rhadamanthys | 7dea4330525071e258fa1ec05d1aa44abdc046a9d7cbc7aab5cb6a10ebaf00dd

Analysis

max time kernel
74s
max time network
74s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

312KB
MD5

062033d29b2360355a50a03e588e350b
SHA1

0db5ea48582d67a6efca5d78edafab8bc655a778
SHA256

7dea4330525071e258fa1ec05d1aa44abdc046a9d7cbc7aab5cb6a10ebaf00dd
SHA512

4c15de043d288da5175be1d65eecdb97c68ff9f05a37c2a243520c0db5a3f3fabce56a1decec793b52dd36f0a9f812b988895039e810a9c269fdb4a4b67b6448
SSDEEP

3072:BiugAkHnjPIQ6KSEX/fHoPaW+LN7DxRLlzglKvVsuk:1gAkHnjPIQBSEnIPCN7jBvVsuk

Score

10^/10

rhadamanthys evasion stealer

Malware Config

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/764-1018-0x0000000001DC0000-0x00000000021C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/764-1019-0x0000000001DC0000-0x00000000021C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/764-1017-0x0000000001DC0000-0x00000000021C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/764-1020-0x0000000001DC0000-0x00000000021C0000-memory.dmp	family_rhadamanthys
behavioral1/memory/2492-1027-0x0000000001E20000-0x0000000002220000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

XWorm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	XWorm.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

XWorm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XWorm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	XWorm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	XWorm.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

XWorm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions XWorm.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

XWorm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools XWorm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	XWorm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	XWorm.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	XWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XWorm.exe

Executes dropped EXE 2 IoCs

Processes:

XWorm.exeXWorm.exe

pid process

764 XWorm.exe
2492 XWorm.exe

pid	process
764	XWorm.exe
2492	XWorm.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	XWorm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	XWorm.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

XWorm.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN XWorm.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	XWorm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

XWorm.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	XWorm.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b09c89b0c0bdda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c04c31a256c4d42b2305e446171e823000000000200000000001066000000010000200000008d3b86d3b40bbaeccdb125539ce405ab5109fc19f55110ec3948f21ffd3af3b2000000000e80000000020000200000004c395f86339e5945b43005bd94d6070978258c0abd242454fc815185e6ba523620000000a31665d47bb6d2e4f86a5bf30fcf5cc2fc4bafbe713cbc4351a89849b04ec18e40000000c4274e8b33fb72b1c613de0240b91de59dcf1ad7a218fb2aa98d76610b187015b1d5a416e5e392961f54e6f995e6222c409c0e2030994dbafc45fc004008f6d5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006c04c31a256c4d42b2305e446171e82300000000020000000000106600000001000020000000786c71039480dac0ab5449332f0a8043ec3718f22bee360d9f1c0603a2f70dd7000000000e80000000020000200000007755c3925c13e42fe083c312f775ef29a935aa15bfffa74c60b57e45efec256490000000bf511dd7240dddaf25eb6b5bd8feb9aa3fda497721b9de66064fdc80a536b7c1ea9f6159a1819e3a645a703a5ef9cb0254c5e63320c6f7fe4298a23aa0fbefe706142541e7eefbcd7e12b0c166f45337a5486fa32174e80dccfeefc69469266252040a786d1df1d208ec83e54927b87dec13a467220fff40fd3350b661fb221f861d78fc2cd0092c981d9f09cce5178c4000000062bdce13a0a487c9da7e2bee1cf22de59b183f8e09dd0959e3b1ac403b27f0ae929afb51a994632e0b7e4dcb381fb6bb2386a8a0d9382f3d1d67202f8966be88	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6100000016000000e70400007b020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d245c1c0bdda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424465687"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB2A1071-29B3-11EF-910D-CE7E212FECBD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

XWorm.exeXWorm.exe

pid process

764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
764 XWorm.exe
2492 XWorm.exe
2492 XWorm.exe

pid	process
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
764	XWorm.exe
2492	XWorm.exe
2492	XWorm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeXWorm.exemmc.exe

description	pid	process
Token: SeRestorePrivilege	2972	7zG.exe
Token: 35	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeShutdownPrivilege	764	XWorm.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe
Token: SeIncBasePriorityPrivilege	1952	mmc.exe
Token: 33	1952	mmc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe7zG.exe

pid process

2240 iexplore.exe
2240 iexplore.exe
2240 iexplore.exe
2972 7zG.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEmmc.exe

pid process

2240 iexplore.exe
2240 iexplore.exe
2252 IEXPLORE.EXE
2252 IEXPLORE.EXE
2252 IEXPLORE.EXE
2252 IEXPLORE.EXE
1952 mmc.exe
1952 mmc.exe

pid	process
2240	iexplore.exe
2240	iexplore.exe
2240	iexplore.exe
2972	7zG.exe

pid	process
2240	iexplore.exe
2240	iexplore.exe
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
2252	IEXPLORE.EXE
1952	mmc.exe
1952	mmc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2240 wrote to memory of 2252	2240	iexplore.exe	IEXPLORE.EXE
PID 2240 wrote to memory of 2252	2240	iexplore.exe	IEXPLORE.EXE
PID 2240 wrote to memory of 2252	2240	iexplore.exe	IEXPLORE.EXE
PID 2240 wrote to memory of 2252	2240	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm\" -spe -an -ai#7zMap25841:72:7zEvent3484
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2972

C:\Users\Admin\Downloads\XWorm\XWorm.exe
"C:\Users\Admin\Downloads\XWorm\XWorm.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Checks system information in the registry
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Users\Admin\Downloads\XWorm\XWorm.exe
"C:\Users\Admin\Downloads\XWorm\XWorm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24
Filesize
889B

MD5
3e455215095192e1b75d379fb187298a

SHA1
b1bc968bd4f49d622aa89a81f2150152a41d829c

SHA256
ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99

SHA512
54ba004d5435e8b10531431c392ed99776120d363808137de7eb59030463f863cadd02bdf918f596b6d20964b31725c2363cd7601799caa9360a1c36fe819fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
8fb6b232da26f53a61f1a2144cdb1e0a

SHA1
48c17eb02bc09331fb0dc19d55bea354041db287

SHA256
8b425b9f4a8d67fa1ebc594abd2f90a021000f16318492b1b0ad0b7eb83f37df

SHA512
41b53fb49b5a979dbddbe5e53e832c175cc1d16a3eafff2ba007d914f91aae875faf482b236b7a8f3bbb8341d7eee4d667229bf8191f5a49fc470a92d02758fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
9f97375303e0f9ee5063ca3db934563e

SHA1
c83d70f7709096244df08c5fc0494ba4c0ab82c5

SHA256
66203a03988f872b3fb72690b0a855844e1591167051afe54caabb45a26a49c6

SHA512
6e7b6ef7360cf70fe8cb095c7c0df9dda1081d1af3a70df3a579ce1c974a9aa5e6958e7d9296d18a2e605857b75d9708458bf39f9ecf9b8b4b2a4b6939ff2115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cb2a57ef407332b65ac8723583195dab

SHA1
879177c1ff030a4c608503eb0b9117ecc394420d

SHA256
6c41c4315eebc9d1e8b41883f92f21cb28bd15863d8a6903c68b032b9e37df2c

SHA512
7e98352fb981dd42ddf860d5bb2942b81b4a777adb942a7dd1894a585f4ce9a5b652226f997696079e22e3fd754bd58bb6b5a3979b839241a53ac69400c7fd5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
667a2437aaec63bd6f8a7df022b189e0

SHA1
7740196d6c19818f7b0b778c362c83c3e9da4b98

SHA256
a43324a49e656b72f25a6d95939fb849b0259b0096d212bd4c2020a9401237cf

SHA512
a0ba207bbb81a87e84574af158cad6ac0d4cfa9c0d419869e4153d7a05940de4b5128e6b3a6d33c0dbaf53cade31d3c672ccd2bd18fa7633eff14aea3363e3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
81394c967abe4db6e1939be225fba50d

SHA1
cd444e33d30fed205396dea99fcb62807f2d5f0e

SHA256
62e2e9be740daffe6c7843beffec4930bd9ad06018e6786e6cd87d7462b4d3a6

SHA512
9806c62f61cf6ace0297c0dee664dc1d1a2f442480b3367062157bac13e89eb60eddcc268844eab276e4f6874e1a94d8900b5c8d21ff814ffc4f103ca9fcb2e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3a56d8caba6601c79c3b6310398548e0

SHA1
10d78ef9d8570e54126340512b5893f0ba98eb60

SHA256
19a5907e65b55d9c58feb488ba1fdae52e8293b7addbcacfcc29e53a50eed05c

SHA512
4b4c65eb4c2fa93c193b0d9742fa31bb0b71862b21ef638d550f430cee56f0125ed8a5d9b7ad24700dcd83ae7a4c38235f86b550277fb9bad084a9c91c4aa493

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
031c0eb61b20892222afc65152ac3cfb

SHA1
1997afb388366dc3ab97f817af0df2a610552700

SHA256
5274e8f5c8224e528a54da041cb58852d5b8f4ff6506af7fb008a16ce588564d

SHA512
0c053c9795f7c15d131d006ae5827f9b0fb6d16ceaa859edb3a37c010ebce979bb5c4a3984cd3b5be5012a331e9530ff3c4a8e0a3febb398550173e984d22207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7f8373b4df7b753eb72b8cecf4067cb1

SHA1
44638da4dae312aa615136ac1197573f473e0de4

SHA256
a3fae169d53d19c35cf374c2846cc1d7a4b2c3f3833cc36f74e08d418c760e04

SHA512
8b1405bd4f08a88762013012d502a8249987e8f0bc959e686906cb64dfcc49bcf257a1e053c43eafe1d3b47a4b0c28e58255247095a9181843ed74bba803545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b09eed6f4f6cb2fcb72b38107bd2fbe7

SHA1
4c89cf23dc909f314b9f9200da675e9bbab3b476

SHA256
ace7f225b64b8cf85fe959f9348d68c3511c88e4a5f3e0b6fcf0f48a1506cf95

SHA512
c3bc1952c739e04ff986c5b39cd7616d83a5f00884b997a621766a50b903beb882db7d081e8750cb2efd470eb75964be640ca8fc310de6b0ed9d84586d351f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9bb60ded59e27f00b7c7594d016caeed

SHA1
46f8409a1e56b982328688321850d674216b4e62

SHA256
f1653a259fb018a0999d80618aa993b9ae72dd19d9298aec5c0ab819d77db556

SHA512
f911615774d345249aff60407a19a98f9b63483f445973710ef449683b692dd1639d4b9a24dd58b326ad3ec6c538361fe79a5a4151980b2a1420549111b8005a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
28ecf49e11c9af3ebd1d5bc783e1579a

SHA1
d0bb48a2bfa3beb6bcf24620f591e53c66b0998e

SHA256
7fa020d6ef4c711e18c3d780fd80add6131546e94daee61af3fae096b277e041

SHA512
da98b33a1dcaf8a644b55da4eab57d368b69b27743cc9eafb5ee68b7a42fc25a3264c2ec1fca26daae7e24ba7f8553cfa819d7215052dacb9904ad08a6d5e7ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cbefb88e247d24ada070a7ea39272428

SHA1
0a3f3c198f2ab42c8e1d865e99424f1a6380218e

SHA256
84367d1a6f6191d0162455719f55bef21dc35b649613071eae93f8b55c16c3ec

SHA512
c82afa61756e0cd9a4f2113c7d677c70f01a835ce175bb4c82cdaa27f424a9d70f1d5258df40661eebbc941ea24f50dd7f280d6d87e454411fec4c86251e9f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1696913dce9406b3f69742ebca99a978

SHA1
95e63a2288c635301c0b132379ffb7e2c101e929

SHA256
121c4485e66bc83c0caf5af81f562340af7b009c556b9cce4c525bcf0593a326

SHA512
b20fb8cbdd0c6ce0b2dc905a6249dafdbae50a11f71dea7defb5f5bd4d140a1132e8a88b1fac017649755269d93ce4924a1e77ee7c0b1fd8a9795e4309a6577d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a9ce549f0b6a480ad58353143587e343

SHA1
7c5652cf0cc109c077d6ceed468f75a82b739f75

SHA256
40d4738c862289dd2a9b7351f7b624add081e06e23b16540a4d841f61f0efd5a

SHA512
6acd853c562bbac3a77bae5d90e5a25a98dbd98129f77b3e4a4f7dec5cb9d8b1aeda3940f2c9e64fbdb498172566ec5f8281bdcf96801ed9d21622972aea23db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5442fbb82342b331b7a475673ed63bf2

SHA1
bfb8503051a31296fc1474db04f468ffea218324

SHA256
54fd431bf958e7553899d9acef7830e1b2d14041847a7536016ae5ea9182b683

SHA512
7d41aa016c650183374a6460f5574a527c9646e7536f13a3d37cdd58036fb6e3dd21748269dcdd75f8e60963a71daeb749f0963133f893b71d121312611d80eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e64375250060ac1525b5d270ba6145a9

SHA1
9c9ed9f7b95a7879d084329865b93ca53f6d8b03

SHA256
4e88bed53d2dc2985a0ee66a6196fb4801340c0225d06667c151eed2cae28600

SHA512
9e319b1c2d5646d49589fe99008fe504023683ab9dce7d5ff73556409ea6ad89caeba01788ca551e7f2d2db2940d444f19d2b4dff9cc906ab98a486ae708721b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b674c4d43ee56fcb5227d42fdbbbbbaa

