a4decd1a69384f1798026b0a7153be9097c9389a

SHA512
dffd8f0da92765b4014f76e94043c1d74e462d3c86f07e41552747122efcbf37daf47b7400a306758cfce4525e9e74d31465329d2c1460aefff11ad2d82cb13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cb770cb7137e82d0b59023397a53638

SHA1
2c563109a3a80f106c1cbe979ca7036643770f37

SHA256
58a6acfbbbc8e1b8bbb04ab4bcbe75720617873972d3f0d1df8d4dba1a2e0c83

SHA512
0aa54cc4164c360961a2608afe41494c82d6732d567438eecb32f70534c92bd810f0bae05fbc6a5b46c7b4f3ee97085cdf02ac20316c8e576d171ba9bbe349e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae0f71de6a941008b4ea96034ae079c0

SHA1
858ceb40a6e7e2f3ef8318108eabb8b84a2d9933

SHA256
422339c2146c299344a3230e9ba5bcc9b988e88c9c1b6ecacfeec44be8418639

SHA512
88c0c2e04c1d89d6f84290fe3710c3852d82d67d57676caf4cc58d954cdbac85187f35f19c04abec3a8bf023148e98599d682e7c3c9ae75f5e808602c5d2fe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE794.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE824.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\hentai.exe

Filesize
53KB

MD5
5496793299d1c888dfd87a790447bc84

SHA1
fcff41d475c5415ea27ad63728054a07c2165c67

SHA256
a8832fdd998e86f7823e93f27a98ef6d7ac44537c709adcfdd9537a53a42d3c4

SHA512
b51e92e509c0ef8690c840a45aed9435c2cf21a8723e6023cffc05d1e9f9edac63a7f9a74bb676a89b840db66fa0f66fb6c2808a01fb68de108216b3fb124676

Download Submit
memory/972-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/972-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1688-94-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/1760-12-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1760-11-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1760-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1760-1-0x0000000000D60000-0x0000000000D74000-memory.dmp

Filesize
80KB

Download
memory/1760-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1932-74-0x000007FEE90F0000-0x000007FEE9101000-memory.dmp

Filesize
68KB

Download
memory/1932-62-0x000007FEE9E60000-0x000007FEE9EA2000-memory.dmp

Filesize
264KB

Download
memory/1932-49-0x000007FEEBEF0000-0x000007FEEBF18000-memory.dmp

Filesize
160KB

Download
memory/1932-58-0x000007FEEB950000-0x000007FEEB980000-memory.dmp

Filesize
192KB

Download
memory/1932-57-0x000007FEEB980000-0x000007FEEBA11000-memory.dmp

Filesize
580KB

Download
memory/1932-56-0x000007FEEBAB0000-0x000007FEEBB1D000-memory.dmp

Filesize
436KB

Download
memory/1932-55-0x000007FEEBCD0000-0x000007FEEBCE1000-memory.dmp

Filesize
68KB

Download
memory/1932-51-0x000007FEEBD40000-0x000007FEEBEC0000-memory.dmp

Filesize
1.5MB

Download
memory/1932-54-0x000007FEEBCF0000-0x000007FEEBD1F000-memory.dmp

Filesize
188KB

Download
memory/1932-53-0x000007FEFBC80000-0x000007FEFBC90000-memory.dmp

Filesize
64KB

Download
memory/1932-52-0x000007FEEBD20000-0x000007FEEBD37000-memory.dmp

Filesize
92KB

Download
memory/1932-66-0x000007FEE99F0000-0x000007FEE9C31000-memory.dmp

Filesize
2.3MB

Download
memory/1932-81-0x000007FEE8B80000-0x000007FEE8BB4000-memory.dmp

Filesize
208KB

Download
memory/1932-59-0x000007FEEA0E0000-0x000007FEEB94F000-memory.dmp

Filesize
24.4MB

Download
memory/1932-80-0x000007FEE8BC0000-0x000007FEE8D3A000-memory.dmp

Filesize
1.5MB

Download
memory/1932-79-0x000007FEE8D40000-0x000007FEE8D52000-memory.dmp

Filesize
72KB

Download
memory/1932-78-0x000007FEE8D60000-0x000007FEE8D71000-memory.dmp

Filesize
68KB

Download
memory/1932-77-0x000007FEE8D80000-0x000007FEE8D95000-memory.dmp

Filesize
84KB

Download
memory/1932-76-0x000007FEE8DA0000-0x000007FEE8DF7000-memory.dmp

Filesize
348KB

Download
memory/1932-75-0x000007FEE8E00000-0x000007FEE8E4E000-memory.dmp

Filesize
312KB

Download
memory/1932-26-0x000007FEF3000000-0x000007FEF3018000-memory.dmp

Filesize
96KB

Download
memory/1932-73-0x000007FEE9260000-0x000007FEE92D4000-memory.dmp

Filesize
464KB

Download
memory/1932-72-0x000007FEE92E0000-0x000007FEE9327000-memory.dmp

Filesize
284KB

Download
memory/1932-71-0x000007FEE9330000-0x000007FEE9391000-memory.dmp

Filesize
388KB

Download
memory/1932-70-0x000007FEE93A0000-0x000007FEE93B1000-memory.dmp

Filesize
68KB

Download
memory/1932-69-0x000007FEE96F0000-0x000007FEE9713000-memory.dmp

Filesize
140KB

Download
memory/1932-68-0x000007FEE9720000-0x000007FEE9735000-memory.dmp

Filesize
84KB

Download
memory/1932-67-0x000007FEE9740000-0x000007FEE99F0000-memory.dmp

Filesize
2.7MB

Download
memory/1932-65-0x000007FEE9C40000-0x000007FEE9C97000-memory.dmp

Filesize
348KB

Download
memory/1932-64-0x000007FEE9CA0000-0x000007FEE9E0B000-memory.dmp

Filesize
1.4MB

Download
memory/1932-63-0x000007FEE9E10000-0x000007FEE9E5D000-memory.dmp

Filesize
308KB

Download
memory/1932-38-0x000007FEEE270000-0x000007FEEE281000-memory.dmp

Filesize
68KB

Download
memory/1932-61-0x000007FEE9EB0000-0x000007FEE9EC2000-memory.dmp

Filesize
72KB

Download
memory/1932-60-0x000007FEE9ED0000-0x000007FEEA0D6000-memory.dmp

Filesize
2.0MB

Download
memory/1932-50-0x000007FEEBEC0000-0x000007FEEBEE4000-memory.dmp

Filesize
144KB

Download
memory/1932-35-0x000007FEEC070000-0x000007FEED120000-memory.dmp

Filesize
16.7MB

Download
memory/1932-48-0x000007FEEBF20000-0x000007FEEBF77000-memory.dmp

Filesize
348KB

Download
memory/1932-47-0x000007FEEDC20000-0x000007FEEDC31000-memory.dmp

Filesize
68KB

Download
memory/1932-46-0x000007FEEBF80000-0x000007FEEBFFC000-memory.dmp

Filesize
496KB

Download
memory/1932-45-0x000007FEEC000000-0x000007FEEC067000-memory.dmp

Filesize
412KB

Download
memory/1932-44-0x000007FEEDC40000-0x000007FEEDC70000-memory.dmp

Filesize
192KB

Download
memory/1932-43-0x000007FEEDC70000-0x000007FEEDC88000-memory.dmp

Filesize
96KB

Download
memory/1932-42-0x000007FEEDC90000-0x000007FEEDCA1000-memory.dmp

Filesize
68KB

Download
memory/1932-41-0x000007FEEE210000-0x000007FEEE22B000-memory.dmp

Filesize
108KB

Download
memory/1932-40-0x000007FEEE230000-0x000007FEEE241000-memory.dmp

Filesize
68KB

Download
memory/1932-39-0x000007FEEE250000-0x000007FEEE261000-memory.dmp

Filesize
68KB

Download
memory/1932-37-0x000007FEEE290000-0x000007FEEE2A8000-memory.dmp

Filesize
96KB

Download
memory/1932-36-0x000007FEF2E70000-0x000007FEF2E91000-memory.dmp

Filesize
132KB

Download
memory/1932-90-0x000007FEF3020000-0x000007FEF3054000-memory.dmp

Filesize
208KB

Download
memory/1932-89-0x000000013F140000-0x000000013F238000-memory.dmp

Filesize
992KB

Download
memory/1932-28-0x000007FEF2FC0000-0x000007FEF2FD1000-memory.dmp

Filesize
68KB

Download
memory/1932-27-0x000007FEF2FE0000-0x000007FEF2FF7000-memory.dmp

Filesize
92KB

Download
memory/1932-29-0x000007FEF2F00000-0x000007FEF2F17000-memory.dmp

Filesize
92KB

Download
memory/1932-33-0x000007FEED120000-0x000007FEED32B000-memory.dmp

Filesize
2.0MB

Download
memory/1932-34-0x000007FEEFD60000-0x000007FEEFDA1000-memory.dmp

Filesize
260KB

Download
memory/1932-30-0x000007FEF2EE0000-0x000007FEF2EF1000-memory.dmp

Filesize
68KB

Download
memory/1932-31-0x000007FEF2EC0000-0x000007FEF2EDD000-memory.dmp

Filesize
116KB

Download
memory/1932-25-0x000007FEED460000-0x000007FEED716000-memory.dmp

Filesize
2.7MB

Download
memory/1932-32-0x000007FEF2EA0000-0x000007FEF2EB1000-memory.dmp

Filesize
68KB

Download
memory/1932-23-0x000000013F140000-0x000000013F238000-memory.dmp

Filesize
992KB

Download
memory/1932-24-0x000007FEF3020000-0x000007FEF3054000-memory.dmp

Filesize
208KB

Download
memory/1932-91-0x000007FEED460000-0x000007FEED716000-memory.dmp

Filesize
2.7MB

Download
memory/2260-10-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads