xworm | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4

Analysis

max time kernel
120s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
Size

9.6MB
MD5

dbbc877901e2a5a8c73c77b28a699960
SHA1

c4ac39e195c4c76110958801ef482ac5d1af8941
SHA256

81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4
SHA512

9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da
SSDEEP

196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

178.215.236.225:7000

Attributes

Install_directory
%AppData%
install_file
TaskSchedular.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2756-29-0x0000000000D40000-0x0000000000D5A000-memory.dmp	family_xworm
behavioral1/files/0x000d000000018683-27.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk	UD-Drop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk	UD-Drop.exe

Executes dropped EXE 3 IoCs

pid	Process
1972	Phantom Ware.exe
1200	Process not Found
2756	UD-Drop.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
1200	Process not Found

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2600	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000000d5d76fac43170c3b0dd1b0429355cbb5f32296ba69fc5e39458a7b176ffc0ce000000000e800000000200002000000093a69e96f977c09528b4fdbd023e8017874f825d8f17e92e9cf4e286cb07185e20000000f85de5bb9beea621b49fee1ffa66667a892ce893a82a4e104a5e48a390f2d59840000000651257d6fe0b2553fbbe4aa9b5d1cb4428345f1d29ea03cc282281753caa3567af97f42c1a49770da7e8885b90936ce0ea856cb532a00e1b4c7c014d1535d75f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0d83d953515db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434081593"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF762831-8128-11EF-9D9B-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000005d5f03467c13a860f9581cfd96972ce15bbd8c80d9d40b1935e2c429e1690814000000000e80000000020000200000009777067310c628913800a695d65356c012fcc12e10f3099d5aee1406295c3dbc900000004bec0813283a29ebd0728848a5be2f2c5dfd0480ab9519fcb5fa12b8f8d0097d35cad708adef652df303acfa097983de16e0fdb94df121a3e6657ab4bae9d9c2ce6ec1c7d91c873028ae3063718b732849dcad4c15098483f96e988781a28f12a833d3bc7fc26446f15d2d4a117b9ef1623baa17961422127d71a7c5e34a2c72a1bdcb5907a616af46162900a6fbb544400000001c5345f4aa0268a35ab4476b510ddfac21ea9899b329a0cb3bffdc9dcd184e4388fcbe13140a535c69da557a77e685a8d3ad1496744afe73b068d16b39758e88	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	UD-Drop.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	UD-Drop.exe
Token: SeDebugPrivilege	2756	UD-Drop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2600	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2600	iexplore.exe
2600	iexplore.exe
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2756	UD-Drop.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1972	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	30
PID 3044 wrote to memory of 1972	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	30
PID 3044 wrote to memory of 1972	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	30
PID 3044 wrote to memory of 2756	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	31
PID 3044 wrote to memory of 2756	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	31
PID 3044 wrote to memory of 2756	3044	81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe	31
PID 1972 wrote to memory of 2600	1972	Phantom Ware.exe	33
PID 1972 wrote to memory of 2600	1972	Phantom Ware.exe	33
PID 1972 wrote to memory of 2600	1972	Phantom Ware.exe	33
PID 2600 wrote to memory of 2316	2600	iexplore.exe	34
PID 2600 wrote to memory of 2316	2600	iexplore.exe	34
PID 2600 wrote to memory of 2316	2600	iexplore.exe	34
PID 2600 wrote to memory of 2316	2600	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
"C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe
  "C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win7&apphost_version=8.0.8&gui=true
    3⤵
    - System Time Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2316
- C:\Users\Admin\AppData\Roaming\UD-Drop.exe
  "C:\Users\Admin\AppData\Roaming\UD-Drop.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d974239124a409383386073ade97dfc6

SHA1
defdde311d03d3aa8e688c0f2f56417d9af04eff

SHA256
5c988bc1010b6be1dafa33ffb73c99da2b3512076cfb07c783e4a0a8c9281dda

SHA512
3991d4469b2f4634d17ea4e0bb971d44a8807c943efdf4aee16ace7654cd3537b2f31fde7e5ef17b21fa87ae068231ef514cfabc06a011b5f6a501d2cae06098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dd4749b1c516c387a95f11e1e312322

SHA1
d29c57d7cefe573e7b620436fe8cff814a8179df

SHA256
25539d58ba00757bbc97763566f86bf7c5181bca41dc859ade495c63bdd2140f

SHA512
a468140ac1833c2d0afb5137d4e840d9966191c0335f86c8fcff79de94841783baf7a816d4f6a6a17732d7d91d5a76f938c10383d9247c98ba1886ef9b024b71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
372e88faef433ba378b4daf7ef6c68c0

SHA1
589e466d29fb6aa71b8fc6d251d298a4cb83c87f

SHA256
09b68a45e7598fb7624358e79d189adbf8c5c75a18386a55d527a47573248b0e

SHA512
1ab3e701bf92c8b3cb880f161f7e31ef038b677c697bc6a807c00a4d4d684f10dfdd9dfd67fe385d3eaa40c8bbee29c2e3dedb8b26a5a0cab70dd08c6f1b0083

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41966bf01a21dce6de66284bfe100a60

SHA1
011648320e43bc5139e01cf3901ee55155e2425b

SHA256
b182208f88a178375b39c6b25a3848788cedb9c1a07c470accafd50565cc3e9f

SHA512
47ab96f9d4d22d5c5b2d158cb4405fd020e29f1d7d260acc2209a45d368c73c79ceea6d95dc916e51e6424614d5fd24474beec24979eb78ef4da6be3904234d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fa0d095308d60b1fcd17119ba0ff695

SHA1
0e386b2a7561bc06ee2046489c2a5dfd86cbf4f6

SHA256
d6f144562326761d1f1c03992a243790c68aa31d2106f503edcf4a9b8b4f4f3a

SHA512
e12bc6956e7260d0c65aedc92802b2ca6533d8a6a2abf97f865ec5b3ef67e8cb0be462ca3773584f94d8db4ef12667a827bca804c49277d5f877ec112d560b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c149c16d7973ef4ceb2eec9d9b37e7

SHA1
727a0ed47c0fd0f080f3ef0a8c3dfc58855746b3

SHA256
6e09d72ae3b045ab95deab4934d2876804a4e11298caccce752e802df7798da4

SHA512
f7df30599b0ac8190ded0c1984465093d5ff231949dd0fab96d5bff127b148974044486e98ed75ed5e98fa7eb86679749bffd6ddeb927be168144ee8cdbf6602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c378a433173c4b5c95f78c6894b42fed

SHA1
e48ab5778d30a08cc99063dac730399e5e4e4d4c

SHA256
0b3ee26f2e9467a807cbbc5a9229bab0ea16eb9ad6f536f3adc53bfee8ead234

SHA512
2fb56dcc6e508cf16aeaa45eeb8ce2ec07ac95f842a92a33ff4f6e2292d8bbb52b1ad1683e0c7a8644f294d503095ec8baf9812216ab41bb76b767528d0db613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
533fafabb9e91ea2f55cdbcfc4d6f834

SHA1
b79bc421c21d0ba02d92deb9c0fadeae56c5e4c3

SHA256
0c889e4d3848d72963a0b6a07fa097f41ea4b118a118f9f8d85ddce2391824fb

SHA512
48da451e5c1f2e92c15fbcb405ed37b71ded091dcd1e82fcaadb6fc5324c4bba747b47106c46c13923e966d72ffda5b7f65ef942d9bd51026f2427d339343309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e98b361fe6558a67394c80e46c0a3d5

SHA1
2030fd772638ec8c3e51e4ca3d38feffa9f0c03d

SHA256
6ee98e3df46bddd342f982d9b79e43729a0f4ffd6095ec2e70043cc81e633082

SHA512
8506acae3559e31e21ec31645198ec087bb446f7f3ed2f754d31e09b7aacfabed94c7ae8418ebca21f83b202167914cb00e67f44805e0a6f7cc7734749ce7973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c670bbb67a8538286dcdbda3dc4d2d85

SHA1
b43ff41513fd2b6daadcb6c873247a3c17253707

SHA256
920e535a22a256e279ee7163e38c7f480f7df6b6759d9d151794d7f34a93c8a5

SHA512
ef18a15aea11e727f5d276e7599c858c9a40cf90d544500a2a1ea0d73ec11f79fbb7deb0bda17409c590e62599114668952e8532f16c7e48cc9e92572ef0e32f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
513729c6b93954b17ab6c80ee37aa8c1

SHA1
8bb299c621c6254a0393a58717b7c1c0f9f762ad

SHA256
2d149cf1642e9395ad30ab608b5c25483012412dc691f934ccac030a22a04ecf

SHA512
6993b30738e3ebb52badb69ca1e800dd934ebbad876a241ba8f385ae895137dc6a6b9923888bc2904fdd02fa86b9c3778560254497f82c465d514597a23e45b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
622c4c7db57e2dec8ec6a08634ea0d72

SHA1
adb6d81ba131ae71e36d6128894409d9df22a339

SHA256
db3c83cd91ee378dd1b7c6e762c2169a69f6ff6c7509af6e98eff4dec25c27f2

SHA512
40e78918f158ae54a681b22e78e1fa492726a78f76024f8106dee17f19daed1739ff7922e54b5acb296302523969d3b678c53dd7b5e34736192a536c7f9904e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fa77d14562ef261047ae0e036e94f85

SHA1
c9921b84b9df0d96a480cbc607f4a5d4866e4cc7

SHA256
5738b21f2080eb7192279a6648f54a79fff05fab1e3019348a2633588e8b7b20

SHA512
11e5a2c79a27dc0f74fb00eac641afa50dca9de0977dad67b89d0ff8648de55896c7a2ae28ab1fab366ddce7ed0fb583870cdda5d99e350282c5555959d45751

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
634374b1584baaef01497222a77ce39b

SHA1
d848286b638d5651b4d61ed646a3cbb921ac5909

SHA256
79098465f5b03c6dd78119abb2851d65af9dd7293be7688b63c6d7d3c1777c4c

SHA512
7027261291061e6c04d47b05352ad4475f0797dbed024a93cdad0a04028c152075e69ebc3d49999dd66c2ab40b6b64b1e66a32ceb3193f98c1209ce6bd927395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f04b3e2bdd107f4da05bc10c7170e0f

SHA1
4ab67b8a9853697e88efc493b5533da22f43bad3

SHA256
59dd5423e1631dda6a4c60afe43397ebd0aa2fbd674103140f568100fa44e557

SHA512
2849d447899924e78d028e32439ea8fe7f79d99841ed450033dd6e680041bff59ccd3743dd7310f606ceea29437a5edb5e708797a2f76637eb6de17d1963d7ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad34b1ec31f961db8f15acb4c8a98052

SHA1
59b69419f29d667f166a3c094022b3373452f884

SHA256
dd610838a0ea67a0cfa944013e9b20fccce52d892ef74cec960a7d98e9059614

SHA512
72490ee488e768d2e17ebf41a64e8a86adfa173fc0bc342a8c503cd3d70c50a2c7e2c0c5c07843dafe6185c36fc0019ebe6c5aede3cdf79a0d2a742cbcf33e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b37fc61c757cebdd5162900e7abd4565

SHA1
4bd4d7eabf0994d8cd27b71ae35507b3e7ea79f0

SHA256
e51ac303160963f586a3a3f89de77be5d766d0896bec262ae11cf5c59d97f591

SHA512
2385445fee50205e74a26de11291549357d0110e9cbc6874406205ca948fbe8c5c76bc89972626a42048df65c9c6b236290482db4f420fa4d90636aef2e00dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
933b7b212330116e9850074f986d4f69

SHA1
6320306b77734cfba7331fe895e8b66ead8ca304

SHA256
4844c1f9e99036211c928df222e98b94d5a8261984673acb8c0211fe7c8d1dad

SHA512
8a458b6349dbb8be7e2671b55695c2ae93ecc48f8e655c9e4d715a22d641e3eea06bb2d207ae5c9b8acd846bc6329b2704bb3cac691c20fbe4a0479fc3cea45a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c0b99eaf4baca6197735834a348a020

SHA1
766ffcec0f5f6bbb01017fb054bdfb8b4a9d9d3c

SHA256
257a2855b8c616a48aa06603e83ce86a64842ec0ea46956d53be8a29fc52b991

SHA512
d3e7cdb6e5b6bcfc8010a8c8181c8e08601f191d9df8f4ade4ffcf078a0f921232c4e8696fce2bbdd88837bc62e3c9821019401e4bc1efeeed7d3c60635f177e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1f65985afed3f760231f3039dbef5ab

SHA1
d3fcc2cf0bb47d588c5538fd13828cc0e1b5166b

SHA256
c9122798f41253b3b8416bc83d8ca9cf51cd8152f89f429562b377f2f256cd3c

SHA512
7e9471fa63a42d935b1c758f47685b9f567e5d7bdb36cbe996838712f1651e1e109e2360ff1b559e79abe881469b1d6300817fbac2d1b6537c3e106fdd6ebe8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb802e2e4c3755b94f6ee21e94e677f9

SHA1
c6a0bcd4f50cc2f1d0a50661c00a364623f2f37a

SHA256
c40b58c0cdbb2896baa9473a62756ab472a577914745f40436da1a2c1d3e61e4

SHA512
5c8ca833a42b656534f9471a38cec078ecfc0b868b47360cd508f17c3d4bbcef73d985a03831ce7e9211c9ea465166b5e2d5d584f8023c48321d8c4488df4033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40689e7f78b79703f269e045dea601a5

SHA1
c62aab340e52cedca12de798fdf069e5f65f509f

SHA256
5ca5c04dce3ab462199d1fd264252570e15c249556fe3b67c6323759600eae3a

SHA512
45f0de9b6758944599554240cebfe989567fa41d585945a3885257e1f962bcf462318b77e4ce42af6bdc85973157f30a4607913e9abf22b90cf80bfd34395500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71168fe624f0ef7174a644b1e7a5e6cd

SHA1
bf474de5d4183f66b761a10a300f95764c731485

SHA256
5bf26ba88c948650e3560626df9d3f7d311e576f0415b7889795193b4c9e9474

SHA512
bb1317483bfb7da4eec33787d8cc57dbce2a0d46c0a000f7b16a8e9ba417c3f1a2dd44a99bb413e23d9109dff67b2acb7473b44d002ebed5a0bbb56b329e61e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf8727c62312354ec20452dac8fbf97

SHA1
e3474217b1a36a02bf3e9c69e048e91384e481c5

SHA256
0940cfc6a087fc1b1429792cc443ea124418635dfe0903fe761d22811bc89e0d

SHA512
4a6cedcb7ac0d516daa04787d0e010034f1526dc527ae772cef2f77c97ef276ab224daa94777801ad5a870daa806ec9461ab78a157b982c258d62ce6d3de4c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
470d571bc668c15876d9b10b00e1ad0a

SHA1
cdd208b62ee2ea6f5a1a24675b8e92b0a931eb96

SHA256
0562f1f6a7768e4f6d440e8d39469bad2ed43f17de1de77873c05d5fbe2dcc7c

SHA512
1cc12d6b31fb7bca73f95e603814647c61cafa263b7651e72fb867b6a5837347632adb42952a04fd3dd8c184523739635d1f11043ea18cfe6d1d16134c720705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5084f3b1cefde75e716b55f3d4d63c60

SHA1
917b8d3c1dbcf7b846edb2be7a5fdb9f9ef495c0

SHA256
a4f80a33c08951cddb180b2e1393e21a8c68064699b636a1ccc2696ce3f0d2f7

SHA512
6f144123dc360b4eecadcc35319fe50d1817e9cbfe750d7623cd1a35dc06a8a0b7b7f27bc362e6e1b2f8247a2673a346d6ab3bfc229c7921be74232c53b275d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f141321e813a47241379742509d29c23

SHA1
719034ff654d3355091f12e9df10bfd4f9098fb6

SHA256
ede117d96b9c8dbbd5888068fa973858de1f04663fb21d085e5cb57764f0cc8d

SHA512
275f165d16445ee3a3fd6383c26c72fbbe586f05fe5d3a63989f35d6bb0f365ea829b1da25bc281d6852a70b71b50f7ed335db010cf3dfd0b50b97faa7f02110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c26db9f0c4ae078289370e4e219955dc

SHA1
7d065cf4d12e9a04da5f72a333d1a6fedc1bd643

SHA256
dba2285cbfbd6319cbe44bd0117437d31c0d17a7e30be7773f2e924e760128a0

SHA512
7b8cab5bc71506f1fa558a991fe48822e71fc3225460f6d7fa3358cf1f52041caa583e109d6bc98111644f23cf3c97b8371ec4fc7299796f5065e285ea50b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEA7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\UD-Drop.exe

Filesize
75KB

MD5
a375378e75272307aa57d60daf52a685

SHA1
3349d6fc564e63aefca143b0600172b22f758b6f

SHA256
8406be2985a8776e6ee84157e3951ab93c329a53bdceb2c8d21ad82081d3f7ca

SHA512
b70d32375c556583c9349aa2dfbfe762ea7bbe9f6e0b7c2e3f516c1e3415bbabf2b0102c3802c18dd3bab2d0307c57d64d8be87394554a2e8b8d6b2997dd2ed0

Download Submit
\Users\Admin\AppData\Local\Temp\Phantom Ware.exe

Filesize
135KB

MD5
cb6d53d6568d8f4953ca2a8b4fe83171

SHA1
6b2ff21b333d0052a7ecb22c562fbd15a890595b

SHA256
921766a7852fcb4d43af5e488c93fd75c8f9e7d74d09f8f671d17b9e496800c9

SHA512
c8060d7b1a76f1203113b22c5bc4b43266bfc0784a44094e145e9d316c00df6b22c22e313ade83ced699f787e1a977ab407ce79187efbd6598d3cf8ca0d2c107

Download Submit
memory/1972-19-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2756-28-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/2756-29-0x0000000000D40000-0x0000000000D5A000-memory.dmp

Filesize
104KB

Download
memory/2756-84-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-31-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

Filesize
4KB

Download
memory/3044-30-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-12-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-1-0x0000000000100000-0x0000000000AA6000-memory.dmp

Filesize
9.6MB

Download