xworm | ba632368edb4e5751d72f276a1bc0d06dbd7b89a3583a5db09d3b39ee2576256

Analysis

max time kernel
117s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloxstrap-v2.8.1.exe
Size

11.1MB
MD5

98fe512e86a4d844618f4275cb11f9da
SHA1

42b6fcc6b481fa21bafd86c061c8592d327993cb
SHA256

ba632368edb4e5751d72f276a1bc0d06dbd7b89a3583a5db09d3b39ee2576256
SHA512

65d8f84dcb0c3971bb9c7930ba02e14ae05a62cf431576bcb8cb0de59f5a8c22decb7648481156a186d914410d914e69337d5069c7c5345bacaea2be94fc9659
SSDEEP

196608:ESHBLJKbIWxA63vYjVQ4SvrOXvH0RG1jT7ub1EBKnQtD794BY:BBVKNAGvcmTWUc1jT7FKny

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

192.168.68.139:2068

tell-outcome.gl.at.ply.gg:2068

Mutex

SXJOPv2u5QpF0aEa

Attributes

Install_directory
%AppData%
install_file
FileExplorer.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015ed2-11.dat	family_xworm
behavioral1/memory/2576-12-0x0000000000EA0000-0x0000000000EAE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
2696	Bloxstrap-v2.8.1.exe
2576	XClient.exe
1220	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
2780	Bloxstrap-v2.8.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\FileExplorer = "C:\\Users\\Admin\\AppData\\Roaming\\FileExplorer.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2612	iexplore.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1212	timeout.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{691BA831-A8F9-11EF-8E45-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000082284a7edb7c2f3226941c5215e4cd5fa5c97a7b1a404d7f45351b249b104ba3000000000e800000000200002000000028d0077828deec38e446459b3b78e6a52dcac69b7ec1f370ee6f4ca2ae3197bf900000005a17a8d5b3ca9ce97618e37a39996126d3298202de40180bdaa1e1ce0f03a8573d6c30cfa0aa832699c1b973bd95a5fd802bc76aaee03806b85ff045ef91824c27275fd16ce9a1a122ac636a45e304c62f6501d7d4f6d4617c6957e23546c88369e5b81f31c56fc248a487cd7f3e98624f3d58d592e2b71a011219a2f7481045ff2420849cd78d89113c267ae7c5788e400000003a3d6f43b8172972070dca6c2687a8173701b7d197cd5450338213451bd93f35377195af4bca5ddac7e951a82242a33ae2f047051fc57cf764a22f7468846902	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f09a42063ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000be9ba662ab040fd959f2b4d7047fa9eab6cbbd3ab0a54de4f2a5e162536e368c000000000e800000000200002000000097ae701145363a66f5428f5ed15900b2ef8f92fba10b51145b2cd8d1820887f4200000006b837d1fa7b264b09f0c9c2ec5afcac5935aa821d62380ab7759932fb9708fb4400000002b60973e41ec0e10c44f1fdfe8398d56f9a23f37bbc6b5199d4fc89dad2c901562ce80043d868762165cf8a8b7b50b4b55353c7660e88cae524c464e82356928	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438459331"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	XClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2612	iexplore.exe
2612	iexplore.exe
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2696	2780	Bloxstrap-v2.8.1.exe	31
PID 2780 wrote to memory of 2696	2780	Bloxstrap-v2.8.1.exe	31
PID 2780 wrote to memory of 2696	2780	Bloxstrap-v2.8.1.exe	31
PID 2780 wrote to memory of 2576	2780	Bloxstrap-v2.8.1.exe	32
PID 2780 wrote to memory of 2576	2780	Bloxstrap-v2.8.1.exe	32
PID 2780 wrote to memory of 2576	2780	Bloxstrap-v2.8.1.exe	32
PID 2696 wrote to memory of 2612	2696	Bloxstrap-v2.8.1.exe	33
PID 2696 wrote to memory of 2612	2696	Bloxstrap-v2.8.1.exe	33
PID 2696 wrote to memory of 2612	2696	Bloxstrap-v2.8.1.exe	33
PID 2612 wrote to memory of 2404	2612	iexplore.exe	34
PID 2612 wrote to memory of 2404	2612	iexplore.exe	34
PID 2612 wrote to memory of 2404	2612	iexplore.exe	34
PID 2612 wrote to memory of 2404	2612	iexplore.exe	34
PID 2576 wrote to memory of 1168	2576	XClient.exe	37
PID 2576 wrote to memory of 1168	2576	XClient.exe	37
PID 2576 wrote to memory of 1168	2576	XClient.exe	37
PID 1168 wrote to memory of 1212	1168	cmd.exe	40
PID 1168 wrote to memory of 1212	1168	cmd.exe	40
PID 1168 wrote to memory of 1212	1168	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap-v2.8.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe
  "C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.35&gui=true
    3⤵
    - System Time Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2404
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38f9890c3422aded05d5bca0e5665ac0

SHA1
504bf052ccfacd25facdd793d846d1d34a8fd9d3

SHA256
5f45b48cf76789201945d0383c668293081538f11971e33e82ce5ea91cc938dc

SHA512
c05a97ad3c7b9e84646a1315a23d45b3f9864e9b50c446f1c2ca18147282d30ccd556690a5194cf157ee23977a5a3888af63d807617043886b9cbed3fefa72e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
010759f5ac7a21b890205b090bdb696a

SHA1
cfbb3ce57fd403c3059ae85a7d5411f30705d8af

SHA256
4c68512c7932e85615fb401740f371da314a1b0f6a9161ccbb57361821335542

SHA512
0def4ff25c2c63a6c835228bcea7216f3e40a78c87b86d2476b31a9820f4a226738bac305a5531318aac35bf0ec4576c3029debcf8e63d566a30e3192630200b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a73a224673af3cc971598f804ff5ffe

SHA1
4544026159378d3c0c84b9bc172f0a0cc0b7f12d

SHA256
0a0e019d7df8294f1fcc418eb6409032abcde392922252cb45bd696741739d31

SHA512
f134c93b9a112e3abe987274c26a78825382eda3617ae1438843fdf77d0ea4d62f80d6e081d356953dd5868108392c38d1667a961fd7763cac4056a3bf1bcf2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3e8a8883fed8db9cbbff4a533fcc2ba

SHA1
fa111bd2d975b1ef85eefadcca299b213e34d3d8

SHA256
b9594199ef09fc5d1d161345c43824f25d85d6334fd4da26c47c9dff779f261d

SHA512
6a940c2d92aaed438cc6d6cfd12ad517b3a4c8d96b196e61d70df380cf58a35b49c2e4779c8d82d7990fd0f8665f1dbedc38e4fc99b21285ed47ebe9b03e2198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb907420ab414d1a509df75e7182cbef

SHA1
12d1ff25b301536fc7ee67c5f8088d32feabd323

SHA256
7e6556f290d867a76d52fa1620e3e718ca660425e4af88c1c67f05bee18bafc5

SHA512
05562297238d4f5394c9113fb0b8bb8e782a5e7d5c2432d548033f9415e726777aa3c88a3069725f623d8640333d43668ab17b3f66b5e8f4379b63dc8e3119b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51fc72d2b0d41f719ebbf4d444f65afb

SHA1
c43fd6604e8528042af3681fc986fd985d344874

SHA256
7da57d48a411351db109b7b9c61c29fd73416164ac3568ef371e1c757eabbfe6

SHA512
2d22ada20b55782028667dc0b2a17fdcc67c4e9ec87a127c8fa010c495e359f6ba03dec974ad3dfc2dfc26f6c56765445ced9b9688a8ccf72438e0b700024beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65d40c06fc11db41ef4220281b9a9341

SHA1
ab7b98af64aacf5be9981aca48aeec04876e74ea

SHA256
ad136ba4df7d2525419ba17e04266d29445156a233b0d146d7f91a8ddea86e51

SHA512
c4f80f7ebaec51a832c5a74a94c9c59b28baecf8907b7c08aea60656f20dd100398ae365cce0b54d0be5db3f9b450ffdf0fa5ee15957e2680b594d9f0524f490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b785376fcaeb83b660e0fe467682d4

SHA1
9ea2cbbabc9c8de2ae1c4fe816097a2707dfee90

SHA256
bee554b2f0129592dfcc475b6f2d05771862b14e75c0730fd296de52a62ba587

SHA512
ea50e3bfee83ec436111d433827c9bd7e7134f43c5ecb8cc3f62f33bc9a8e209041e8c73ae8dd4fdfa83cfce4aae3f6d46a517bc24d2cf8ee5cbb0a95c79e73c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48dd8a68b3ab32a94d45a0ce06045dad

SHA1
72c5daa6041aa98261b41772cc6cc4be0219f1b7

SHA256
abc898688a33807593f0b3969143c4c24cf4ca44346a99a65d270987a7fc22c6

SHA512
716d44ea2532038406aec352657424bfd55e24f5d22ba0ad1b9edfe5ba1243b963e79c2b014fbb3530911c98ee05cf1c97e06ad798203485a620ab1bcd0c2a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ad563acbcbc6dc1c7b725bc4572bd7

SHA1
1e8aa31ffa475d89d9ad10947bfacc39c58374c1

SHA256
f378674682e59dde5f0ee568fc28219a342478dfa7d3ad83db2122d431eca4d8

SHA512
c1fb02301eb58413bb983209ee528ff8d05e605eea06e13f343f6bed980e821965de1762ecee1656b742a04537174a7eb3ebb333be9e81d47b3105515f8aac82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049a74774f4ad89bc7f040b1a1979eb8

SHA1
ebb3d8b183d599d6be7527b37973ab698ae9cded

SHA256
1c5fe4c7628b5d67277077ce62211592fe7d11420240092450e3bb1e16be19a5

SHA512
5ebb061ac3e54f5bdda7396a116224c0fba60e11bb066928fafe5d8781754a2fb33948786456828c27ea82b47a5f54498a1d6d57129ac7dc0e6a17bc311a41b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9849e02fb8b4ef67b07ea085cd614c20

SHA1
180326f664f92b4899b10ec24ecdff459b16a607

SHA256
d2f0f3d108fcf2b6c05b11ca0b377c1a5823d0b5a4679109064676d2d2d52676

SHA512
8985b8c7e49ff6788bc59e9053501ffc52db7b27462cec82eac6a2bd1873613ebe172cfa3fb929f522f50efea8ee4e04024abe60df0eafcd3e317c5af168f5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
393b2c16f76849cb8bab7aef1f7909a9

SHA1
1cc8318c75253d1d9edcf20e695ffc59816616f6

SHA256
3cd7515054cf8367ed7578ed1114fb127425d0e3c65bf80bf15624c01a07b243

SHA512
49a528b337e483f8d8f499fa5510121c233a5b32f2c6b6cbcd8a2010ca0e5a69bd7a6371c1d8954fad4f2f6bd57090f29b24b330586a31898785c800619ab5aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4798a7bbd5921c4d07b09a4ac7f12574

SHA1
39f59b01b6709462b5fdba3e9390c87daa85b783

SHA256
3854e84c3dab36ca3e72277c8914e21cd12731a419f05260b9fe099f95d219e2

SHA512
ad18d47a3b62cf3a94b1d57a9157f6c2fb807a16508201e9fd9993e54d9e7804aaa3e5e8590643584c5aaf17984f0b1f5249929bce873755b18d09e5039f781b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b3b23cde50d59f6edea91604e0b96e1

SHA1
36dd0c8c20d59ac773ac88b55f77656a115d97a2

SHA256
148cb191d123f7a3e9a54c0fc2a918b19d1550cb31b028d08ee8474e26c6513d

SHA512
0a30581e0de7415e638230673e2550153bf34ab020989d447da6223ffde3853539963ab442cac9977f07c90cdc7af2102b7f9d83399aed366dfea43f1da10b3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c63aca518657ad0442c6cb9e0d62c48

SHA1
de269a838c766843824be23e5a9b703dd724da59

SHA256
0921ba7b7c63c67cf19529d9be24e5de35fdb4c3cdddb8c5fc211a821f910cf8

SHA512
2d9570099a9db0431a07ed341e4c52e56d3b0eb941de735d420a67779cbf1c8027ee05ee7d49a122129bfa956f991795da26884a9de3cafe35eabb1fa25f915a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8c72f6dd66fa056f370d3285d4e4206

SHA1
5266ec55986260ed54879f4b7d87b30be8c139f0

SHA256
51ea9bcabbef6ced98de206dfdbed52796f8e07c4621d975f9412447451316ce

SHA512
392c0b99eb153f19d82b7a281eb5ee9b5d846bed2af90677529d29feca1e1dd50deb7a23687e27dc64858929ac3aa57e2d030065a58b20af7461014cd1616f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae450163c955811bb729c41b5bfa6471

SHA1
79334d4bc0de96d3756b087f8e8d9a72cf67f9fe

SHA256
c5b8b9d98dd54c1df9f7e1bbcb509e443185e6c8394e60459256595a87cd63e9

SHA512
a0250454e6aae8569aa8649cac61881b09b308940d3a9b70f7141d9558d136d9308e320e58ba9012129b0169274dca05737c50a79541856580de20fa1b354284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a258d27a684614595cfed37a5ec66db1

SHA1
98fe7f9eb4a7a81dc8f1671ed06fa48a940cb93d

SHA256
300a41f1932bc41ef2959a37ea32a8b3268999cd0b7b6d1ae7371ea7c1e6d77e

SHA512
804858420bc1807e2db94bf4dea3d4f6e78ea3a3c0183d6bcc4a4e2c7d1100754c2a3635118d7c023c17aa53a6f2dbc878aa008b6b905af0cbf28c20ccc63ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35d59e930942dfd86c64d6de16719e91

SHA1
83c79596b78d8f884e771148d2d0fbfdbbfc46bb

SHA256
17a9244bb8971bc4b5d307a1b36c579adac426e1f55b78322421709196d5e6af

SHA512
12fd2d7fd66d6e455385ed608964026c9c7b885a2d9f3b21a42a01784ce8df02df14c6e1f476b11231d611ff1ddcfe91f3f11460dec5ab2326f16fcd67a99e4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ecab8f102ad3004e63798df619c4ad6

SHA1
b195ab1783c621a7f47d947b8762e84dabd9213d

SHA256
4c67a4b9dda537e1847f998574034a747c0a834440fde73b2563bd9d9186c564

SHA512
c6da9860bf453af54f425e96790181480f5ea80454bf8eb372d2196a1f0b9955067188d4d282b4316b42c6c385e0fe3372cfecce584bf8a1167226ed05d3cc62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12731fd19552b0163e5335662439b3e9

SHA1
88419c1c5fbe368bb660beaa38943fd3e54d53fe

SHA256
3a3cf5f1d35614d0fceb0512a15845e15eba0cd545eae010e38e6d35ccc4ace3

SHA512
a4077ec92144a917f775a45df160c4aa5d29c4b2ae4228cbf886d2a418d2fbc2ca1c71a504fa8d2a00661c281a1e0076816d6d55a82b922fabf4a616ee0f5289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b378c674ae14a75403b64d7fb96797c

SHA1
787fe71de72dd6d8ac1ba907ef8ca2a90f7ebbd8

SHA256
16de0e6808d2b3768073555d483fd802674723987ebbc843ba3b8023e2af9b99

SHA512
cdb76773a6685da78feed22a69aa4a05ce1afe0b10ea66f7069d1bee3454fb99c55e40ea6b13288115cf759e9486c4a6d2ce52231d10d0a58dd126e06186591c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b58a093baeeff910bcaa7e32656c4cc1

SHA1
c42ec555cd30ac1610efdba306d4cfd3a1a2588a

SHA256
c22011a7d0d6c46806801d96790cac0bef5004717cb98fde0ec4455da7b3107b

SHA512
65e36f518b3072af487e1cef9ca2551fac359517436eb14821b56bfc501bd775668e669b5ebb7bddec113cfe863ac27a71c52ecf29ac8a63f9f626940a2104da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
824b1de9673f88b461705450731bf966

SHA1
afe79e5379ecde17fa5f60b7eb2ba4d2c177d622

SHA256
5cf606ee2d3cff6ac5bbc1d921f423b7c709bc86d412f1962fd4c3e732f5a3f1

SHA512
5336b76c6fc5d8410bc27f99653c08af75a9bd353fdc068cb1ead1650d9747c3edfa8c28bd3de68ec8861ea30adcf72751e976aba11ed908fe526f26955d2925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1ED8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25C9.tmp.bat

Filesize
156B

MD5
284240fe512af578ea67cb0caf7a513a

SHA1
6597ad81235a0350b00f26973032e529101ff499

SHA256
94d62ac3e707bd41e515769f789988fb8a70b72550cb9e2cb113f7ad674820b7

SHA512
eb0e4e1e6866921dd5794a64e8ca04893b444d6fa5bac80c87d539a9e339163af0a2e1e458f6b344fdfe5694948476395f993d88496bbb6c9fdcb3bcf65b1fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Bloxstrap-v2.8.1.exe

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
33KB

MD5
edd87a78e02a4c11c82bb8ccce9815d6

SHA1
a5c6753e71e4d4ad83325c60ec88780471297272

SHA256
da98f8de94a1f21adebde64bd45a11921fedeaec036035c46b80621b619f017b

SHA512
3bbdafa95291ac1df2fb4545f9f3818c1a5b817a4d6f3dde182a3996e71d2fd118df1447ddaf855c4432b8bdda454ae0aa26a31c4333785f87b744f34492a4cd

Download Submit
memory/2576-16-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-451-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-13-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-12-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/2576-1031-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2576-114-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-1330-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x00000000010F0000-0x0000000001C10000-memory.dmp

Filesize
11.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads