xworm | 3ee2fd48810d44c52854df63b99be9b5e4ef60efc70852b2e1672700f9a3c5a0

Analysis

max time kernel
62s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 21:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2024-01-10-18-19-14.exe
Size

79KB
MD5

0a2db837a415837ff64d570e9248f079
SHA1

10752d7b2a8f997ef1cfa73ad3675bb54600b18a
SHA256

3ee2fd48810d44c52854df63b99be9b5e4ef60efc70852b2e1672700f9a3c5a0
SHA512

dbc46cae96b51c64315446b369552a41006b96a53a8b56bde9bf262ad9ec93958b4485b67c85fee0b93c60d8cc9b83b850a4c8b618f6077f5ee1605cebc07523
SSDEEP

1536:Au+JxE8lRyMiOTHXe99l4BlRB2LsjT0YQNhKcQIoO9gkMtdt0hFJ:APV3ex2yMA7vxQIoOradU

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023bc5-4.dat	family_xworm
behavioral1/memory/3960-12-0x0000000000740000-0x0000000000758000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3760	powershell.exe
424	powershell.exe
4504	powershell.exe
1188	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2024-01-10-18-19-14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2024-01-10-18-19-14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	riwebt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	riwebt.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2024-01-10-18-19-14.exe

Executes dropped EXE 9 IoCs

pid	Process
3960	2024-01-10-18-19-14.exe
4796	SecurityHealthSystray
4160	riwebt.exe
2152	riwebt.exe
3508	riwebt.exe
5012	riwebt.exe
3640	riwebt.exe
1888	riwebt.exe
4192	riwebt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	2024-01-10-18-19-14.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	riwebt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-01-10-18-19-14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riwebt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riwebt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4360	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3960	2024-01-10-18-19-14.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	powershell.exe
2216	powershell.exe
3760	powershell.exe
3760	powershell.exe
424	powershell.exe
424	powershell.exe
4504	powershell.exe
4504	powershell.exe
1188	powershell.exe
1188	powershell.exe
3960	2024-01-10-18-19-14.exe
2152	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
5012	riwebt.exe
2152	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
5012	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
3640	riwebt.exe
3640	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
5012	riwebt.exe
5012	riwebt.exe
1888	riwebt.exe
1888	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
3640	riwebt.exe
3640	riwebt.exe
2152	riwebt.exe
2152	riwebt.exe
3640	riwebt.exe
3640	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
1888	riwebt.exe
1888	riwebt.exe
1888	riwebt.exe
1888	riwebt.exe
3508	riwebt.exe
3508	riwebt.exe
5012	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
1888	riwebt.exe
1888	riwebt.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3960	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	3960	2024-01-10-18-19-14.exe
Token: SeDebugPrivilege	4796	SecurityHealthSystray

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3960	2024-01-10-18-19-14.exe
4192	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
2152	riwebt.exe
3508	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
2152	riwebt.exe
3508	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe
3508	riwebt.exe
2152	riwebt.exe
1888	riwebt.exe
5012	riwebt.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2216	1184	2024-01-10-18-19-14.exe	82
PID 1184 wrote to memory of 2216	1184	2024-01-10-18-19-14.exe	82
PID 1184 wrote to memory of 2216	1184	2024-01-10-18-19-14.exe	82
PID 1184 wrote to memory of 3960	1184	2024-01-10-18-19-14.exe	84
PID 1184 wrote to memory of 3960	1184	2024-01-10-18-19-14.exe	84
PID 3960 wrote to memory of 3760	3960	2024-01-10-18-19-14.exe	86
PID 3960 wrote to memory of 3760	3960	2024-01-10-18-19-14.exe	86
PID 3960 wrote to memory of 424	3960	2024-01-10-18-19-14.exe	88
PID 3960 wrote to memory of 424	3960	2024-01-10-18-19-14.exe	88
PID 3960 wrote to memory of 4504	3960	2024-01-10-18-19-14.exe	90
PID 3960 wrote to memory of 4504	3960	2024-01-10-18-19-14.exe	90
PID 3960 wrote to memory of 1188	3960	2024-01-10-18-19-14.exe	92
PID 3960 wrote to memory of 1188	3960	2024-01-10-18-19-14.exe	92
PID 3960 wrote to memory of 4360	3960	2024-01-10-18-19-14.exe	96
PID 3960 wrote to memory of 4360	3960	2024-01-10-18-19-14.exe	96
PID 3960 wrote to memory of 4160	3960	2024-01-10-18-19-14.exe	105
PID 3960 wrote to memory of 4160	3960	2024-01-10-18-19-14.exe	105
PID 3960 wrote to memory of 4160	3960	2024-01-10-18-19-14.exe	105
PID 4160 wrote to memory of 2152	4160	riwebt.exe	107
PID 4160 wrote to memory of 2152	4160	riwebt.exe	107
PID 4160 wrote to memory of 2152	4160	riwebt.exe	107
PID 4160 wrote to memory of 3508	4160	riwebt.exe	108
PID 4160 wrote to memory of 3508	4160	riwebt.exe	108
PID 4160 wrote to memory of 3508	4160	riwebt.exe	108
PID 4160 wrote to memory of 5012	4160	riwebt.exe	109
PID 4160 wrote to memory of 5012	4160	riwebt.exe	109
PID 4160 wrote to memory of 5012	4160	riwebt.exe	109
PID 4160 wrote to memory of 3640	4160	riwebt.exe	110
PID 4160 wrote to memory of 3640	4160	riwebt.exe	110
PID 4160 wrote to memory of 3640	4160	riwebt.exe	110
PID 4160 wrote to memory of 1888	4160	riwebt.exe	111
PID 4160 wrote to memory of 1888	4160	riwebt.exe	111
PID 4160 wrote to memory of 1888	4160	riwebt.exe	111
PID 4160 wrote to memory of 4192	4160	riwebt.exe	112
PID 4160 wrote to memory of 4192	4160	riwebt.exe	112
PID 4160 wrote to memory of 4192	4160	riwebt.exe	112
PID 4192 wrote to memory of 3236	4192	riwebt.exe	114
PID 4192 wrote to memory of 3236	4192	riwebt.exe	114
PID 4192 wrote to memory of 3236	4192	riwebt.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10-18-19-14.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbAB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAawBlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAYwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdABhACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Users\Admin\AppData\Roaming\2024-01-10-18-19-14.exe
  "C:\Users\Admin\AppData\Roaming\2024-01-10-18-19-14.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2024-01-10-18-19-14.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4360
- - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
    "C:\Users\Admin\AppData\Local\Temp\riwebt.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\riwebt.exe
      "C:\Users\Admin\AppData\Local\Temp\riwebt.exe" /main
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3236

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bf3651a8682259b5e292b98289271f76

SHA1
4694a32734c377985dafbd15e26b9a129f1e4a45

SHA256
5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575

SHA512
d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
979e96c39590c6cd6535cde1f0182c2b

SHA1
4b92dba513f4d76f4fedec1f018595c016103820

SHA256
d90b8a52ba895bd8f50b6f4388a78c431428f0c6f50295fabc522b39d3374a0f

SHA512
4af06e6c6193e866b2fc71b73161c72a579dd029352a2e3d92014903619019113d75c9039cf818cea6fa37bb74c67650ed6cbf6cb2b71572eeb05c7422f48077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vevkedj2.fds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\riwebt.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\2024-01-10-18-19-14.exe

Filesize
74KB

MD5
9fd737e642e488c941cb3cfa205bf0b2

SHA1
53c1d11e884a4eb76a402111447e7659292a2813

SHA256
e5172d5f750acb734d00f632d68ac1542444625307f7d5abd519810943f8af2f

SHA512
ee6d98f5760fe357515b89fa6a44d8635f4cd3a6f3cd14ea9bc9a03a479da45f0410c182c7159356bab3f42a6afdac58c018bb483de4774fa004b1b7e6370e08

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2216-46-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2216-52-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/2216-18-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/2216-29-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/2216-30-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/2216-31-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/2216-33-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/2216-32-0x00000000066D0000-0x0000000006702000-memory.dmp

Filesize
200KB

Download
memory/2216-34-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2216-37-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2216-45-0x00000000072C0000-0x00000000072DE000-memory.dmp

Filesize
120KB

Download
memory/2216-47-0x00000000072F0000-0x0000000007393000-memory.dmp

Filesize
652KB

Download
memory/2216-17-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/2216-48-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/2216-49-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/2216-13-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2216-51-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/2216-19-0x0000000005A90000-0x0000000005AF6000-memory.dmp

Filesize
408KB

Download
memory/2216-53-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/2216-54-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/2216-55-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/2216-56-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/2216-14-0x0000000004B50000-0x0000000004B86000-memory.dmp

Filesize
216KB

Download
memory/2216-67-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/2216-15-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2216-73-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2216-16-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/3760-66-0x0000016BCF7B0000-0x0000016BCF7D2000-memory.dmp

Filesize
136KB

Download
memory/3960-50-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/3960-111-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/3960-112-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/3960-12-0x0000000000740000-0x0000000000758000-memory.dmp

Filesize
96KB

Download
memory/3960-11-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/3960-132-0x000000001C470000-0x000000001C47A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads