xworm | ba632368edb4e5751d72f276a1bc0d06dbd7b89a3583a5db09d3b39ee2576256

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxstrap-v2.8.1.exe
Size

11.1MB
MD5

98fe512e86a4d844618f4275cb11f9da
SHA1

42b6fcc6b481fa21bafd86c061c8592d327993cb
SHA256

ba632368edb4e5751d72f276a1bc0d06dbd7b89a3583a5db09d3b39ee2576256
SHA512

65d8f84dcb0c3971bb9c7930ba02e14ae05a62cf431576bcb8cb0de59f5a8c22decb7648481156a186d914410d914e69337d5069c7c5345bacaea2be94fc9659
SSDEEP

196608:ESHBLJKbIWxA63vYjVQ4SvrOXvH0RG1jT7ub1EBKnQtD794BY:BBVKNAGvcmTWUc1jT7FKny

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

192.168.68.139:2068

tell-outcome.gl.at.ply.gg:2068

Mutex

SXJOPv2u5QpF0aEa

Attributes

Install_directory
%AppData%
install_file
FileExplorer.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001878c-11.dat	family_xworm
behavioral1/memory/2620-12-0x0000000000B10000-0x0000000000B1E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
1972	Bloxstrap-v2.8.1.exe
2620	XClient.exe
1076	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
3044	Bloxstrap-v2.8.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FileExplorer = "C:\\Users\\Admin\\AppData\\Roaming\\FileExplorer.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2824	iexplore.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1948	timeout.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000000dea8e396365e746b7a513f54eb1342082bace288ee185bc1cbcea24a9116072000000000e80000000020000200000005b686d6245a488d88c2b37f316d3ccda2b0a513f4d12115c61121e702a1500bc20000000d651b920e41cec7addef3a198be34a00fd721481effebfbab06642702d00676d4000000013b790855d14f7a4e72573f358f32a2887837d0219d4f629ad6630f00f7123744a9162b8d5c2c9626827e3bd4b26e5e37088aa9ce56f96e99eb67e3b3283bb9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03BDF581-A8F7-11EF-A073-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fa06fd61348e4539f087fba0e82f66d178572e07b1d7d29ed45cb725c1670a88000000000e8000000002000020000000649810bfc0ff7557fc926b75a7dc7073edf113e2f951cc163f2bb7d43a8ef3679000000030f796f821a20ef0b073d88bef327cfdc04fe1bb9900f6dc7d2a31703566e1f3f07ced943df41835295a2991834d380c9c3aaa58b6d435a6147f5c3da1ae681324c07c28d43ca5e50df1f49d6b45f319baebbd40e303693656a1d8f7b5a0eb80474d95dc2bd5295fcc2639bab790fbed199ea552731eae173e4f382a651acea9fa87aceffc1ffa780f682965cdb24dd840000000ff288b2eef28aaf59472c105c8076b4c1c4210d1f940764b5c4ee53a246ef07cd496df6a6127ee85ed07c0bf01724a4baf3b486f895d8d981e4495b90f47c32f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70cf3fdb033ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438458302"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	XClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	iexplore.exe
2824	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1972	3044	Bloxstrap-v2.8.1.exe	30
PID 3044 wrote to memory of 1972	3044	Bloxstrap-v2.8.1.exe	30
PID 3044 wrote to memory of 1972	3044	Bloxstrap-v2.8.1.exe	30
PID 3044 wrote to memory of 2620	3044	Bloxstrap-v2.8.1.exe	31
PID 3044 wrote to memory of 2620	3044	Bloxstrap-v2.8.1.exe	31
PID 3044 wrote to memory of 2620	3044	Bloxstrap-v2.8.1.exe	31
PID 1972 wrote to memory of 2824	1972	Bloxstrap-v2.8.1.exe	33
PID 1972 wrote to memory of 2824	1972	Bloxstrap-v2.8.1.exe	33
PID 1972 wrote to memory of 2824	1972	Bloxstrap-v2.8.1.exe	33
PID 2824 wrote to memory of 2184	2824	iexplore.exe	34
PID 2824 wrote to memory of 2184	2824	iexplore.exe	34
PID 2824 wrote to memory of 2184	2824	iexplore.exe	34
PID 2824 wrote to memory of 2184	2824	iexplore.exe	34
PID 2620 wrote to memory of 1980	2620	XClient.exe	37
PID 2620 wrote to memory of 1980	2620	XClient.exe	37
PID 2620 wrote to memory of 1980	2620	XClient.exe	37
PID 1980 wrote to memory of 1948	1980	cmd.exe	39
PID 1980 wrote to memory of 1948	1980	cmd.exe	39
PID 1980 wrote to memory of 1948	1980	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.35&gui=true
    3⤵
    - System Time Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2184
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FAB.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fad94914aafaadd6483f20407068f19

SHA1
cd32aee01cf9bd8a81ed05daff2e661bd9578b21

SHA256
15b8a9e3b7cf048b4deee794713f29fe0da83a9b3875953ed76bbb55c784f1d3

SHA512
75de0676ac865581f14db66c3a71b1b6c43ef58a5903c2368b4d97fa05d0e45ed822cf763f32392dc10b81c300f83ee0ccac7080bc7cad78e09bd5b065051851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9071af52ad5625392c89ef787bf76fb0

SHA1
5cb3a05699a80f5d996fdeca3573498229f35c36

SHA256
0d32b61dad46bf2cfec3c1724acb856d16b0fd2e97e1d4c407b88d1551bcf119

SHA512
a2205085a048f889154d37a9b61e779788a213a25e5839e2fd06521d2dfe74cf71525eb21dc677c70fb39523e4fa7eae00e77bf362c52bd879756edf6dea696d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9327889a086d1c93023120f644da7c2e

SHA1
1feb464efce583abdd87362c86c9879ca073b1be

SHA256
b4e174340e4cc0f61b77d8c7af4842c626c2cb4b4ef3f4d36e108dd35f4df57c

SHA512
ec21308849a44bf108f4c3846531d59fc14600601b1226d1ca7d2ea068518c9728ac0c03a3e82fd3eff39d244e50bae1a145bbe0692c91cf4517ee419cf2d9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fe3acc98d1462bae4ccf801f2ad41e5

SHA1
0288b327008e937ca47cf179a21e86c5c210b30e

SHA256
5582ba58dffa2b1e2f3834d046e42f61a52242a7e7df9a715988ad28948949e3

SHA512
6d3aff5121db495de43ff11222baeccdb5edf2b14046cc9fb8182f6903d5ab6105decfdc8eb8a9a901769058374dc23ea87813aaf5b9a38a139a6a1e3d592189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d95b4552328b89c75480bcc0cd1b8ac2

SHA1
8d01e1ca895874a47d1226fd8d75790ad0354047

SHA256
8a9f1453f817c8f5e051d350797ad6f54ee45c6e23d66063905e1be121dfa1b6

SHA512
a98a050ca2236fac6c61482d3511178c9a3e70435192548f112743993bc53968fcb3bc5eb244c9490dd0e9f258369d4f851ac518d6d8439bf9359891c5a6e9f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00742ed502c9e2ca63308e1d9f013745

SHA1
f9874b6a592ba03e198e9985c5e1de2aa58a797b

SHA256
fd2c4f4e8779f7dc3d33db45df92b0af0121803aab604bf332f1da5d7b00b72c

SHA512
ae1a7f88f6fa883f0aabb38c69bb7c16ba4ad7eb673d8f7662d6896514b7618d0b62c55449301ba6a0837a3181eec6376982f0b98542c3df4672a3f75b07a01d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdca5e04031ff92262f74c0bcd8a5e6a

SHA1
b36454d7d95a0a819863059c292c7f70726159bb

SHA256
b53d2756c7bed205e812f4faf8e851c712439433400cfe827d3146ea17e9b190

SHA512
1a8cbb3c9a527648217909ac8d4a238910683c08e621c948cd401e0fcee2f66c425d41cecf87c91cd6e4630dcdcbf872750047d769b88b80e4abe05644e206e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ef4232956eb5a052f1344d260fcfc7e

SHA1
d8333105574e41cf628ed48ee431075a140b4b95

SHA256
efc6d14f91eb09ea3951bb770ce4246eb49722a8a431e2223155210b12b15a8e

SHA512
02659d26a3d3ae7026852693cb1511ea3c9b02f7d78ee9121622ee3362e0e5fd2111eb408b127260420b0ba04075090d69258abb5c2fb9131859cbfc97b2abf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d412c2b2e39d5409ea6aca88f010efd

SHA1
259393e3b429263d36b5367edc319e69b53b1b65

SHA256
ad20ac376782ee1ea791d8bbce3f25277bce2dd102e1a9985313f4ebb6e9dc31

SHA512
22e18c13deb79678b44b210106c3fabd36b29ae51c61dcad204e9bf5ad90d87360e2fc78c88aacd7b79cd7c1cea942158e29c9efecdbbabf908882d5c5f75e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74964fa654db0c2ec0f98f7dedf5dda5

SHA1
9ff664b117316dffa8598514147b0b1d1f928266

SHA256
8e8589352179136d24f8db3c95cab6e518f15cdc53704377f3caa7551b536ef5

SHA512
a361556ceb28edde3b64fba2c73f25fa9c0daacde1a92174f8f64c7d3c355af0ebda08a1bd89ed763304df1d67596d973476045dde78a22c567fbd6ddbf2b80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37d867ded14febdb753b186921ebc619

SHA1
1198fa512b19bebc9314a6f54eaa40d4de0aee5f

SHA256
b66901f56538e2075e4136463790f0ef5ac3362d6bb69a63ef919861e782e879

SHA512
b1ca2f66969927b68b71d54eabe225da92d6fd6e90d9b3440fd75c5ae19da7c0e3c64cebd03478a90bbd74e8acd29a33482d3cb6d52c24163342f0ecaeeffe48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
175d4468122661cb81190a20095f3e31

SHA1
770f91e93b5c66320e5e6eabeea12094a172cdf2

SHA256
6c87e6a09714fb87d0a932086f0cafb7372462c5fe9341c632e01afc1082be89

SHA512
f41b658ba383a70ead6f24bb0d7a4e366f9fd917746c625a83297e4f61258847fa4131f0fcb4a5180bd5fc18c7ef81faa214ee931e901d96d28006ba3693e4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac13e352ba0ec09b912d8e9c87022820

SHA1
3c51b5d641fbb2c77e3045e8230152770ca0e72b

SHA256
9b971550446ecb1b8e8f27eab7a6bc2cfea09a7ca03ed0bc792ca473ff2b8728

SHA512
7390849546556dd66a0ebf3ac12a16c10f7233978a2f88ac4fd6c14d40e3748aef5f9a3f117cdfb7bc9d95d4e34c7523496e278f3a57ce0943e4fd69c8ebf0f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15a0d7fc0c05063c9c12ed8d243f96ae

SHA1
90b0cf8ce49cd664f15429b10e8b46c31ab0ac0a

SHA256
fce1a0a4b4ce04dec4fa090cc0601f5330f020efeb4e5a0f1a9de2214042fa5f

SHA512
63bbd9817359f887bd82674a9fa4ba27b513f07fb2bac672b8b70bff051385cfce798765fcd705b78142821dc4de84bedac0dbd70e37e49f69ef6ce2d7acd0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9114ddd17e57368086358a7efbfd85a7

SHA1
fb81b58b14ca0428a78a36f401466cd04f0a07df

SHA256
754200f4c4bd8aae113719925727306bc5709f2b6b453749e247979382bb71c5

SHA512
8332cdc1c95ac4bc0a318a15ae8a76de0180c42721171fe1722577229595b4a1e344517c997850a2dbed8835d9d276759c625aa13d96e3182ecf5494882cbd92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb6c7674109749aba6366258bdae4e92

SHA1
723e2ef2ed9d6ed95e7cb579f86903884642c348

SHA256
f9577d8ec8f5652445afc9074d4b522c98d0f60f75942024e02a6c3bf6910bf8

SHA512
9f3211aed553c95edc7d0085eaa5956a7b8e687fbb11330557978e61ebff11183a371c57f893fd1b11700f25757e04a3cc0415a0ce9d03348d7685707e726c38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58dd49b25246eb0ae62f6d5c5c822cdf

SHA1
1dcc576af87de4fb772e2c7f09a1f2517f545bd1

SHA256
955637fb379bec5418aa91f10cd226991ab7ed053adfe2b3a537ced40a3ccf2c

SHA512
0c70c960d1fb3a136afe2b608f869cd1eb74cf11b6358dd5ae4eb35329d40b9741ba28b735bf9cec8384e427ba422c891a937ccb4aad010930246134baa8fe4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea330afa384fc87b7e46ad3f0abd44e6

SHA1
ee36bf647bb69ac5206e1cf250a275d3c9ff36cd

SHA256
d7b55847c5483f218e8a1c8feac860b30acdb09dc24f6ba51f6ca9627e77dc6a

SHA512
c8bba606b66e626a7a398c21587e8a277fb182aa08b63fee197316148a6293d056d6d8b5724cac124edcf22da1cee9fe72b579e93e4ebd49fb5d4ca76803cb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4bd44a09830444cfe9084b97ebab058

SHA1
48a8b3dda772a31590c180330a65718704bfb545

SHA256
42db586d35e588619358c648d72c1b853ccb87080e007458002901b7b879079d

SHA512
2aea7979d358a01bca95bdd86891bb1a1cac382e1a5741c19c2666ee7e0eb06d6e343a258416fc26333c5f69fe59dce2c2be2a9f388446a53cf2321f7d0d4a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44153dad555c77bea390326d385f93d3

SHA1
0b637d894291464a966c4f9821eb45f2f7b7fac6

SHA256
d8767dbd46242e9b08ee1577a3d34b8009edbaa087f24107999909d4b3012901

SHA512
465ec8a5ff811877136c2a8d8970ad098937533a9a9ddc9ad5d434031d88de0f3010371fcec152e385b3f4969293522974be3111948fcab95fe630e0b30a8720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53614612381b7cf3058c46a055f309d9

SHA1
0dccc0c78654eb4109617437c90fae54b10d336c

SHA256
b30657bf1380994f936519ae900886a3bb7fcd60d81421e47bf76e33bc75dbc0

SHA512
d267e867122afcba96c2d55ddc4fcdcf49f3494901fd22d900c7e478b82db578dbc685b721ebd480cb07817c113466491554bebdb5195202cbe211cbee961ccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b68b2b0a0137f0856167f5846d0edbea

SHA1
45b2bfe1ced0f6c801d28547cc04db2e66f20585

SHA256
bbac4bcb6d7ca54d9149def12f8b80369ca5c7c4c219ba6d23f2a7ebc07ef913

SHA512
8864519e60942b4934d409a253a8c0a48fabfc4bbcadcae2b6e47c281983fdffe060ed69a1df69a48daf9a6fd048dfc49da7dd6359251a2115b590da2c5f5d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d9a708bc257eb8dc9a4bc3d7ad5c465

SHA1
b06ba48d26d63139538a6f423843d0c66eda9e79

SHA256
8c4575665cf6381b77754f6a4f7aa195c8f0fff0a1992efe37621678782ca89d

SHA512
3b2a8f6828061fd001ce83f9e7c875714fa7a3cf9873e8beb81a5dea2543ff2d22effafd21dfd2f54d83fe4c046ecc37699c0a961487313b25678994594d24a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cae37866efc812f38edba75b3a023eb

SHA1
93c634013444e35639f6df16b9e112f508cbd30f

SHA256
db2d67b0c83dc024f4e8eee629dd6a87d38aae7a0d5bd5b22a813fe1827d4e27

SHA512
cbaee126abef3b1ae3754ed3788b5a7b29b5060ec0d40920e239a0567dc6487aa5ce378d3c54120cf1415d020aa67bb8d6c59e1e4fe1e22921c97bc5a136efc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bde899ccc134fa6d6445900351c5dc09

SHA1
bb030057290cbec02b614982c5e16f2d47597a7c

SHA256
f295bfdaf0098f07e925dfb8220c24ff91006252b018d5de690689481a86f7da

SHA512
bc3f2fc924d26f02b2cf1c02d4ccc6ec70ad7092ebea8847444af5f64e1a034528a4ee14c078382c9116fa0b55518ea59fc976b6093a723c4cca025d7a096cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca9c13c3b1f5f3350e96dadeb2cde97

SHA1
3ac79f35039a12e38e454f026e39e123864fc3c9

SHA256
dec151453ae23d4015748882e7a7ebfa26f7daa1c6559155aa295f9b8cd58b9b

SHA512
7587bbf966d4618c11bd91edfb15a38fb00a9ed6791d60a1f5f5a503a852c875dc9d8d84acd3fce4ec51d3df6eee821a0f4e9e103e82daf7df219977ecc4ccbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b988a8ebac858ad8aabfdb1244f064f

SHA1
ec19dffb258344e198190a6fd03e136b6f59d033

SHA256
648868a878218450dd11228e5a738f520e6ef18a0cffa75f0ac620ce6b4b9c35

SHA512
2433e4cceb5afa5e175fba4012e5fad229045211008f23c19a66e809238ed1227179d5a17ab2e6cb5be9d7020a47ede417ac9a4f489cf699986b3cb021262556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f583cc3bfe625505cadd7c2f1e6def8d

SHA1
ec02cc3b4213a9498738ae656bbd59186fa66534

SHA256
3b896cc52d82b3a09be2d2839754fdfecb833241cfeb726899f49d6385dad20b

SHA512
20d2b5153a010580909767a3f1cf6e280c0a1b423ee5d702d676c9f4dcfd1f053b556a388150b81dad32316478d58e33cf2aaf068fdcfda8b5f68564462dbf6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7b374c4b89f61977d66be5c801faf4a

SHA1
c552c078141a1f8024d3ff02bfbe6a68d3276c77

SHA256
6441f590031bc5fb175b6158951bee8f5d662484d88b167467657148c55148e9

SHA512
d4501dfb09144c50d991e2d64f30583fb4408cefe35e02e7a6f2204f20d34a28aad65d13d9204c67902f28de238e1f7b57974bfec851cb9f7fbd0be608de7457

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE14A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE249.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FAB.tmp.bat

Filesize
156B

MD5
37f8b94fb64c5d8c199be6c299b67311

SHA1
3ae08fbb8738589eda315f319d76cc64040d8d36

SHA256
94ce5f0e0a98a2d975eb606ab8a8882f9bf77cb91c5181d1e170dd0f1727cf3e

SHA512
7a3994f8f86b1ab75252014d2965dcce61b90c0bd732f1ebbc02974dbc86c6cb96b523b5e3cb2e8b6ef29558223b3c5bec85fe7f96999bf2ffd6af31aa839e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
33KB

MD5
edd87a78e02a4c11c82bb8ccce9815d6

SHA1
a5c6753e71e4d4ad83325c60ec88780471297272

SHA256
da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b

SHA512
3bbdafa95291ac1df2fb4545f9f3818c1a5b817a4d6f3dde182a3996e71d2fd118df1447ddaf855c4432b8bdda454ae0aa26a31c4333785f87b744f34492a4cd

Download Submit
memory/2620-457-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2620-137-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-456-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-16-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-14-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-12-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2620-1328-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000070000-0x0000000000B90000-memory.dmp

Filesize
11.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads