xworm | 6639082eb40e90f37ad92b3616c2040937355c5196ba241340cb1e8719d098df

Analysis

max time kernel
254s
max time network
255s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

283KB
MD5

94d7570a4d6becf9ccccac918fc7a525
SHA1

8e9fa909a7f38b1f4481ee880340c96aa03a9a84
SHA256

6639082eb40e90f37ad92b3616c2040937355c5196ba241340cb1e8719d098df
SHA512

d97b0b2c758e3288ffbacf1111b621f0530ad152830b17795a8734e4d30cd85c5578d94983f6668222028e45095582a05a41033df0bf1061fb18124fe7fa8e7f
SSDEEP

3072:c43Cklb4wOyopUd87kREhYyZxbHrR6Y7zjokEtNaaayMakxiJ+UZeQnjm9sjSwkm:bpbVoA8oKhsrx8iJZeQiWsVCA2aAN0F

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

hard-tyler.gl.at.ply.gg:27490

Attributes

Install_directory
%Temp%
install_file
systemprocess.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2708-1-0x0000000001070000-0x00000000010BC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
2540	powershell.exe
944	powershell.exe
624	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a016ec3c7de9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62EE4801-5570-11EF-BB94-CE397B957442} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000e6f08b5eb876265339dacaf105abd5018d7dc273bc15798df2310ccad8856601000000000e8000000002000020000000b3df3e041da544734a9a747b12a11df3aab873e1b93803f4e49624e9d57955be900000001f0438cfbf236c54c0ffbe18171c93b40e4a953dd9225f11d3e11728606a09245e4297cc8995eb3d8ebc2cb93a162a6f642de6052488e1155ec24919c6005bbf55fd649931383533e83ed5b54e5a6919cab0b520d850eefc53afa87cb12f09eafab67eb52ff45feb9968e649498a513cdb3fa9fee3b473be2bbe0bebf9871a09aad9779dc6177ea30d6490f444b80b64400000005a9761cb904905896f36d7aa0333b526d7cfbd3d6ed3550f937c8b9ab33ba5765a13a676a7a1bb493e7ca3067a48f799a2880649aaa5d319d25f5ea500056c0d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000895e2c379ae4f461918f6fdce33cc5893a397c6e98400491c9a316261493373f000000000e800000000200002000000052102d2fa7371af0e3ee3cc6f411d0ba91b52acb2ce29ffdae603cc49c01455a200000002ee145d2b28dfe40031d900cd6bc7dd106f21c0879fc3294a66728d8ea316c4b40000000c5f969b5e14ac826292a18b6a0c14c1c8229d36f1268da7e18d61f022efca21ce3a0e1615262ee58a721ddb7b6fd7f942b835ef86fe1a8009f27dbe60df7c888	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429274533"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2752	powershell.exe
2540	powershell.exe
944	powershell.exe
624	powershell.exe
2708	XClient.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	XClient.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2708	XClient.exe
Token: SeShutdownPrivilege	1996	shutdown.exe
Token: SeRemoteShutdownPrivilege	1996	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1800	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2708	XClient.exe
1800	iexplore.exe
1800	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2752	2708	XClient.exe	31
PID 2708 wrote to memory of 2752	2708	XClient.exe	31
PID 2708 wrote to memory of 2752	2708	XClient.exe	31
PID 2708 wrote to memory of 2540	2708	XClient.exe	33
PID 2708 wrote to memory of 2540	2708	XClient.exe	33
PID 2708 wrote to memory of 2540	2708	XClient.exe	33
PID 2708 wrote to memory of 944	2708	XClient.exe	35
PID 2708 wrote to memory of 944	2708	XClient.exe	35
PID 2708 wrote to memory of 944	2708	XClient.exe	35
PID 2708 wrote to memory of 624	2708	XClient.exe	37
PID 2708 wrote to memory of 624	2708	XClient.exe	37
PID 2708 wrote to memory of 624	2708	XClient.exe	37
PID 2708 wrote to memory of 1800	2708	XClient.exe	39
PID 2708 wrote to memory of 1800	2708	XClient.exe	39
PID 2708 wrote to memory of 1800	2708	XClient.exe	39
PID 1800 wrote to memory of 1796	1800	iexplore.exe	40
PID 1800 wrote to memory of 1796	1800	iexplore.exe	40
PID 1800 wrote to memory of 1796	1800	iexplore.exe	40
PID 1800 wrote to memory of 1796	1800	iexplore.exe	40
PID 2708 wrote to memory of 1996	2708	XClient.exe	42
PID 2708 wrote to memory of 1996	2708	XClient.exe	42
PID 2708 wrote to memory of 1996	2708	XClient.exe	42

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://guns.lol/serc
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1796
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
950307c5e4034486da109a21de098446

SHA1
4c473e73c9b31e1704a3c9e71771e895d753387f

SHA256
797c6d279705b9f2c837ce4402bb6def1083fab420328ed7d3bb1e63b32d8e40

SHA512
33887b7f6a4707eb14e9e6f0d05293b60546edbadb28aabb05ba32a8cd28754382a0bd0753a216230d7b96117a3a9461fe42fb455e570b32270534a89aec6d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
59e0a4f321bbd3289f57b9f2ea507127

SHA1
4caeeafd7e0b6d5c42eb1c29a0cfc51b2711f6e2

SHA256
57da8bf26fa7625ba3de2a07869bdcd583896cf62d4483ed3e65219db8491596

SHA512
82ca7e2d957bb811c21521456d17c0507569c7c6905a98a9ae679949acfab4d96bc1669bdbda12048f9cea48b0b71108a10bdd6573198711878aa64a12721551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
31fac0902479028429e05094819f4f76

SHA1
a1745e14070643c94b7801eb8f27eb9ba6ea90d9

SHA256
e19dfe55037fdabf6fa8e269ee6a2ee0a73aff5f34e2bad13af8457daaf15421

SHA512
f2f7a13d142694f174f7c49488e5bcbefef44fc25c87032c71753c8adf93af6285282629c4341a613687cf729fd07ff697c25193d9fb09a06943508e53c56abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb05ea5bd0aebd9b4a33af62b3af7160

SHA1
9f61ff10c0c0486048ae5756b73f6e2cae78cd6f

SHA256
2e47b262d49babb0aef4603ec76110a8fe6e2d6d87048c18725b19b1c1c9d4b2

SHA512
3e42e5a32db3b873953308183127bac50c6813ff4bebcb4d655635b80262cd13ffe3b0cbc21dc57d6a2ab10828c490b0a45b090cea0b81fd54dace9d545cf2a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0242fc4594dd72b0d671d04da65ec834

SHA1
3261e8c0046de6c2a1a2fcff55cf7993d43c0d56

SHA256
030b991e1f34fef5a3032fd85aff58f1a01c9c548b1f6b515a2c2b744afd99f4

SHA512
23b13fc63c9bbc09624688cff90d41ceaa43dbdd8d7951e29caeab0c7c7c97167fd76bc67a4b148e344fc9100c3a9330352b7e6115390818d95a7605fed1ddec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bf757784a066cbda1c20fea347df477

SHA1
2cf831f505bbd422a4342c25ec1aaa91f52b3105

SHA256
6f22f45b24d7949cc6755f9df5e518b230efed383d93e2ba037719f0fa8e55e0

SHA512
9f23be4ea544c101f400ffa228d8ddd01f1e2f8a6951914c0e90441e304fa6ca5bd5dd2c49ac362287f0819723f24c5a35dbd26fcbc7114b46bb1b018e12ffac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb2b5100108f9d4a93035fe3e50f887

SHA1
5be1000d6ad07f660e39f258c1b7c8ae18995782

SHA256
332e1496a12e42177ae5df10ce1a031ca0a5fa324b8ed4eeaad60ec56b1e710d

SHA512
2ba560089c5ef084c9f45cb00a2f80c67f08ef5459fafdf5e2e368b96c7a6079bcfd62fb57954ad75fa22d62f38a80616ad2dc4c7a37e30700639be95636a6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bba0caf236047b81ad7b858ae2449b05

SHA1
068445a20822fa78780dbfec5418d9080d91c010

SHA256
dd21fee47ad349a1ec077232956338fb80b3dea2c270971f34750b09b521d1e7

SHA512
f1cb2f81def367ac86c035d34a230a97e15ab066e431e0d0c4256445b14e12b100a6ba02518fdd0b10f033881d2317b57dd17d13a0c08c9a16e52858a984bd0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bb577a29eb5e32585f21a81f4fab86f

SHA1
8f6b3907496618ae52628c4a2d869ee0ac84a65a

SHA256
e3643206b0e3c5e87517fa900c162fa50434ad3bc25820137067b710b0be07fc

SHA512
1570e5fefd77b7757d646bc2bd4d9f583e20d97f96145ba18d7a643745430c78e14aeb007d756848b4be1c858c7fb75f6a30afbaeba4adcddb302fa0d02bc571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d6aafe4fe34c75aa740f53515d23cdf

SHA1
acc4def8bdf74b9556242922e2a4e85ff83ec19b

SHA256
0aaec3396224db8f7aedd60ec366f4314a61a47fc2cd4e6f307df4ffd0a85408

SHA512
10d590b651b2047cac3c751522ada54a2562b37db19278a67ea378468321fbb79b94ef6da92fc852deae45e8a7eb45568535e19a630acbc7350852f288c8bf7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a0b693f29ba4f98894433868db69429

SHA1
90724eaf768443908982ed3e871d433b3c5d7d88

SHA256
20042c37dd2c8f2235aead5019aab20206cffe91a246202c67db8378eea514d1

SHA512
b5b3984a6575b9b22bc43bf1a55d6883aad0b135fd56d0cc50bd642b12681efed01b1a7eb7a0e69ec882ee46573706ec179f2153a4ab2d6a58a91824a6902996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01adcae48fd9c39894297ce3f061b050

SHA1
237f1ace56adc8bc3e1bbeebac66bb4972972f88

SHA256
6acdfde50867eab6dd394f6fbba99d65a78bb244fc408e9f430c95276546bc57

SHA512
80edce827c82830d8b769dd9746de498ba760c4641b0b8193f67b7a0ef13c6e88ee59ce02315fa2e8bffdc0fbafad43cae8e47bba4b67abe6172d67eb94a2e4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8930c32e489eccff279ca0cf1b6a449

SHA1
5fc22e4d83e19f21b8b1cff5f971019ced303a28

SHA256
b6bc077503ca4ffc20762d345cf6db22e870479c06317c8646077a9a68370188

SHA512
a0de9c384d7d5251a047c3d0d48830b6516868fbc4826ce2c3745c3d0adcba6dbf132d936db45ec079955a2ebcd31f90b350ecb90cb04196f0f0a03e9fa9ba52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e69ed5108e7593bec529c09712f1c5f2

SHA1
13a5e1942bdbf42f11f5c19a7b49b2382dd62c2c

SHA256
b99c1b5230146ea895abd25e702a8e727c465e623d867a30e5eb44327dda10e5

SHA512
48535c5867e4de1b1eeb9204ee58610a255a9ffaf8759e44a1d6d6a3b04b2eca1ede3eadbb0601d1d89f3dbb0bcea709ebfe4046cec6853ce344100098bbc55f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fddf752bddabdc124555fba1df8f8fae

SHA1
31185e880ca47abe5e1b07e6600ae53ae71d8a86

SHA256
5c120ecb3d228067d7d829d0128dcf3e26f80439fe2aab42b8d2159cae229bfe

SHA512
76ee3fc258e3ab58a48151469c8ced32a7b94bf0ea097657937633007f7ddb2d13c61896fae5599e9b9e6d52a23e076ed6a6d31575a0a5c71bc16af1b0c7f8c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b76dd3c21a731a195058af4bc9dd046

SHA1
5554cc09bdeae7d5ebd508a6c4be09d0715db53e

SHA256
3764f303714f7f348a509024f942ea7f869a6bbdf2a5c69a998b14fba354907e

SHA512
56785f01f1ef82a723eeed1f44335874f58fbf9c7f4a30fd8eaeadd50a32be7a942d90877c93cb9bb8dc50286e336b0e969be434fc74618aed31d0f259045d37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28c58366615dc54dc7f2f38b1ee555c0

SHA1
3da74835f1fc8fcf07309bfff0a891aa5b2f2446

SHA256
655b57b43a12549ab893c50832c08de017a590730422e017805f9d4fe247135b

SHA512
81d18bcb97eec5ada144a57ff30da752614ad4c9f8889ad29dd36308f52b51db9f38ac4db846eeecf3357e3f3cb64782fab1af57ae787639638968b4292589a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e09693622101b24c51339e62299db69b

SHA1
8f957c32a80db50d926517d0bf73f57217d19391

SHA256
68977a15b4f66c27dc0673e6ce1bdd83f57c3ebfc64a7f45439ab73befca2620

SHA512
36597685f82c92d94d0ca02b934c2f48601953f2e2098284c9a540772c4e8e57a73482a4e9736b5594c42a02d5581bc37e8dbd9dcc27b5436d86d4679714aad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd9a5357a7c8312bb216ce8a89cf71fd

SHA1
b12d138bbb78c76d5061674af3655409c5903aac

SHA256
099f4081c25213b8895b3a93232588ff32bd30d7cf6646505dfafaeb4d9b652d

SHA512
2892280bb2be772ebf2aa127ab12e9e59394c998e4d4dbced72ea8083a07432c51ff53727f3dfa51661f08fd68b4293b5e81d485a5db21b6785cc9c9c04d13bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76566191542a502f5fa6959b84952a18

SHA1
984c523b1b82eada9d544d620c3ae36c55bb5501

SHA256
268458eef38dcbbac5bc15e9ea8bd96f92338a7f485ace816cf50e72f68efa2f

SHA512
bed04a898cb43fa834f07f0f22f20d3527c52ac6dc91b7f151fb7267ea8fbbd96ab168a883ca19f931109e6ca9db0fa115a64db8ff499f5ddfc64cd755f70904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e5a9873c5d55bed398ff609c7d4dfeb

SHA1
12d31c325d384863d0f9b31eeb928f5796b001df

SHA256
de2fbc45c7fa822511825e6af2557d6f72f07934473bd71098064e0d75086f55

SHA512
2f9ca1e75f2848697fd7e594844a12999aa7a84113cd2eacbe79d7318d92ee4ba3a83f55b57f7dee9df30f51fe804372368c3e37daafa1b3f33c703156a0b026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d384229779f58e8737f631e820e3230

SHA1
6ae0037d914b0fb97a66ff7aea694bc96fc61045

SHA256
6a3850470a50dc8fa7db9c806ab7ee447e2e18be40e3fb8327909ff6bfa4e60f

SHA512
304e308ee1c88fee7829c1fbabe03f27c6d4a944f1a16973f17b4abe0039064d13981e8149b420f85ceb8cc31b37357a4148c87e5cf077841ba644593f413e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe56f10e875fa5edb5859d59d76dca6e

SHA1
bc247ae8d385fba7f158063d618ee58373cec363

SHA256
b07dd9efee11aa5ae04ae64a38248808d15ab95e17e64a44757aab1a51d340b9

SHA512
24ad5522b3a1c41d152cf327e5664789dc41ac31b10dfa8e156fc3c8c64693ffadfa2f76f16e36d35c25f4a0bc4a0a31f9b85a1fac5d8ad05a3e48e6ab061658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fb94e246c9cf1065bf5e68a8766bcdf

SHA1
fa157aa2b2ada55f6fa5322ccb3e9a559c165336

SHA256
28c679d0fe3baab70f6dd9e7af69bef37e44d129ae13f55e0f67651fcb684b16

SHA512
c2a404764258979fadc0615bf2ede547cbdd672e5d000ac00a16c4532b06fe4e403d6f8d71242fa156788cb66ab5a46002e8983925d4f08dfa6a457b93841efe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
991c7d09cc9f129d7e352f581500aa07

SHA1
5089950400ecfb0d9a02038ed34f647ff9b3ab4c

SHA256
e2800d9e0996c2f59693766a268e4b1ef1d4e349f1cf79eb824edb113308a9a2

SHA512
0c8d06a68b6e281fcfa2cc50e5010508488aae4957950f6d2b0f56cf06fc0dfe803d1de4ffd1df44e091331dcdb34975d8532b0092c58cc7db0b07f5c932971b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bdf2669a95061d2f434aab45da15573

SHA1
78f2d642939ad74a4321046bfa50b66bb3bc6d5b

SHA256
fceedceede729eb0db3919b3b8353f48c6695402180a960024762fa8733135c2

SHA512
58e9d47be1eec6302eaadb42608b567db15b18e30dfe6a03ce768d4e9cef583c221ec4822e7cf600c6889d1c0fb067c698f6d78908e173c13ff78c95a635de46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1eb3feba3f9277e99f9cfe71e2f718e

SHA1
c7af40d454905f3ea6f655a781107bee144c25a3

SHA256
dbdd0ffdbfbdfb945bcb17ac418e94f055243acdf8d53ffe7ea91d176038d310

SHA512
9e93fcd1f8b7e516c4e737db6ec95b572a4f7d42157c7c9952d54036ad59c33966a0346f3c1ab94a5fe0f3212ad313c607f156600497b7cff5b8ef665011cd5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daa994a87b72658c4e8cb49374da16a2

SHA1
c331395bf401a73d1ccef50bdb659e87d08636ed

SHA256
82c05685d1132c1eb407fd40f8634672e0992bbf535fa8ab843d0a4aeb462542

SHA512
bf633e77901834538547540137b605b3688ea0de98856c95a553bd67a014de284b05ef83d5dc99c2eb744d2bb1247a1e80186a2d04e4ea662a0af33a1464de8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf7c066314daff1dd80e3c652c7b5777

SHA1
1fe3a493fc33e75ffdcc8cc3363d35b5d2205b7b

SHA256
b5ce9f3041244cae51eb3c30613846684ff23e00e12b42ad2333860df878c1a9

SHA512
2a294d1dcee129b9966061e8cea072085ca865a9158c3ee75317e7af1ee9c81df559ae2a316a1ff2f7577e55b03e06b367d941ba2419f1b9bd834324ad35b7e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
282e755e8f1759a395e77f9cc0bbef61

SHA1
b92b7d81cdcdc6e319a6a177d5e2a06f5038ef62

SHA256
480ea2c1deae9d77deba652dc16cc352b2758e3dbd92640a7425b8be86a07e03

SHA512
8a9a8e5ac309fb8835d2d14f7a189e9b503fb799dd8be135d2be65603090d86028d4642af3a9147fb90caf86066bea4f16c01d94eca68e7f472afd260af45874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddee6e2e42455eb6c4212cc5b97998a4

SHA1
1148550236622374a70712f7ec9b4c85d9aaa3da

SHA256
8a35a07bb6edaad70018d6c05d28bdd17e954d95f3126a2be3e3d47149716766

SHA512
9d1e2292abaa1209e0b8949457b8d8c5290eb71aba722e53faa50837c69412d363cc219d3dbe88eaaab47b27eebb0ff0425fc0f7f521f34f171e58f512e3474b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e76c17b220de2083e084ee807b990eeb

SHA1
a7df5527f74ff5b5557363f00f81f15e855d1735

SHA256
e39aa4f9bc0c797a12f865f64af6bb20797118ee9a48773b53114810dc626cf4

SHA512
7549680ae6af3f1156cfe4ac74acde41fff8488feb6c542951a9b6cb4e820ae498d42912296946956d23dc576a18aed071c084bf4aca7168b014732871ea410c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
434116c5bcce2f3cc0813506b110322b

SHA1
c325765459941dc82a5e73deea2d7566e01ab778

SHA256
81919a2cca6e59ca263e2c9e925f682d2d97e1675b83962e56bad0890d850f40

SHA512
be5809e509ba8c9a1e475b51b78e86f9ad0ed9bd63fe73803c4b6910ff22d95cc164fae6844333222aebdaf4abaad5e6e02e7c6323c2faf4f5db6cd385f8d4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JQ7VMQEC\guns-solid[1].svg

Filesize
732B

MD5
48817a08ba7e68c843c044f272f9f6f7

SHA1
ac3a03887ef169327cca4fed5632453611da39a8

SHA256
e07f17964bb0c49b975f385542abb2f6c55e67b3b0d3b77c4d743fe3416553c4

SHA512
a3d4296d8a408af9e412fdb60554f63bf2005bc0eb3a863f7a47f2bc9f311e0a5672b68e318c0600cb099b3c64f6037a02c97e875b9fd91808d336ca8a7e50ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1631.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BEF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0db29864601c4aa1e1daf105ae108008

SHA1
bee221fb38ad234f2c090a8c2a85b17483450008

SHA256
aaee0eb3fd80c9bba4d3ac71ab742f676f43485454e4fb4351b2ce744f5a9e14

SHA512
0628cb1851e2bf2fd4fcd5ef94f5d79326c1b31bf64aec6a227ddf49527bf53a9338d6f84cb1343ded7941029ae5ac3cc81d5cf390613c7893f52b0ddbccd247

Download Submit
memory/2540-15-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2540-16-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2708-0-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

Filesize
4KB

Download
memory/2708-32-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

Filesize
4KB

Download
memory/2708-34-0x0000000001040000-0x000000000104C000-memory.dmp

Filesize
48KB

Download
memory/2708-33-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-2-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-1-0x0000000001070000-0x00000000010BC000-memory.dmp

Filesize
304KB

Download
memory/2708-1539-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2752-9-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2752-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2752-7-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads