xworm | c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390

Resubmissions

06/03/2025, 15:32

250306-syztyssmz2 10

06/03/2025, 15:00

250306-sdfwca1r18 10

Analysis

max time kernel
866s
max time network
893s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15415145.exe
Size

59KB
MD5

6c091ad6fae0fa76f44870d1a1b05cb4
SHA1

040f60c0ee3f4902f919025057e34ab4d11b1abd
SHA256

c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390
SHA512

3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86
SSDEEP

1536:skyZtyUQ8sBkROLW+UzbTH3gfm2qt0OgSko7:skItfQ8sBkROUzbTQf+6OgK7

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

known-savage.gl.at.ply.gg:45116

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3524-1-0x0000000000BF0000-0x0000000000C06000-memory.dmp	family_xworm
behavioral1/files/0x0013000000023b97-8.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	15415145.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15415145.lnk	15415145.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15415145.lnk	15415145.exe

Executes dropped EXE 15 IoCs

pid	Process
4756	15415145.exe
4684	15415145.exe
444	15415145.exe
5116	15415145.exe
1840	15415145.exe
2252	15415145.exe
3960	15415145.exe
4884	15415145.exe
1248	15415145.exe
4948	15415145.exe
3560	15415145.exe
2656	15415145.exe
4328	15415145.exe
4892	15415145.exe
2384	15415145.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15415145 = "C:\\Users\\Admin\\AppData\\Roaming\\15415145.exe"	15415145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3492	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	15415145.exe
Token: SeDebugPrivilege	3524	15415145.exe
Token: SeDebugPrivilege	4756	15415145.exe
Token: SeDebugPrivilege	4684	15415145.exe
Token: SeDebugPrivilege	444	15415145.exe
Token: SeDebugPrivilege	5116	15415145.exe
Token: SeDebugPrivilege	1840	15415145.exe
Token: SeDebugPrivilege	2252	15415145.exe
Token: SeDebugPrivilege	3960	15415145.exe
Token: SeDebugPrivilege	4884	15415145.exe
Token: SeDebugPrivilege	1248	15415145.exe
Token: SeDebugPrivilege	4948	15415145.exe
Token: SeDebugPrivilege	3560	15415145.exe
Token: SeDebugPrivilege	2656	15415145.exe
Token: SeDebugPrivilege	4328	15415145.exe
Token: SeDebugPrivilege	4892	15415145.exe
Token: SeDebugPrivilege	2384	15415145.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3492	3524	15415145.exe	97
PID 3524 wrote to memory of 3492	3524	15415145.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15415145.exe
"C:\Users\Admin\AppData\Local\Temp\15415145.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "15415145" /tr "C:\Users\Admin\AppData\Roaming\15415145.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3492

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Users\Admin\AppData\Roaming\15415145.exe
C:\Users\Admin\AppData\Roaming\15415145.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\15415145.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Roaming\15415145.exe

Filesize
59KB

MD5
6c091ad6fae0fa76f44870d1a1b05cb4

SHA1
040f60c0ee3f4902f919025057e34ab4d11b1abd

SHA256
c352c942b6df33510094c7100fb9d48e36b8e1e2af40a60ccc360b58721c2390

SHA512
3a414f40f99e5847d9631c4ac1143c76e77db7ae42dd8c7aed2ebf1742ec73bb802d54d6cbde3b04f6b894a4cf731aa4e9dbad95166bade13f787b489d8e8d86

Download Submit
C:\Users\Admin\Desktop\AddEnable.emz

Filesize
1.4MB

MD5
7e43551a662f3a398009e767e9b9c25c

SHA1
5409fb58a37a0d5fabd33314d768827d0b902f55

SHA256
781aa9a9efae8411f470ab82bc8d60180f921d48ebb43adfb43109625b369a75

SHA512
865e57f3d67707e4e152bc25f19d8acda94c4812b16d26511b766ac1c04a85278c859691138fe190c3b3e9f159fcb3d6f2f0907b8f543ee1b7578f9a463b8097

Download Submit
C:\Users\Admin\Desktop\CheckpointAssert.mp4

Filesize
360KB

MD5
b5ab29c40aec3002f37df81941085f9c

SHA1
144251d76d187a0a49f652ce0ce0d4dbbe7f3e7d

SHA256
dde9ff22480cfc7a0c9599a6d612e7c764ef77016009a2f9012b18b832f76796

SHA512
902a70313a35baa4e28d97aa29c09490f0863594054e79347629b796c626fc1333c7831903bba3215f053801df36444a9a9fa0261a25d3c2c8bb886655b92e96

Download Submit
C:\Users\Admin\Desktop\ConnectClear.pptx

Filesize
974KB

MD5
02e9b808d71533f17dd009d852f37eaf

SHA1
25b727de9b5385d8763f6db561d32473355ea0fd

SHA256
df4a8db6eaa7c9692786ffd5d80dc6bbd850889ece8c463f31a9ef53939ea1d4

SHA512
aa67fb358ab2fea53eaa29f8a793c4166285d48d5fe31e9b7e81ca16df943de50b2cc8bc7e029f1109843bdadd064ba6f1397cadb13c01b99f869b01594d5956

Download Submit
C:\Users\Admin\Desktop\ConvertHide.lock

Filesize
787KB

MD5
c53eed484084dd8db5ade69ea38b929a

SHA1
fa40bc15f2a52ab649080ea3c41ce3fa78c93ac4

SHA256
f5f2b8d2bda0b0960f2c5a2e10429e600d1e181a22376a6449ac67868355fe76

SHA512
9da50f908d074307d021c547457823e292b02a51e8b865503d632e389e10db9fa4214088db83309875dfdfa4b11811159ac047fb4de02a27e79959fe74b69bcb

Download Submit
C:\Users\Admin\Desktop\EnableGrant.potx

Filesize
440KB

MD5
851ff23ec947c790fa9fd697d372898c

SHA1
a282f457c3cba86ae4832a42042c274d507d0a68

SHA256
fda7de89865eb1e8075b139fb105fcbb12f4737824a87ee665b720914550267f

SHA512
76be5250267fa059f36ca53fba738fceaa5c1c6a992a03bf8c0069ad85821a982a72e311de8407780f1e3185dd57dcaa2472e99635ba06fce716f6a8bc750b86

Download Submit
C:\Users\Admin\Desktop\ExpandClose.gif

Filesize
1.0MB

MD5
a20aca4aa5becc03805def164b419e01

SHA1
a05ee5d7d684518b8f023e55c91a05fe4420fd49

SHA256
32755c44b6395830011b3ab20d4699332c8221346dc65105ca6276968996374a

SHA512
48665e377700eea4658f8c91bd05671a8a05cd87dbd6163e9b418c2d5e45fe732b37ac162f609850010c17920336447fd30648e27e8ea119472dbd68dc700dec

Download Submit
C:\Users\Admin\Desktop\ExportFind.ppsm

Filesize
733KB

MD5
fc58eaead5664d8caf7261f7ecd24fb8

SHA1
46b7a1dac69bf0cb6c63e855809dcfbecdc47bb6

SHA256
c67f465ad22395f4de9595de826a3c3a5e5404051f949c2377a757edb7d6efab

SHA512
2076978f757e3c4f61b95380d45819958c01d70d553c62ab6d1138398d99eeee2c32f7a4175a3b298953d34c00ad3fbe4f284c0eddfd9c64c7b9333dd0834081

Download Submit
C:\Users\Admin\Desktop\HideConvertFrom.xlsx

Filesize
13KB

MD5
14bd11c553df7ddb39a20b6bebbfc797

SHA1
40ba6d4f1e3bce2197b805d15ba3b3f4f5a28897

SHA256
bd06bbc660dc0338aab2d2f49c9067199137bc819a08614e73ba713cdbedd2f9

SHA512
2a440a8448e982da8335808fa0d670c0f507f7aee6740a279f642e656c30186152e668cb09d7ebda8985247e26c22a4ddda0ef5e47e55568e9c282f6986d8401

Download Submit
C:\Users\Admin\Desktop\ImportDismount.csv

Filesize
573KB

MD5
c7b5b3fa69ddc98f3971b6f0fff375c5

SHA1
88c6c2f3280aec141841eb72cc16513d09775ddb

SHA256
999c82f185d9ff434980dc67c1dbd8fed5dfc2681f940f58dad96bbf950f148b

SHA512
bdcad2e888e6212ed4d2e7120d9c9c844dd903b9a99f1aed1b9c9cf920d21fbc3ea0d878f5e8f49896113d445292e676c6219a7180d9c057029de5d26550bbdf

Download Submit
C:\Users\Admin\Desktop\InvokeWait.mpv2

Filesize
520KB

MD5
a468464d14d936efe5ad48238e973ba8

SHA1
8072283c8d8872d6f1bf1aaed45abda84419d4ac

SHA256
01dd09e95b43c3f5fc708f790e0a147edd776fc6207d9ef756962eab10f14ec8

SHA512
248b463405b96167cda9c5edb0c10c2d147ea588e77d022f6b700bd61074fab3dad6ef61e73f2a8757bd2ac3332aebffb6a0777761f2e49583307dcb6e29f907

Download Submit
C:\Users\Admin\Desktop\LimitMeasure.potm

Filesize
760KB

MD5
7d5949282095825e84061201b9d00ffd

SHA1
f8fca3b7277a78a83959985a9f18918d9825856f

SHA256
143fcae6cd4e495a50bd7af4b719283137ca8eaaad04d7323804cf880e9537bb

SHA512
6f835d0c4fcf542a27843819f46b6c2aee20d9192bba8121d052e72549cc16b4a9669b0a92155313a5b485cc903d99dd66d3d898a1283bc5ade84d1b3e0c60ac

Download Submit
C:\Users\Admin\Desktop\LimitStart.wmv

Filesize
813KB

MD5
9072ae5fa2acf189274bd6de2a5255fc

SHA1
646d77d14af9d017cdeb1ba1bacc840d2088d1f2

SHA256
d093c1468c25dad7acf85086a59237d6374790fb9396b93846b8cc9f06db6922

SHA512
311b1daf1b85fae00b5d0d53ab1d7b3cf509f8dc1ad6aa9b5926f808bbf2c623d9028c5657e768f29c142ad431599e17ce12d450bf9f2f1c05da9a5b56a7dec4

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
e38941d4a6f0b9ccced7289e75c6cecc

SHA1
b5d57843c68bbf4d45958b4dea8046d4c4bdb13e

SHA256
5fee93634a60723ba21f9c7e58fc2e04b83aaeec79790a737e7b823e4ab9afc7

SHA512
4424a2f8515b4f73592d0fface79f85d765ff225cdee0fe6dbbc2d76c6f3e16c00357b0ca4d08a3a47f1c4a01dd33b52448279818b99a5897f8ec7ee653703e7

Download Submit
C:\Users\Admin\Desktop\MountInitialize.iso

Filesize
867KB

MD5
29befb54b9e193bc01d2b227d453baa7

SHA1
4e49f6da0bf2365fb3b60773bbcefbc290ee49e7

SHA256
80ed161d2c11d4ecffa13f0a42c813d070145b3d7da73a1ec1ba2746cc0c4e65

SHA512
1b6e6d82e7dc6e5d100284bf1fa7bac463d93e0cdcb2f8c2f0226cf7ba742f2d0dc6c0516772645e70e1c66449871b44098fe30b04f0a1f08de918cdfe3fec12

Download Submit
C:\Users\Admin\Desktop\MountShow.vdx

Filesize
947KB

MD5
a9e9d8353ebd145b1ac112ab6ddd226b

SHA1
9f8e4a7e1258614706af38d59fbf03a2bfc87fa5

SHA256
4113afd77d853c5bbce274cceb910995ee89a439afff8a3a1330b68cf390e86b

SHA512
57e840574073b1ae4d17be0e63018461fdf7cfd4513683dc24ce8494ba55d38b149ec72df0dfa72ba42b21cd5cc6b409c2e6283da747634520e2cc19f74f0fc4

Download Submit
C:\Users\Admin\Desktop\OpenReset.docx

Filesize
627KB

MD5
f7a3882c7d75c6be35eb96f9ece0e4ef

SHA1
b2b7730ea41d8744ba98daf5931cabe54b48cd8d

SHA256
fcd25af14219783cd67868be73443551c77147ccf6784e1fd64be36d3c26144e

SHA512
bdddff14c6dc103c6f238e97ba8dad5ceaf6f1df25432dad0cf7ad66a9dfa2f8bb92de4e5fe2d8599c28f4f607487e272da98d8e2f87c3fc29bc2750b95a5a14

Download Submit
C:\Users\Admin\Desktop\OpenUnpublish.xlsx

Filesize
12KB

MD5
83dfa45380e062394fe0d8ca6fb819e3

SHA1
9f00e59f3bdf29aab981865eaa9534c1d190af75

SHA256
3968cc30af65f757811a6e74adeb83e6787ac31491b1e9011a4b633fb40122e9

SHA512
c07c8b50c0b99a6b847662054222a41fb44e14423fa7517d16ef646a45cb7477b8f6e6bc0e5695ffa880c15e393bba071455657f296269619d84a0a71b02a498

Download Submit
C:\Users\Admin\Desktop\OptimizeSelect.MTS

Filesize
493KB

MD5
8ae66a02fad919693a4997cd2c9d5fed

SHA1
074751a8dacda342d9f899409cbf263f3781491b

SHA256
08b438ff4b239f6ce4ffd4dea282ed55e07fbbfa315677a469c6422f241b7651

SHA512
9a82afbb83a51e06ccdc9ac75d228028efbc6c326020a8aefb1ba77555137986bfd8085b2032884fb9c9aaa493f9157943e37f889f2a7d2c52c2a54f7549c704

Download Submit
C:\Users\Admin\Desktop\OutGrant.wma

Filesize
547KB

MD5
05e3b4b60a5d6273745014d9465a21a8

SHA1
8f75979174c8f51778356cbb964f77e34bc22e14

SHA256
5366d04b6195b4bbe7f7d4b657b5fbd1a7d8e5cef2dc3b0623ac54614de416b4

SHA512
0d282dd93eedbc48d5c86f947dfca4f0714848aee1339c93121bb9e6215e458a4a6f9ef57a0d28a429321fea88f8a06b14d673af2a364d0bda75de6fca7bf2da

Download Submit
C:\Users\Admin\Desktop\RequestEnter.mp2v

Filesize
653KB

MD5
cbc9f8ba34069d96e69031237e0ddcd4

SHA1
753243e0093c1dc745bf0956c4fecfaf24d03c86

SHA256
2b7f65a00aa422dc83a79d87dea6b1e81219260023a141b201dbdb84b43893ed

SHA512
849e54a0b720fefc233b495a8d93d7a4992e86abd23e58749d1ea61eae11efcb20e724ba70f50fe071381e97cfee7c7927f52946c85615e4251dfe55ce741103

Download Submit
C:\Users\Admin\Desktop\RestoreRestart.xlsx

Filesize
11KB

MD5
d108a37536f778c2ee9868e2e5f3d87d

SHA1
eb9c9174a887852da39ecb0393fab5548b7d987f

SHA256
523868362fc3b29c35a3803034d4e9a611b7ac20ccdf8e1d4ffc5f2d51073164

SHA512
3b6df65e9e0091a17856e9180f890761ae671c89725d2c1dd49fb6187f507ef8f97400a553d349ea9ac673d6ec81f994b7270a9fba416ad1955b7fecf5769170

Download Submit
C:\Users\Admin\Desktop\SelectExpand.MTS

Filesize
680KB

MD5
daab63e3ff4cd734e14e0b26e243043c

SHA1
4c5cd124aff327f2d00c87b272795641c0a4e901

SHA256
9294828e1081a8e6c60eb7fe559f30b5f1caea7c75dc4b69e60358dd5c243de3

SHA512
e9e41c99db478b1b2f6b512b257b790464765da403004f73082e7b5fe6af6727e0d51983bb1d0c9d300bd7cc13d2201587742db7f54253d6ae8bc216c8fc8f7f

Download Submit
C:\Users\Admin\Desktop\SetWait.ppsm

Filesize
600KB

MD5
d7d11e43fba783827bdd593aaf197bc7

SHA1
db25bd67be7945fff93f3c17364ef646c8a05f71

SHA256
a8e08e202c4dcd9061178d2a4c3646999839b18e471afb84de942446172cb1f8

SHA512
ec585a0edc78f81ff953583f967888d6e7b6dd6f6224cd2c2e406784d20a55cd5aff3f880e57245a351e14ec56812006c07835386c8d009d56c77b0b121bea71

Download Submit
C:\Users\Admin\Desktop\StopMerge.dot

Filesize
1000KB

MD5
902d9cc673b4a29ccb77ddb1d244c801

SHA1
e1f7e562d0f54ddc6faf247fe4a19bb093c0da73

SHA256
eec9dd1c070f0883d7a1b43b40142f5ce6f3d48f951bd50629aec26fed26aff9

SHA512
9d693aadbadaa476af44ca98800ae3f83d6f290beef69e276ac3c7c2de978326514034271c3083e5e4cb4e27157ceaab3cadc4b8b0bdc1c8573858d7c0dda79d

Download Submit
C:\Users\Admin\Desktop\TraceExport.vb

Filesize
467KB

MD5
d6f2ba2c41fb8d714f38d2a69de9ee57

SHA1
392be89be2d7e9b225e0c5667fec175129fe39dd

SHA256
48cac6a1cd7323f289140472553fba0e5a3fce494b7859917659e332ebd535e1

SHA512
c107ab56ddd7316410c7755f3f3c5864c9ac7964fab18c288384e2879cc478e86e4f0f0c1219ed4c88fdd4dbb897f847ec44b0c24a815a427450ca24eb6634de

Download Submit
C:\Users\Admin\Desktop\TraceSet.jpg

Filesize
920KB

MD5
830d4019a77ddab8872d1cda91493c8d

SHA1
76820e106d6696c81e5c850bebf02b1470eca599

SHA256
df370f78449d0a2b9cfe6c046426302568e404927e82a209722606c4265c1e64

SHA512
fd441f20a34ec9ecf66f789e713bca87c75912c72adb93cb2d283a78973b7c8b1ceee04c15c438ef3f27c1d4ca9c06256017c3dd62f2c82519b32f3ef23cc492

Download Submit
C:\Users\Admin\Desktop\UnlockStop.xps

Filesize
386KB

MD5
c7f10bb669c28e5140744f283e0c7675

SHA1
f97cfc0e29e30b08ec71d589347bee7048ce2e3e

SHA256
ddaa11b6edc5dd5131be47f49dd252c9d76223a1ad2637d85d197a19360bc28f

SHA512
41abd7c97fe515b178574fa72b53df0c54862b1f4ed7a0374322f0e552a98250c0bbe2bfc668172a817bebd91ce29ecfc6668825b84afff68e024d4581a232d8

Download Submit
C:\Users\Admin\Desktop\UnpublishRemove.tiff

Filesize
707KB

MD5
7bc19b57720c9b960ba43648601a65a3

SHA1
f63582c7a7d3598d6acb9ca9e799af0e40744ec6

SHA256
81f69abd4e2109e85abde96466621467128a19138476712b2e4e2699dc45710e

SHA512
8ad137d3f0c79088c8d618c281447d6704a8470b6edf151cf4b150851adfa2e6c6c20df3da6e2b2f75f3ca0738d87c1aba39a1ab4e4e1a4ddb6f88fc65999951

Download Submit
C:\Users\Admin\Desktop\UnregisterInstall.ttf

Filesize
840KB

MD5
92b7ebcab204c1941cfcef21c5ca32d8

SHA1
52cb312de615be4c907b9a24b80fcd7e72c8e04f

SHA256
f20d9752443fe17d88d4e7a4184153e251cd1ee0490f7c2ff735d33cdbda8e9b

SHA512
7d381ee43363f1d9f0324c844673bcc3b0b04ed3caed62fd04c503d35958ef5565c484dc9e88ab3fd6931c76352218594ce44efbcbc4915a170deb95e5a3a433

Download Submit
C:\Users\Admin\Desktop\UpdateGet.csv

Filesize
413KB

MD5
589da0bc7f0a05bf39adfaf4de64f7f8

SHA1
73df832dc0b2c60f8f820305cc9e1177af87023f

SHA256
a3ccb05299875ea0c8fdbceed2d0f57df516784fd527e25ce148c11ae777d281

SHA512
1ef3d48a610f6d4c21f02469245f30ca7f04573d327121006b0f064a1c956052b89ac9403ef21ec18129aa90e5f24ead5b9160356cfd038e39ab73db0636f2f8

Download Submit
C:\Users\Admin\Desktop\UpdateWatch.aifc

Filesize
894KB

MD5
dfe2c371710cc972df68770cf0c09cea

SHA1
89e7582f0e2f8e0f43345124a81d29698ee09ade

SHA256
a0d7df577d5aae6eeaf3eeec11183ea2ca4d32fdb5e1b4766ff3716706ffef4b

SHA512
b58f762195f6fc9a9cc73ddad700d16aa1ebb6bf1a5d1fdcfb4df764d3cb07ba2076aab1b5b28a43047a7c6730f1dd1e2d5e81beb0c87af5aceb661e7d674cab

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
e5ccf08dd2ec3fd5b3283e3acd738e21

SHA1
00a9560622280c16f11dfd379b131ebad4d3839b

SHA256
f968c04b67034e11b9a90736ca21c9a3b53d1f57c6614bc97c74c8e3a1b2ddf5

SHA512
077746409012414fd01de054e56475d597820fb6717283dfa3751251b86cda095122c5497a26d2d197502284fe8b69f84871661b561370e55d5795a445697c49

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
5b4808de6d4a285089bbb29bf789cdae

SHA1
4af5af1e97433a2ae8850cd7aa329c21d018b125

SHA256
484cfc7ea33e2b6d4b7748c02a3fe6fad99811f7074932d057d6b84303f0c3ee

SHA512
a636de4b16a667e07e42a8dc09c875831bb3d979f83b6e3678319a32dbd6de20c521ee1a86ccbece65f2bf4ede7aa92b7d6830e300048ceaaf7600ca2663505a

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
f10d3c066617c0176bbc94b41d655d76

SHA1
44b2f66730ea406e5e01ebb8dd13de971a6a9a5e

SHA256
1e51e1a2794331fb2cbef6e39fc78ccc60b057fc160b1b599dba6e86dbe22acd

SHA512
3b4728296211bf3486f9cab796977b87673a34a748a9d6e134db12cde63667cc63c020b979181c72ba80d598c97526f1785c6574d718f54c95d4e9de95536aa8

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
bcf0f175448af9ed659c37c00fb2c803

SHA1
331765cb401a734b10eb0a60c1f5a5d358417815

SHA256
7fe5c4e11ba4d13c1384a43fdfdd23da62a67b86faded43aab69d1ccb715f585

SHA512
e7c1b9747116c0ba979cc01be4d29c60197d5cd670e242822bd544af5e469c1a461bcf3720f42f0fdcad4b281beaf9dc91a3ba77e003e830a4c1504761aa3302

Download Submit
memory/3524-0-0x00007FFFC0F03000-0x00007FFFC0F05000-memory.dmp

Filesize
8KB

Download
memory/3524-10-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-46-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-1-0x0000000000BF0000-0x0000000000C06000-memory.dmp

Filesize
88KB

Download
memory/3524-57-0x00000000013F0000-0x0000000001472000-memory.dmp

Filesize
520KB

Download
memory/4756-49-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download
memory/4756-51-0x00007FFFC0F00000-0x00007FFFC19C1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads