xworm | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
105s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3eedde12ec9a2f363c13d643bd2acdf.exe
Size

48KB
MD5

f3eedde12ec9a2f363c13d643bd2acdf
SHA1

2d53fef1c7b2036d4c25097fe1d3d5276cff9cb8
SHA256

63c8a594926959e99dbcaac2e4bdf923691373d432500ddc0572996bfb8e399e
SHA512

0f6f4ed01f591edb4565fd31169aebb3be2d2dec246459411c52db0c9c7168da4404d4657312c879980b524da6047d9a87b8a49bae5836bf40e9ebeb6f166a53
SSDEEP

768:p4Q66hONMScH5lT67gmvCrPz3uRr+Ubpi6yCAHBQSE+ZO+h+ArZ6T:pXOWpzPz3WrhbpryCAhQx+ZO+do

Score

10^/10

xworm defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

request-busy.gl.at.ply.gg:6728

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral29/memory/2736-1-0x0000000000CB0000-0x0000000000CC2000-memory.dmp	family_xworm
behavioral29/files/0x000c00000001225c-100.dat	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk	f3eedde12ec9a2f363c13d643bd2acdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk	f3eedde12ec9a2f363c13d643bd2acdf.exe

Executes dropped EXE 23 IoCs

pid	Process
2584	hqicuj.exe
3000	MTHR7H.EXE
3020	TOJNSR.exe
1740	MTHR7H.exe
1008	MTHR7H.exe
2320	MTHR7H.exe
2924	MTHR7H.exe
264	MTHR7H.exe
1688	MTHR7H.exe
1060	MTHR7H.exe
508	MTHR7H.exe
2496	MTHR7H.exe
2836	MTHR7H.exe
1848	MTHR7H.exe
2824	MTHR7H.exe
3060	MTHR7H.exe
1232	MTHR7H.exe
660	MTHR7H.exe
1744	MTHR7H.exe
2564	MTHR7H.exe
1856	MTHR7H.exe
2296	lxwtmq.exe
2948	MTHR7H.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	migwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\f3eedde12ec9a2f363c13d643bd2acdf = "C:\\Users\\Admin\\AppData\\Roaming\\f3eedde12ec9a2f363c13d643bd2acdf.exe"	f3eedde12ec9a2f363c13d643bd2acdf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	TOJNSR.exe
File opened (read-only)	\??\w:	TOJNSR.exe
File opened (read-only)	\??\a:	TOJNSR.exe
File opened (read-only)	\??\e:	TOJNSR.exe
File opened (read-only)	\??\i:	TOJNSR.exe
File opened (read-only)	\??\p:	TOJNSR.exe
File opened (read-only)	\??\r:	TOJNSR.exe
File opened (read-only)	\??\s:	TOJNSR.exe
File opened (read-only)	\??\u:	TOJNSR.exe
File opened (read-only)	\??\y:	TOJNSR.exe
File opened (read-only)	\??\b:	TOJNSR.exe
File opened (read-only)	\??\k:	TOJNSR.exe
File opened (read-only)	\??\m:	TOJNSR.exe
File opened (read-only)	\??\n:	TOJNSR.exe
File opened (read-only)	\??\t:	TOJNSR.exe
File opened (read-only)	\??\z:	TOJNSR.exe
File opened (read-only)	\??\h:	TOJNSR.exe
File opened (read-only)	\??\l:	TOJNSR.exe
File opened (read-only)	\??\x:	TOJNSR.exe
File opened (read-only)	\??\g:	TOJNSR.exe
File opened (read-only)	\??\j:	TOJNSR.exe
File opened (read-only)	\??\o:	TOJNSR.exe
File opened (read-only)	\??\q:	TOJNSR.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral29/files/0x00050000000195c7-29.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe
File created	C:\Windows\system32\migwiz\$dpx$.tmp\642420f840596c40860c44d66c8db5b2.tmp	wusa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	TOJNSR.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOJNSR.exe

Delays execution with timeout.exe 20 IoCs

defense_evasion

pid	Process
1560	timeout.exe
1128	timeout.exe
2808	timeout.exe
2564	timeout.exe
2748	timeout.exe
992	timeout.exe
2268	timeout.exe
2968	timeout.exe
2832	timeout.exe
784	timeout.exe
2320	timeout.exe
1564	timeout.exe
1480	timeout.exe
2304	timeout.exe
2272	timeout.exe
1612	timeout.exe
2776	timeout.exe
2836	timeout.exe
756	timeout.exe
744	timeout.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop	TOJNSR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dot\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithList\ois.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mcl\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2TS\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmf\AcroExch.RMFFile\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCDTFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\accessthmltemplate\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.fnt	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pch\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\BriefcasePage	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accde	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.java\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pptm\ShellEx\PropertyHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rle	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.StoredProcedure.1\shell\Open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lgn	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rqy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.ACCDCFile\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Extension.14\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Report.1\shell\Browse\ddeexec\application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.3ga	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1\shell\print\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxd	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.msstyles	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.thmx	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\7-Zip.tar\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Acrobat.AcroAXDoc.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Application.Reference\shellex\{000214F9-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.appref-ms	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.exp\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rpc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wps\OpenWithList\winword.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.WizardDataFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.RMFFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\BriefcaseMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpl\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.p7m	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.14\shell\Open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.tp	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dwfx\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ofs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Query.1\shell\printto\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Table.1\shell\printto\ddeexec\ifexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlam\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{152DA466-C04C-4A4D-9707-0714DB744A7F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{e49dde22-c999-4d57-86fe-6d6c610d4b94}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4p\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{b3fd0790-e46d-44d8-a88c-fcd99771da5e}	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
568	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1488	schtasks.exe
2612	schtasks.exe
2396	schtasks.exe
2392	schtasks.exe
2324	schtasks.exe
1912	schtasks.exe
904	schtasks.exe
2504	schtasks.exe
1160	schtasks.exe
1888	schtasks.exe
2148	schtasks.exe
908	schtasks.exe
1968	schtasks.exe
2888	schtasks.exe
2916	schtasks.exe
2612	schtasks.exe
2324	schtasks.exe
1288	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe
3020	TOJNSR.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	f3eedde12ec9a2f363c13d643bd2acdf.exe
Token: 33	3008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3008	AUDIODG.EXE
Token: 33	3008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3008	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2008	migwiz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2584	2736	f3eedde12ec9a2f363c13d643bd2acdf.exe	31
PID 2736 wrote to memory of 2584	2736	f3eedde12ec9a2f363c13d643bd2acdf.exe	31
PID 2736 wrote to memory of 2584	2736	f3eedde12ec9a2f363c13d643bd2acdf.exe	31
PID 2584 wrote to memory of 3020	2584	hqicuj.exe	32
PID 2584 wrote to memory of 3020	2584	hqicuj.exe	32
PID 2584 wrote to memory of 3020	2584	hqicuj.exe	32
PID 2584 wrote to memory of 3020	2584	hqicuj.exe	32
PID 2584 wrote to memory of 3000	2584	hqicuj.exe	33
PID 2584 wrote to memory of 3000	2584	hqicuj.exe	33
PID 2584 wrote to memory of 3000	2584	hqicuj.exe	33
PID 3020 wrote to memory of 584	3020	TOJNSR.exe	34
PID 3020 wrote to memory of 584	3020	TOJNSR.exe	34
PID 3020 wrote to memory of 584	3020	TOJNSR.exe	34
PID 3020 wrote to memory of 584	3020	TOJNSR.exe	34
PID 584 wrote to memory of 428	584	cmd.exe	36
PID 584 wrote to memory of 428	584	cmd.exe	36
PID 584 wrote to memory of 428	584	cmd.exe	36
PID 3000 wrote to memory of 1740	3000	MTHR7H.EXE	37
PID 3000 wrote to memory of 1740	3000	MTHR7H.EXE	37
PID 3000 wrote to memory of 1740	3000	MTHR7H.EXE	37
PID 3000 wrote to memory of 2324	3000	MTHR7H.EXE	38
PID 3000 wrote to memory of 2324	3000	MTHR7H.EXE	38
PID 3000 wrote to memory of 2324	3000	MTHR7H.EXE	38
PID 3000 wrote to memory of 2300	3000	MTHR7H.EXE	40
PID 3000 wrote to memory of 2300	3000	MTHR7H.EXE	40
PID 3000 wrote to memory of 2300	3000	MTHR7H.EXE	40
PID 2300 wrote to memory of 2564	2300	cmd.exe	42
PID 2300 wrote to memory of 2564	2300	cmd.exe	42
PID 2300 wrote to memory of 2564	2300	cmd.exe	42
PID 3020 wrote to memory of 1252	3020	TOJNSR.exe	43
PID 3020 wrote to memory of 1252	3020	TOJNSR.exe	43
PID 3020 wrote to memory of 1252	3020	TOJNSR.exe	43
PID 3020 wrote to memory of 1252	3020	TOJNSR.exe	43
PID 1252 wrote to memory of 2008	1252	WScript.exe	44
PID 1252 wrote to memory of 2008	1252	WScript.exe	44
PID 1252 wrote to memory of 2008	1252	WScript.exe	44
PID 2008 wrote to memory of 1456	2008	migwiz.exe	45
PID 2008 wrote to memory of 1456	2008	migwiz.exe	45
PID 2008 wrote to memory of 1456	2008	migwiz.exe	45
PID 1456 wrote to memory of 568	1456	cmd.exe	47
PID 1456 wrote to memory of 568	1456	cmd.exe	47
PID 1456 wrote to memory of 568	1456	cmd.exe	47
PID 1740 wrote to memory of 1008	1740	MTHR7H.exe	48
PID 1740 wrote to memory of 1008	1740	MTHR7H.exe	48
PID 1740 wrote to memory of 1008	1740	MTHR7H.exe	48
PID 1740 wrote to memory of 2916	1740	MTHR7H.exe	49
PID 1740 wrote to memory of 2916	1740	MTHR7H.exe	49
PID 1740 wrote to memory of 2916	1740	MTHR7H.exe	49
PID 1740 wrote to memory of 1884	1740	MTHR7H.exe	51
PID 1740 wrote to memory of 1884	1740	MTHR7H.exe	51
PID 1740 wrote to memory of 1884	1740	MTHR7H.exe	51
PID 1884 wrote to memory of 1564	1884	cmd.exe	54
PID 1884 wrote to memory of 1564	1884	cmd.exe	54
PID 1884 wrote to memory of 1564	1884	cmd.exe	54
PID 1008 wrote to memory of 2320	1008	MTHR7H.exe	55
PID 1008 wrote to memory of 2320	1008	MTHR7H.exe	55
PID 1008 wrote to memory of 2320	1008	MTHR7H.exe	55
PID 1008 wrote to memory of 1888	1008	MTHR7H.exe	56
PID 1008 wrote to memory of 1888	1008	MTHR7H.exe	56
PID 1008 wrote to memory of 1888	1008	MTHR7H.exe	56
PID 1008 wrote to memory of 552	1008	MTHR7H.exe	58
PID 1008 wrote to memory of 552	1008	MTHR7H.exe	58
PID 1008 wrote to memory of 552	1008	MTHR7H.exe	58
PID 552 wrote to memory of 2748	552	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe
"C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\hqicuj.exe
  "C:\Users\Admin\AppData\Local\Temp\hqicuj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe
    "C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\System32\migwiz\migwiz.exe
        
        "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:568
- - C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE
    "C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
      "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        6⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        7⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        8⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        9⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        10⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        11⤵
        Executes dropped EXE
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        12⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        13⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        14⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        15⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        16⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        17⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        18⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        19⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        20⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        21⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MTHR7H.exe"
        22⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp.bat""
        23⤵
        
        PID:756
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        24⤵
        Delays execution with timeout.exe
        
        PID:2320
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp233A.tmp.bat""
        22⤵
        
        PID:1048
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        Delays execution with timeout.exe
        
        PID:2836
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat""
        21⤵
        
        PID:2228
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        Delays execution with timeout.exe
        
        PID:2272
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp116E.tmp.bat""
        20⤵
        
        PID:1932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        21⤵
        Delays execution with timeout.exe
        
        PID:2776
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp973.tmp.bat""
        19⤵
        
        PID:1688
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2808
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC.tmp.bat""
        18⤵
        
        PID:812
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        Delays execution with timeout.exe
        
        PID:2304
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp.bat""
        17⤵
        
        PID:2924
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1128
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp.bat""
        16⤵
        
        PID:2964
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        17⤵
        Delays execution with timeout.exe
        
        PID:784
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.bat""
        15⤵
        
        PID:2316
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:2832
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDEBB.tmp.bat""
        14⤵
        
        PID:2056
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:1612
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat""
        13⤵
        
        PID:2020
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:2968
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:908
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat""
        12⤵
        
        PID:1132
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:1560
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4D5.tmp.bat""
        11⤵
        
        PID:1040
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:1480
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp.bat""
        10⤵
        
        PID:1916
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:744
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat""
        9⤵
        
        PID:812
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:2268
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.bat""
        8⤵
        
        PID:1156
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:992
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2A5.tmp.bat""
        7⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:756
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1888
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2748
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1564
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Mason" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Mason.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2324
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp89A9.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2564
- C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe
  "C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
    3⤵
    PID:2076
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      Modifies registry class
      PID:2416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\888.vbs

Filesize
280B

MD5
8be57121a3ecae9c90cce4adf00f2454

SHA1
aca585c1b6409bc2475f011a436b319e42b356d8

SHA256
35d7204f9582b63b47942a4df9a55b8825b6d0af295b641f6257c39f7dda5f5e

SHA512
85521f6cd62dd5bb848933a188a9ddb83dd7ae2c5f4a97b65ba7785c3d58dba27694c7df308f4cf0fdaaa8c55251ff14ed1632e315a16d8d0b15217bac381f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTHR7H.EXE

Filesize
241KB

MD5
8964489afcdf25c4eef3aea0e0c9a872

SHA1
656485b929fd67c26f733ba6e85525d76c8f9791

SHA256
6b4840400cf2f697ce98a66af37497447278ffef8dcac35182726154146ea066

SHA512
3ff73c9c910e1f30c9235501864e79d6ac4bc8fafbb62191edca0b4f5ad5c6a46efce9065c2cf169775b83954085d79d2cb45d6f4be8fdbb85a6163f98fecfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mason.exe

Filesize
93KB

MD5
47654744c80359c665fc217abaabf4ab

SHA1
1a134118f4814291e8c55d4ee9ad723959de3707

SHA256
77c13653a4c452a3b72fc37cc151da4d5d5690cde11514018f4580df75c09152

SHA512
f73147521235ca4e607040f230712fc7f165533dd988c8ae03b387f21378466f1f86621f400e28fc86bb807616fcef4e20e3cc0b17012a6124b393506971c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOJNSR.exe

Filesize
950KB

MD5
2311b53a8f1f01801307ea1bad548206

SHA1
353e256310fdc375b88dc9f19aa3c261a3def500

SHA256
489f90e56364468967a75b16b5db8771c46909ce790a08b9a82528da53a34c99

SHA512
75f67a61e0ead274e0df537ea7585f23966fc3297a9a21884f94ad39437aa48215c5e5e1b0fee8894129819ce2fb77b47af41a939d2d52221fcae701856f6bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqicuj.exe

Filesize
716KB

MD5
fc3d69ead4dc6937cf562c2b5d1408ae

SHA1
44505edcea4c345607598ce0515b63556a2a82c6

SHA256
cfa99c839bf42e81ab27402aec06b4e5578df2f64cc0179a210a1f9978633e3d

SHA512
dd0df4636f90981d4743c8128e492970d146fab6a5358d9cc8fe08b0e9aa95b8fe0dd8c1a783599fa12862700464cc752d78020f8b8520418a83f18e3f09ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxwtmq.exe

Filesize
11KB

MD5
7acf2bc6384803884953d14c1a87a15d

SHA1
417a34f43f2bcde6d876459d35da80bf82411e99

SHA256
59392a4c8e1e305e59a9b3b051c7b8488045d81a2c6b695dbf78c30c05d05b18

SHA512
ce44f9fa8524ea93d605afe1fc5320bfd6e611fd2de5c321bb041adea085ee00c87267ab8cae6bfe67168a8795d983c7371bde6f7a55699ffa29f5076cddfbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp116E.tmp.bat

Filesize
158B

MD5
8230951f57891ad67ef2efba14eb40f1

SHA1
9037ea4e5d6a40b0a08c9924e71ea5200ad0efc7

SHA256
1c6499c2180415a75f75f9c2a9b9d7d433325e24241054e40f97db994729337a

SHA512
1aaf2d7417ac0d998e43df048027efe82ab404e6297471bdeb40c0e04a8cf08a04ce06f2a296c0774a64606ce177c8ac02d7bca22ce2dbd33c7305c52da95346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19C8.tmp.bat

Filesize
158B

MD5
7fa396d225cea01ad0c10a59716e6f5a

SHA1
f79e84911fa5e44ebf0fdc744eae8f6d9200f111

SHA256
03eabcf858bf5e7eff9c0dcbcdb1f418f533570b623ac8c16a046b43cc9b0496

SHA512
3151bec71dfcdc3a99a623e0a45db8a0b4dae72033a8ce8ff00858b6ab2287676ff23d05ada124d9c5ba239a8b2dea7ea216722b53470e7b33073abb93e6628f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp233A.tmp.bat

Filesize
158B

MD5
74b1e64757410ff268a3159e9eef8385

SHA1
fbb262896180ea0054b6438320b2e56f7b56ec33

SHA256
8472677c4bc28b5cba7ffa75756bdb5e035225d6e20dfd83f5aeb4bc3df86565

SHA512
0f5bdf93fb771f0c45928dc9cb863796ebd6fe4d9cf69395b31bc40b5e9750100810faa8ebc6c219b679c8ba6ca745f9befc7167b1ba89d34555360614e8539c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A99.tmp.bat

Filesize
158B

MD5
fdca5243bcc2467221476f7c40798cb6

SHA1
5ad759584ab9bb4d63a5a7ef82ed4da033b80127

SHA256
0f93bf1996a2f7eecdce0b6c6661c281d414a4bdba3e2ec5ad552f89904c64b1

SHA512
e7c894403cfd47f81eda2e45b2b4135cb66219d27783bfd5b243c42247321d63e5131209da887252f33efbfb2550742607ffc396e5053a9f0cc6cf48bf759f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89A9.tmp.bat

Filesize
158B

MD5
7d181b412a405518da1a1729a609ef2a

SHA1
33a00ed7d9928aff76284e0d06cf97777f8262e3

SHA256
9268bb44cbdf67f060b123c1c485580cc8b0ec7e79ca4a43619162a3ff359278

SHA512
3374afc9d0b0c079df2c5e7540fdd5ff2689aad86704f00b6dbb971c1af58829fc9b9d4f1e49dc768f497fe4a93274c533155207bd240ae3b75224c5d2020179

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp.bat

Filesize
158B

MD5
75afb9e4d2e6765b6f415a22303a47e6

SHA1
d190f7b28eba2f9c0b00f0e12d9a5f9d3ad1d448

SHA256
b82a6eb4775f97685c7fd45adcd16cbe4822f210103e3758734d17e0e342640b

SHA512
98ecfb719d99dee1e4c7bd5eb02105f4530fae9157f42c6fa427156681c1d47d78fd8cc67ec3feac1949d480efa75c1776ff58f43e26e3a7f92530ab27586f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp973.tmp.bat

Filesize
157B

MD5
a8fac7da80cd807af63fedbf5bfd128b

SHA1
af62efa61b7b02faed574d4235ffafeaf9a3fa42

SHA256
24aafb996dfa3873cb5998afd9420ff52cf03df129c702cabf397ebe7f072a13

SHA512
093ff9f7b96cc9eb7900ab181b44e16db1f6aca39ae3f4f52238578f3571904dd26ce6e621378423aeeb269cc2fcfbf128ac201a3bb6ed8315c8ef2aaf16400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp.bat

Filesize
158B

MD5
04a6c21c9d582ea99b8b5cd85a6d5f1a

SHA1
6f45498e767eb8c7f9a57aaf625421fd054388d1

SHA256
ea900145d57481d8dffdb8f8f0e019cb3032a9f72aebf634326c2893ab45c9c6

SHA512
21649c1118e5c7b059d3be9e3ea66e50b0ac53e6251fbb7c907d5189873437f84a461a18f4c251b17988da68ba10591237ae3d8f9b46be25f8ecaa1c5afcb1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2A5.tmp.bat

Filesize
158B

MD5
7eb455ba5bdefc53264bfc669dac88ed

SHA1
9943e5c38268f3d8cf7cb560127656d950ef131e

SHA256
dd7be95086e2daf41bb11f7f4550a2a75323a1ded74871434725ca5a0e5bf735

SHA512
7d0eaf86045d3c886515f59f7eef2a9e83627fd42aa8a030f78930c0137752101ffe694cbbd16694d7649c3ec2bfb3f2430780ec010a486b5dbf3fc92eca20dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC.tmp.bat

Filesize
156B

MD5
1637428d5fae8f585f9aef2f614ae95a

SHA1
eb59dc472c9ca4efe0ae551e5a99a8d0a56a722d

SHA256
f0934cc866feae93af549f942a2a967a473e1ff6ee37720892fa99837ddbcfb9

SHA512
a5fc57c7c2113335b4a960678bcb5089cbe09fa60cc78d136e98916b22b8aa4540f3e27781b473775b94a61280c64864d325576b4b063041a807b8a4c66907bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC56.tmp.bat

Filesize
158B

MD5
46434e596d4ec27e4b935ed0a038e201

SHA1
bb3239705f3e28c05c44e998a4d99addd59d29e9

SHA256
c0309b6a96991c5f4b0a5e95bfd9f273510a5f557f7285d81196ef81c20f43ed

SHA512
1087944acb2cb65a754e07cdefa9b80d0184db8e7626b83126182bfd6cf9c30ecec97dfcd07faa63d4a28d0d74ffbdf33452ff4f0081baa16536e159235c5afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp.bat

Filesize
158B

MD5
d930a0a6c1232d7972e1dba07087196e

SHA1
e246c0a7eecdd07c62756f9194bff8ff7c858719

SHA256
93598c8dabe3cc54c4c99896eedeb23a3442d7907a2fdb1fb832d43a8475a7ed

SHA512
b4510696600c1f383573984f080216be5aa7e9c4f013819d5b6dcef716b0c0abac64f3c094e264bd8f7693f6ac7df0283fb52a578333d0fc17b2ca3b36b772cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD27.tmp.bat

Filesize
158B

MD5
74e08567a1c6f24621efb27699b1af80

SHA1
27f33524333a8bcbe9d340b33c2cbb2e9c8151f3

SHA256
9cf12ef3b2b4057eb9bea80746ccbbcd4882514175bc0a148c3f35e7cb53d8ac

SHA512
5324ed509201589096c48bf2f4a57810e1c19cadec4fd262c10011a0304e7d8c4c7dcea08d31d979fab47ecb578f54c5408d9b4e2b59217636d83f4cb3bef0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4D5.tmp.bat

Filesize
158B

MD5
2be7ef1287b458d099d669fb3f0caa7d

SHA1
ed7f3b4f904fbfa45ec90ee19faf818901863083

SHA256
ededffd5838446a007f2288c53c3aa4ae53573fb0003ad4fa332b329b26565fa

SHA512
9eb0b528bdb4182030bc124498061fe5e834d6dbf56511d1069e033077f625e903ab712ea673ee31339408964dd23819d13177b9dac248e8e88cbacbcd534311

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat

Filesize
158B

MD5
858a9d3b8f4b5b48851aa6e3dab43753

SHA1
ccffa637de941175c5b401ac0c1322ee73715622

SHA256
59a5fc752d3bd70716ec61c0abd8dfa43186dd96eaaf504642427af8885012c8

SHA512
3678a57be6a4a65aca887fbb7f104bd48548153bed7f034794231022c8725f935ed4737024703b3f834b12f779f149f5db923612ba0ce76643ec01ae8930b730

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp.bat

Filesize
158B

MD5
e2b94afb7f92cdc87d9a3b81a38e51c3

SHA1
ad13fe266322935e619ede02f757b5c23e0d3189

SHA256
c5e7b730c86132bfbab8a34bf262ebfaba5e658d5437028d2274de8fe295cebf

SHA512
596b31f81da0dc9d659ebc6f0de005a7f09d5abe3023c7499578de1ce3768517a8bf734d5773b2968de00a04bd0f07a0ba618cc6cb50244fbd73de3a5ad7d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDEBB.tmp.bat

Filesize
158B

MD5
42fb1292919446f13e66a67dc5e58c5b

SHA1
46bbaa07c8a185579973f8147fd8fb36ebad18d1

SHA256
7074dfe5b2df3a88786ae9fb1ebce9a7eb30ddbc3f68efa6140de3b07d8c5459

SHA512
fb1d29efed6ccfbfc41e70d159b7142e61ce2a9657bb89de56974658da9ef8b9eb15075357498d7eaa8937d59570e705c582e3ad381f00238efa9d6449502a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE743.tmp.bat

Filesize
158B

MD5
481882c10556b0aeb38df9c8a1e9beaf

SHA1
1542de340c428da04df0874ba8be9ea69bdf8ac1

SHA256
397d7e55332ec69f906e93def4e5a37f007e596fa94f75a4db331648529df577

SHA512
56650ce2155458ddd9d94ef2660adc85fde1fc479e0c5da96a5a9b10f04cef995a22529175abca6ea867060ba3e3549b56110ac42df291ad2aee1bc1078bddb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFFA.tmp.bat

Filesize
158B

MD5
c76799c3a6355b10bc48bae55cb76c7d

SHA1
3b4f8fa991396be84b561bee4adcc0c97522efa8

SHA256
b793553e8ee8cc4193cc3488c77ee8b93586557a564757fac57bf8567a434ebd

SHA512
daf69e51bb8141517b0ad4fbd7e56c67e04b7eccfc31bbb02bafda02e25ffc402b6d771c166d6c858423c3b1e78777130f2a5d8b3d5b5ed98dadba9683a6454a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp.bat

Filesize
158B

MD5
583b041bc62af52f49baaba0a0ab5a70

SHA1
8bed1c469ec9fda31ea5f76e7f170b9c456cf98d

SHA256
6ac3bd43477f5071b5266d578ace0a37803642ede93d92450b1662fb5227d16d

SHA512
c454487cf11d02863e878ea8fbdada4e623b224445a85e1245a4d13fb0942617d901502ce73d28662d7a340912b8a296963804ac391a1161d3f69b3b3c94e4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wl.jpg

Filesize
71KB

MD5
84bc45875eb60512e25dca16d4e5304d

SHA1
5965867a44a5809ad57eaaab978c698104103e34

SHA256
52a9fd513a7085c8814e13e8f25a1ab7aade6c02ae387e745237dfa36d088f39

SHA512
df08663efbf471f4b1cedeac3c5e2af432e729008b02b14b31e9feac229bdd54ae76644c903cf56ecc87eabcab3c0f44f1296726e338645ccf148ef7d11a552a

Download Submit
C:\Users\Admin\AppData\Roaming\f3eedde12ec9a2f363c13d643bd2acdf.exe

Filesize
48KB

MD5
f3eedde12ec9a2f363c13d643bd2acdf

SHA1
2d53fef1c7b2036d4c25097fe1d3d5276cff9cb8

SHA256
63c8a594926959e99dbcaac2e4bdf923691373d432500ddc0572996bfb8e399e

SHA512
0f6f4ed01f591edb4565fd31169aebb3be2d2dec246459411c52db0c9c7168da4404d4657312c879980b524da6047d9a87b8a49bae5836bf40e9ebeb6f166a53

Download Submit
\Windows\System32\migwiz\cryptbase.dll

Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
memory/2296-374-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/2584-32-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-23-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-17-0x0000000000B20000-0x0000000000BDA000-memory.dmp

Filesize
744KB

Download
memory/2584-18-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2736-11-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2736-10-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-9-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2736-8-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-1-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/3000-31-0x0000000000A10000-0x0000000000A52000-memory.dmp

Filesize
264KB

Download
memory/3000-40-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download