SHA1
f22025efc11fcc5dc1335c37a6e2fa7edfe71591

SHA256
7670fc8151f1704f5ab143594eb0aab5fa971214d45c41c94a635a74e72e6e80

SHA512
ec097085cff7fd565cd5fd3c005367e18bb65acdda0d163e033f9545e08c40af27de8b0769ffceddefd4f5047f19432db7f9d11603f4cdab1f8346c22e4226bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d7529f3a585329072a94363ea7ff98d0

SHA1
dc021bb9037c4e495fb6f42cee2829aeafa321c2

SHA256
248bb485d12d51fa9c6e6451fc94232e511fa42180a0404c77a218afb3622e91

SHA512
6a8d104e6558a7060b8b3b88c3e1958759b9c8a0bc4ca172712538802f939e078df983d4282bf2fd6466ee834c6c7885421d9da66ae8ebaf46927c4e78ec6a82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
05f80cb3719d2e36c649490aa3112030

SHA1
fdaca97c454734fb5cb71a661285ef3639f5f095

SHA256
31aabfd033fd6f4304c6b92fb17185c1b44fe8495c017612a5fa01967bbf95e1

SHA512
24e822b9f71f1657bfdac9a7b08988397299b6a3f0d0b4051284777d1d7edc727fc0e92bb0919f9be5706d925daab428c74569cfa91c1c92dd3e3b6667481422

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
056f35bdb4b3eac3073feb79ce8ff81c

SHA1
55972a834b6da6566d4e3f79d3128d5135aeed65

SHA256
53179d37048f517ace3f4ed9123044cfdd335d0944d8e7b4730fb7df89c7387c

SHA512
bc31b24e5499bc71c94d38cac872bf5141b612dac010a1bc89f6f68b77f2b208576429b8aaf0a854883670bd23189184bdf28a4a00c3e2dc903e93925c6b164b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e8a720ce5711bf6a658ed01aecd691dd

SHA1
f9435df24c2e5a5c091114634151218586089d62

SHA256
f96f3fa5a494abd5039decc77fc589e391a1f2ca427c171a4c4f8fa9436c0075

SHA512
ef2503459c88daf3f6eb3d7fbb99ea64f61fc409d36f15c448001790d33790e026ba0875e6c359c8cf1b57bd56abb90bcd6ef9ace7d361e94f9dba47cff112a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
37e7d2f234861005ecafaf8cce6d6710

SHA1
505ae08c89ea1dc7fa46245d3855f396fbb78cc4

SHA256
cfa3f4805af5bbbe682806d489074716e689fc80742a87ffe4a9202b9cf41fa7

SHA512
c11d9774b8fdc2e6c684b92382b12480b514eb456dd6c2f3a90ef42267458a0a2498cf0122ee80c557bc6c20aa4c30ee7d36095fa52eefd860c81a280f22d0cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bf5da2f0a908ae7e512699b112223193

SHA1
136b897da1d5750267de4df488bb581717bb7d48

SHA256
064578e84061ca7085965fcff2253a1e4f6166714144a3b8a839530ec9413165

SHA512
5cf6120bd00dcc631244a9cb83570b646f6e25320fafb505c6404b9aa59e3007063ebfc6aee3ea3a4fa9d1e422dde12c48ad7edfacc06dfd711c2188f4676170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ce314aca6834c70e01d3fff23fd052a2

SHA1
c4d17b0cc125a28613f002f3b08c9d66bf410bf3

SHA256
1fbb1138317ff2fb5a7372bce12da6189afa54c9b88b10ef604fbbab5a898c06

SHA512
fc13f8c50242aea3ac98616f67462d7ba98567ecb979fbb2bb8c547784f11bbb806d13fba2eb18c9f8aee6365de7b07243e3e70ca79a5423c2d3dd8c0089d076

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
656d32f34aeda88c353b7e00eaa8eab9

SHA1
b5800b256cf5cdbfb2aa262b770b3171bd745be4

SHA256
72b9fb372e88674935546bce5fe939f5a89fbdb6f5b6f26e16ed50b16c301f45

SHA512
8dfb8bb502b48b441cce6ec51a3091e79d7a02a53d4062d5fbd1a18b4874bf35752a85fac57b43e169524524f12c4c9c65ff06c9c36f69316bc45c77bf2310c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c4959da0e6e7b6097ee91c02f0a79a8b

SHA1
97fcbbaa1ac49203662b844261809811ee42ab78

SHA256
b317ac934593d312ee5862caf9e7e527ef87fbfb57df6b872003a85115b15f5e

SHA512
92d2d44a1dc73f25d448828e938526d0ebb8717009d85e60fcaa536af903611fb8631c73a879c8537f5309e6790fb28eac4b1d8b12212245cb776a1e97aedcaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
152c326d03319bd75260ca52e7dda5fd

SHA1
97298c6701004b9c0685e4cdfccd612d69a5eb4d

SHA256
bc1cb5edf88a27c7a270ca57492f4a2ec9f7fa9eeb2fe54b9a4f2bc81a00d28a

SHA512
742cb3fd8f1fc70d6cfdeac0ec7388c2deaf217a6370ac14147c1919a056f51eb9402f7376573495272f0e79e6db3a02f86055ce6cd080cf36d290f28ebc6634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
efd5b452e024a07b14b4ab5962308001

SHA1
325ac94494a8173f0ebde2d585aa8ca67c8e50e2

SHA256
20b34f11db818b17b2e74bd48ded373859eb7e58a96a01804cfb0517eb7a7544

SHA512
0ce6cbe12100d1bb7e39f520bb9d48022ec30b889395cd495197d070d7bfd6797a92865422ed53a1716083077092cc56457e4c5c4efd2b02fb4f2ef664b70f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
ab3d14b22ba3ecaffd143854edbe06fe

SHA1
d0d748507e36fc1c9be31b07f86d564b0fb5c753

SHA256
d043adcbd2a565d2baf6e99e2c7b56f1e382f10c762bb9281690f5ac3d40d695

SHA512
60ace84a51967436a3ab34120767e75bc64df8ecbe3281d0cbe35388247800364f4bd644207137df1189c08da86dd875c852e82feb8e8333f680c48f961c6ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MW1T3CYG\XWorm[1].rar
Filesize
3.8MB

MD5
8845f7149b64a79343f12ee97b8d90ad

SHA1
d48a4d2b00859e6e7e362e38a34190da60ff8550

SHA256
17c103b0cd832139aded6213496300760f83abc7922d3829d10f09d422b2b348

SHA512
132c47c287aad520e29c42debff6c2a847487323a57824e7b43f48fa5562d9b008c28b297fd3a260b108aebfd99246ed2fff5d38cc9fd52b3406a047aedd5bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10E7.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB7D11FA479A4349A.TMP
Filesize
16KB

MD5
444c11d286695bf18e0fa5be20407bd3

SHA1
04bd8a415ead9b2afbaa49380f1fff856c56e597

SHA256
c45386c44ea99d1bf8f55c0b1ae1d04183fc048b34777979c4da2d52ad5f15ff

SHA512
2310739f21994c5802dfa9882dac00f437019adc1b6fce34a895db3fae94d173c36d98725250a3d15192441967e2ad71312e31672b201d4553079e4f5b5fabcb

Download Submit
C:\Users\Admin\Downloads\XWorm\XWorm.exe
Filesize
456KB

MD5
515a0c8be21a5ba836e5687fc2d73333

SHA1
c52be9d0d37ac1b8d6bc09860e68e9e0615255ab

SHA256
9950788284df125c7359aeb91435ed24d59359fac6a74ed73774ca31561cc7ae

SHA512
4e2bd7ce844bba25aff12e2607c4281b59f7579b9407139ef6136ef09282c7afac1c702adebc42f8bd7703fac047fd8b5add34df334bfc04d3518ea483225522

Download Submit
memory/764-1018-0x0000000001DC0000-0x00000000021C0000-memory.dmp

Filesize
4.0MB

Download
memory/764-1016-0x0000000000250000-0x0000000000257000-memory.dmp

Filesize
28KB

Download
memory/764-1020-0x0000000001DC0000-0x00000000021C0000-memory.dmp

Filesize
4.0MB

Download
memory/764-1019-0x0000000001DC0000-0x00000000021C0000-memory.dmp

Filesize
4.0MB

Download
memory/764-1017-0x0000000001DC0000-0x00000000021C0000-memory.dmp

Filesize
4.0MB

Download
memory/1952-1022-0x000000001D430000-0x000000001D776000-memory.dmp

Filesize
3.3MB

Download
memory/1952-1021-0x00000000027B0000-0x00000000027CE000-memory.dmp

Filesize
120KB

Download
memory/2492-1027-0x0000000001E20000-0x0000000002220000-memory.dmp

Filesize
4.0MB

Download