Analysis
-
max time kernel
103s -
max time network
106s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system -
submitted
04-05-2024 12:44
Static task
static1
Behavioral task
behavioral1
Sample
Outpdsaut.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral2
Sample
Outpdsaut.exe
Resource
win11-20240426-en
Errors
General
-
Target
Outpdsaut.exe
-
Size
60.5MB
-
MD5
a81db6baae418498efad231a602e95e0
-
SHA1
9381ede78e644f16fd1126f08c129d27f627ac73
-
SHA256
670a60509510a9632c21f2f8d1f9262f9f74a37d8eb5aa2b8437107c2bb5067f
-
SHA512
eccc2502b53b55b125d59b2d986f365ef099269e55194d51e91020202efa3ff381c01afe13ed0cfb5490b325ad302cbb5f7ac49d74ab1b61f07d6d4c2fd914ac
-
SSDEEP
1572864:XqQgZKg6Y6NnbqKCjZaJ1khXbzKuLyt8zVf3kYkMt2XRq:XqFgpHqLye13pkMsc
Malware Config
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/4932-64-0x0000000000F40000-0x0000000000F50000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2120 powershell.exe 2080 powershell.exe 2436 powershell.exe 4552 powershell.exe 3712 powershell.exe 1852 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.lnk Wservices.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Skype.lnk Wservices.exe -
Executes dropped EXE 3 IoCs
pid Process 3856 Xfc.exe 4932 Wservices.exe 1948 Skype.exe -
Loads dropped DLL 2 IoCs
pid Process 1312 MsiExec.exe 2916 MsiExec.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\ProgramData\\Skype.exe" Wservices.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 2 3456 msiexec.exe 4 3456 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\Wservices.exe Xfc.exe File opened for modification C:\Windows\System32\Wservices.exe Xfc.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Go\src\crypto\internal\alias\alias.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug306.dir\p2.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue28390.out msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ssa\_gen\PPC64latelower.rules msiexec.exe File created C:\Program Files\Go\src\math\sinh_s390x.s msiexec.exe File created C:\Program Files\Go\src\internal\types\testdata\fixedbugs\issue49003.go msiexec.exe File created C:\Program Files\Go\test\inline_math_bits_rotate.go msiexec.exe File created C:\Program Files\Go\src\internal\syscall\unix\asm_aix_ppc64.s msiexec.exe File created C:\Program Files\Go\src\cmd\go\testdata\script\fmt_load_errors.txt msiexec.exe File created C:\Program Files\Go\src\go\constant\kind_string.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ssa\_gen\RISCV64.rules msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue42284.dir\b.go msiexec.exe File created C:\Program Files\Go\test\typeparam\structinit.go msiexec.exe File created C:\Program Files\Go\src\runtime\cpuflags_amd64.go msiexec.exe File created C:\Program Files\Go\src\path\filepath\symlink_plan9.go msiexec.exe File created C:\Program Files\Go\test\import6.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue15609.dir\call_386.s msiexec.exe File created C:\Program Files\Go\src\internal\types\testdata\fixedbugs\issue57160.go msiexec.exe File created C:\Program Files\Go\src\cmd\go\testdata\script\cgo_path.txt msiexec.exe File created C:\Program Files\Go\src\go\doc\comment\testdata\text5.txt msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug199.go msiexec.exe File created C:\Program Files\Go\src\runtime\mheap.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue44355.dir\a.go msiexec.exe File created C:\Program Files\Go\src\runtime\defs_linux_mips64x.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue21221.go msiexec.exe File created C:\Program Files\Go\src\internal\profile\proto_test.go msiexec.exe File created C:\Program Files\Go\src\cmd\cgo\internal\test\issue24161arg\def.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug030.go msiexec.exe File created C:\Program Files\Go\src\syscall\ztypes_linux_ppc64.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug246.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ssa\_gen\RISCV64latelower.rules msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue19710.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\syntax\testdata\issue56022.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ir\type.go msiexec.exe File created C:\Program Files\Go\src\vendor\golang.org\x\text\unicode\norm\normalize.go msiexec.exe File created C:\Program Files\Go\src\cmd\go\testdata\script\test_compile_multi_pkg.txt msiexec.exe File created C:\Program Files\Go\src\cmd\go\testdata\mod\example.com_retract_self_pseudo_v1.9.0.txt msiexec.exe File created C:\Program Files\Go\src\unicode\script_test.go msiexec.exe File created C:\Program Files\Go\src\internal\abi\testdata\x.go msiexec.exe File created C:\Program Files\Go\test\typeparam\mdempsky\1.go msiexec.exe File created C:\Program Files\Go\src\go\doc\comment\testdata\doclink6.txt msiexec.exe File created C:\Program Files\Go\src\crypto\x509\sec1_test.go msiexec.exe File created C:\Program Files\Go\src\internal\trace\v2\event\requirements.go msiexec.exe File created C:\Program Files\Go\src\index\suffixarray\gen.go msiexec.exe File created C:\Program Files\Go\src\net\internal\socktest\switch.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug195.go msiexec.exe File created C:\Program Files\Go\src\cmd\go\testdata\script\work_vendor_main_module_replaced.txt msiexec.exe File created C:\Program Files\Go\src\regexp\onepass.go msiexec.exe File created C:\Program Files\Go\src\cmd\vendor\golang.org\x\tools\go\analysis\passes\testinggoroutine\util.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\bug276.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ssa\_gen\AMD64splitload.rules msiexec.exe File created C:\Program Files\Go\src\os\file_plan9.go msiexec.exe File created C:\Program Files\Go\src\log\slog\internal\buffer\buffer_test.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue15528.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue19261.dir\q.go msiexec.exe File created C:\Program Files\Go\src\cmd\dist\testjson.go msiexec.exe File created C:\Program Files\Go\test\fixedbugs\issue44732.dir\bar\bar.go msiexec.exe File created C:\Program Files\Go\src\cmd\vendor\golang.org\x\sys\unix\zsysnum_openbsd_ppc64.go msiexec.exe File created C:\Program Files\Go\src\cmd\compile\internal\ssa\opGen.go msiexec.exe File created C:\Program Files\Go\src\runtime\pprof\vminfo_darwin.go msiexec.exe File created C:\Program Files\Go\src\syscall\ztypes_solaris_amd64.go msiexec.exe File created C:\Program Files\Go\src\internal\types\testdata\fixedbugs\issue43527.go msiexec.exe File created C:\Program Files\Go\src\internal\types\testdata\check\issues1.go msiexec.exe File created C:\Program Files\Go\src\reflect\example_test.go msiexec.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File created C:\Windows\Installer\SourceHash{393945AA-EA94-415A-857C-0E0AEE321905} msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\{393945AA-EA94-415A-857C-0E0AEE321905}\gopher.ico msiexec.exe File opened for modification C:\Windows\Installer\e57c9a9.msi msiexec.exe File created C:\Windows\SystemTemp\~DF10F99025765FA880.TMP msiexec.exe File created C:\Windows\Installer\e57c9ab.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI6F60.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF1F106BB5F988E66C.TMP msiexec.exe File created C:\Windows\Installer\e57c9a9.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID86E.tmp msiexec.exe File created C:\Windows\Installer\{393945AA-EA94-415A-857C-0E0AEE321905}\gopher.ico msiexec.exe File created C:\Windows\SystemTemp\~DFE82A940E23D17A1E.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF398BB8DA45E3924B.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5028 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4572 timeout.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe -
Modifies registry class 48 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings Outpdsaut.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\PackageCode = "92AD874C4109CA243AFC01E8AB68257E" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\Version = "18219010" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0567AE226CA41004FB924F8B77D51B0C msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0567AE226CA41004FB924F8B77D51B0C\AA54939349AEA51458C7E0A0EE239150 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\2 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\3 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\5 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\6 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\ProductIcon = "C:\\Windows\\Installer\\{393945AA-EA94-415A-857C-0E0AEE321905}\\gopher.ico" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\PackageName = "go1.22.2.windows-amd64.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\9 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\15 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\18 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\20 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\16 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\17 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\24 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA54939349AEA51458C7E0A0EE239150 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\21 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\22 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\25 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA54939349AEA51458C7E0A0EE239150\GoTools msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\8 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\14 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\19 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\12 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\13 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\23 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\ProductName = "Go Programming Language amd64 go1.22.2" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\4 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\7 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\10 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\Media\11 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA54939349AEA51458C7E0A0EE239150\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 3856 Xfc.exe 2120 powershell.exe 2120 powershell.exe 2080 powershell.exe 2080 powershell.exe 2436 powershell.exe 2436 powershell.exe 4552 powershell.exe 4552 powershell.exe 3712 powershell.exe 3712 powershell.exe 1852 powershell.exe 1852 powershell.exe 4932 Wservices.exe 3984 msiexec.exe 3984 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3456 msiexec.exe Token: SeIncreaseQuotaPrivilege 3456 msiexec.exe Token: SeDebugPrivilege 3856 Xfc.exe Token: SeSecurityPrivilege 3984 msiexec.exe Token: SeCreateTokenPrivilege 3456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3456 msiexec.exe Token: SeLockMemoryPrivilege 3456 msiexec.exe Token: SeIncreaseQuotaPrivilege 3456 msiexec.exe Token: SeMachineAccountPrivilege 3456 msiexec.exe Token: SeTcbPrivilege 3456 msiexec.exe Token: SeSecurityPrivilege 3456 msiexec.exe Token: SeTakeOwnershipPrivilege 3456 msiexec.exe Token: SeLoadDriverPrivilege 3456 msiexec.exe Token: SeSystemProfilePrivilege 3456 msiexec.exe Token: SeSystemtimePrivilege 3456 msiexec.exe Token: SeProfSingleProcessPrivilege 3456 msiexec.exe Token: SeIncBasePriorityPrivilege 3456 msiexec.exe Token: SeCreatePagefilePrivilege 3456 msiexec.exe Token: SeCreatePermanentPrivilege 3456 msiexec.exe Token: SeBackupPrivilege 3456 msiexec.exe Token: SeRestorePrivilege 3456 msiexec.exe Token: SeShutdownPrivilege 3456 msiexec.exe Token: SeDebugPrivilege 3456 msiexec.exe Token: SeAuditPrivilege 3456 msiexec.exe Token: SeSystemEnvironmentPrivilege 3456 msiexec.exe Token: SeChangeNotifyPrivilege 3456 msiexec.exe Token: SeRemoteShutdownPrivilege 3456 msiexec.exe Token: SeUndockPrivilege 3456 msiexec.exe Token: SeSyncAgentPrivilege 3456 msiexec.exe Token: SeEnableDelegationPrivilege 3456 msiexec.exe Token: SeManageVolumePrivilege 3456 msiexec.exe Token: SeImpersonatePrivilege 3456 msiexec.exe Token: SeCreateGlobalPrivilege 3456 msiexec.exe Token: SeBackupPrivilege 2344 vssvc.exe Token: SeRestorePrivilege 2344 vssvc.exe Token: SeAuditPrivilege 2344 vssvc.exe Token: SeDebugPrivilege 2120 powershell.exe Token: SeDebugPrivilege 2080 powershell.exe Token: SeDebugPrivilege 4932 Wservices.exe Token: SeDebugPrivilege 4932 Wservices.exe Token: SeDebugPrivilege 2436 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeDebugPrivilege 3712 powershell.exe Token: SeDebugPrivilege 1852 powershell.exe Token: SeCreateTokenPrivilege 3456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3456 msiexec.exe Token: SeLockMemoryPrivilege 3456 msiexec.exe Token: SeIncreaseQuotaPrivilege 3456 msiexec.exe Token: SeMachineAccountPrivilege 3456 msiexec.exe Token: SeTcbPrivilege 3456 msiexec.exe Token: SeSecurityPrivilege 3456 msiexec.exe Token: SeTakeOwnershipPrivilege 3456 msiexec.exe Token: SeLoadDriverPrivilege 3456 msiexec.exe Token: SeSystemProfilePrivilege 3456 msiexec.exe Token: SeSystemtimePrivilege 3456 msiexec.exe Token: SeProfSingleProcessPrivilege 3456 msiexec.exe Token: SeIncBasePriorityPrivilege 3456 msiexec.exe Token: SeCreatePagefilePrivilege 3456 msiexec.exe Token: SeCreatePermanentPrivilege 3456 msiexec.exe Token: SeBackupPrivilege 3456 msiexec.exe Token: SeRestorePrivilege 3456 msiexec.exe Token: SeShutdownPrivilege 3456 msiexec.exe Token: SeDebugPrivilege 3456 msiexec.exe Token: SeAuditPrivilege 3456 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3456 msiexec.exe 3456 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4932 Wservices.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 4312 wrote to memory of 3456 4312 Outpdsaut.exe 81 PID 4312 wrote to memory of 3456 4312 Outpdsaut.exe 81 PID 4312 wrote to memory of 3856 4312 Outpdsaut.exe 82 PID 4312 wrote to memory of 3856 4312 Outpdsaut.exe 82 PID 3856 wrote to memory of 2120 3856 Xfc.exe 90 PID 3856 wrote to memory of 2120 3856 Xfc.exe 90 PID 3856 wrote to memory of 2080 3856 Xfc.exe 92 PID 3856 wrote to memory of 2080 3856 Xfc.exe 92 PID 3856 wrote to memory of 2332 3856 Xfc.exe 95 PID 3856 wrote to memory of 2332 3856 Xfc.exe 95 PID 2332 wrote to memory of 4572 2332 cmd.exe 97 PID 2332 wrote to memory of 4572 2332 cmd.exe 97 PID 4932 wrote to memory of 2436 4932 Wservices.exe 98 PID 4932 wrote to memory of 2436 4932 Wservices.exe 98 PID 4932 wrote to memory of 4552 4932 Wservices.exe 100 PID 4932 wrote to memory of 4552 4932 Wservices.exe 100 PID 4932 wrote to memory of 3712 4932 Wservices.exe 102 PID 4932 wrote to memory of 3712 4932 Wservices.exe 102 PID 4932 wrote to memory of 1852 4932 Wservices.exe 104 PID 4932 wrote to memory of 1852 4932 Wservices.exe 104 PID 4932 wrote to memory of 5028 4932 Wservices.exe 106 PID 4932 wrote to memory of 5028 4932 Wservices.exe 106 PID 3984 wrote to memory of 1312 3984 msiexec.exe 108 PID 3984 wrote to memory of 1312 3984 msiexec.exe 108 PID 3984 wrote to memory of 1312 3984 msiexec.exe 108 PID 3984 wrote to memory of 2528 3984 msiexec.exe 109 PID 3984 wrote to memory of 2528 3984 msiexec.exe 109 PID 3984 wrote to memory of 2916 3984 msiexec.exe 112 PID 3984 wrote to memory of 2916 3984 msiexec.exe 112 PID 3984 wrote to memory of 2916 3984 msiexec.exe 112 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Outpdsaut.exe (PID 4312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Outpdsaut.exe"
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\msiexec.exe (PID 3456)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\go1.22.2.windows-amd64.msi"
    Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Roaming\Xfc.exe (PID 3856)
    Command line: "C:\Users\Admin\AppData\Roaming\Xfc.exe"
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2120)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Wservices.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2080)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wservices.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (PID 2332)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7157.tmp.bat""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe (PID 4572)
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
- C:\Windows\system32\msiexec.exe (PID 3984)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1312)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 414202D4BE4F2FEB6786BA9715184D36 C
    Signatures: Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (PID 2528)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 2916)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 727F607BFEE512D59189400A8536602C
    Signatures: Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 2344)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\Wservices.exe (PID 4932)
  Command line: C:\Windows\System32\Wservices.exe
  Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Wservices.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4552)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wservices.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Skype.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1852)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Skype.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 5028)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Skype" /tr "C:\ProgramData\Skype.exe"
    Signatures: Creates scheduled task(s)
  - C:\Windows\System32\schtasks.exe (PID 1248)
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Skype"
  - C:\Windows\system32\cmd.exe (PID 1492)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB67.tmp.bat""
- C:\ProgramData\Skype.exe (PID 1948)
  Command line: C:\ProgramData\Skype.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize: 2.7MB
MD5: d10c38a7c388d6e5bd233d04f2821f68
SHA1: 5d55a622a50582b4eb593f334fc2e54d9d921490
SHA256: 0da13836fc27eea56a708d88bd779a3527764f59f0e9c6bf68f527c1babc6bcf
SHA512: 4183ceb511fd54432bc87db2ee41a2c3b31b57d8daea8e730144272b3815aeff668eaf46894172190d299aac37ce99fd9fa7839712d79945f7c0d32488e04ffb
-
Filesize: 1KB
MD5: 5d4950ecb7b26d2c5e4e7b4e0dd74707
SHA1: d6a5f1ecaedd723c325a2063375b3517e808a2b5
SHA256: 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067
SHA512: 5bbb2d94184f661d95ac3db758b72a9ce25d409b1179264634bf0612f797424b15a3f6e02069442a75561ca5054e4c4111b158b8dce4d545a7348f6392506a35
-
Filesize: 1KB
MD5: 3a55d95595a6f9e37dee53826b4daff2
SHA1: 4eca45b612f7d86f2f598f238074a0dac9b72bc9
SHA256: 96f408bfae65bf137fc2525d3ecb030271c50c1e90799f87abf8846d8dd505cc
SHA512: c15bbad668d0cfbb752645504e15cc5a4d613dedb28be825f39769a9c06cba19180140d0d6d8087c0e8489dc1363d8bd99aefc1f6579e7f103e0e8f81f5262c2
-
Filesize: 187B
MD5: e6c3b20f5ea4b807599b7c9a0669315b
SHA1: 6c126b5d6fdc23ab9b67fd77f1022a791ec5379b
SHA256: 981d96ffeca48c0c85e4b8356b06256841f4ec0419c25c3c28226dd3f95742af
SHA512: 9c017b6a69f2a6ffaa92b64063cbebeade67d55e19d24d470d57b6fe308f2e9afb3b119f47a1e3d47304f9af650ae2d67f7d929ef354654bd2fb717657516e84
-
Filesize: 191B
MD5: 8e59a1ebfda51e2a1f403dc38fcabdeb
SHA1: 238794947b687e46828baf6a328830d54b4e1dc7
SHA256: 964e1853b653b9c6cf3f9f3cc32e98fb57066d0b1fed3e934976634aff087f2b
SHA512: 6fd5c49d652e3955142133a9f954a7a3ef721daf82a0b71d184928f910c4d850ff78e1a9f4a0d2f0fbf39d2453ee9f48a926dbd7436f676a9bd6217d17945bea
-
Filesize: 191B
MD5: ead61cbe89c838b7f30760dca7b1bad1
SHA1: 0425279890c13b52f976ee11d95d587a9f0eca26
SHA256: 47539505b1fa7ea4cfd08d3f136b171789b21b05948e41bb74f8184ce84a6219
SHA512: de9ece21abef46d021335ff5ef5b17c012723bedbc7e87268d8b4dc99fd790563e84809aa68b0ef814a3ea53ac5a793c4e324fe38df3695b712bc079482c3225
-
Filesize: 187B
MD5: 93f57cb9aafd5139173a8f94136f3d43
SHA1: e1e47ab5fd3d0158be7f51e4f502e43bd6ad5dd4
SHA256: a9479d7c22dbe82085d58f275f1d94aa1b9caab62b8d5507762a10a3696a4e4b
SHA512: b222a38f0012f81509706fc01f849a568d5c2073b7540186bacc0cb6396010dcfde54efceec9b72c717aef949b7086057e05fc30f50bd6e65e57f833345d72bc
-
Filesize: 187B
MD5: 39704e1b2c683c78bcf6ff3a4045f768
SHA1: ac0897b1c11bc7e92493b89c5e30ad5af08fce0f
SHA256: c367e24723070d9d4b38599e0b89ab697cd10cc4f07b3d5afacc0c182e789a89
SHA512: 76a110116c5df8ccbc1e58f52b3e7517e31b69348cdc28445e0290a023256dc7510a5875637654e8ac499ffa9e9527b4a5b23a71463375c8789fffefe73fc1d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 471B
MD5: 6f7d4198f10ed256eb253f6bff3b747b
SHA1: 3f0d3ddf37cd6f248a82ac691ff737c133b8087b
SHA256: 15341ecbe6b8c1dcc259909c63b1198aeb9996a195adfcc5c8de991c6316fba7
SHA512: b3ba0ea2e4ddea61658692da76a54986e046c16c9421ea1107d531044d68d8a12fff9593b1ca4a71d054a3068bfe391f061165eeafd64bc9506d482a99867818
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D
Filesize: 727B
MD5: c446f20b026ca2a92fb612eca64b069b
SHA1: 1746b082b6598176cbe61eca629464104c06f4c8
SHA256: 106dec2c2b8e7a3045bfa773ff988ab47c7371ecc77fb6a892332a23b4858e53
SHA512: 6ce7528d13955d9bd0cde4ff2c30072a9006cae216f328ece83bebd01c76ef58919531bd15fcf7ffe7bf92b5e228fcf44c14863aecb96c825d5195b0088f3043
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 727B
MD5: ff274dfacd6e046e1349e47cb5dd3abd
SHA1: 0847dc44786bb43c0215605f06d105708b175e42
SHA256: 90b00b8a12917d3afc5be8bb3bb2c957943c0449ef555c7d2116379c09b35ec8
SHA512: 686e5826da24f0cd27a54d182b98565a96d4b79c5cb35e60bbecaf0a074d126397d5a6bd16734d029df075fdd32d1e6fe3f544f5be80f0620b7669235d81463b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 400B
MD5: 2c159af2a083e07bef1cb89b4eb116fc
SHA1: a0544152eb4e3bcb0c6840f0b15e41c609388855
SHA256: 319a610c0c47bb899ea8ca088f6e754322b5fcbae2b7c71b2a8e2c4ec16fbfec
SHA512: 105d9c60863f6007405ab2358ca43b9113e2c31c9a3f4e8d54c61016df39737bc67e3f1e248b66f5a99f735486d0517e5eb236c3912a60eb5955a6a482ec421f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D
Filesize: 404B
MD5: 3d020d95d0fb80a07642acd8baf1b715
SHA1: 80e38da9125f5b4d8139afcc214c9354f0654bb7
SHA256: 30cfe6e082fc8147da86aca29a228ef749f5789e45567d281831a731bf86edfb
SHA512: c96b1fe600169d37c0ecba525aebff44906ad76f730ffbe4e271e91f6f7a1dd7ff645f7437e0c217b14b83d31e8e2c2c8fe76f313d64282a75b0b1dceb3d15d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 412B
MD5: b21fe8b019b8e67b1922ba858ca6d1cf
SHA1: a43ba35ff10780312384b51c7c58c4bac0067e31
SHA256: 0d453ffa89687a5215bd03510039d8f87dbfcb5633e6684c8a36076473425809
SHA512: e74caa4e27dc27afe85bf962bd826f9dfb8c5ccd813fc75d0faa8ba2c3aa43e10d71e34f71db2f4db7461436e60b8acdc383399b2f27497ebbb5b9de85a0c403
-
Filesize: 2KB
MD5: 5ba388a6597d5e09191c2c88d2fdf598
SHA1: 13516f8ec5a99298f6952438055c39330feae5d8
SHA256: e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca
SHA512: ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19
-
Filesize: 944B
MD5: 69416944dac24129d0969e2ac46f0533
SHA1: d71969659956b32411e0606a9bee640a0b108ef4
SHA256: dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca
SHA512: aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c
-
Filesize: 944B
MD5: 037e8ff3605b11897a997dc992ac0fbc
SHA1: 9bd9814bb069de28c073e81e3122f5cec34d1cd1
SHA256: 988fbc10e01737b0847bc61a07034d58b35bb473145b49e0d5d24a5e8410fbd4
SHA512: 830ced3ded9fced94c783c773369c561712d4cff8a39277e19b21d632b430c3eeeb140bc273fcf231ae8c3f8aa8261909a01692de16c43ff5c2430488f698f13
-
Filesize: 944B
MD5: 5b705b4839f481b2485f2195c589cad0
SHA1: a55866cd9e6fedf352d0e937101755ea61a50c86
SHA256: f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6
SHA512: f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab
-
Filesize: 944B
MD5: b53572e2d17619ae41d35cf6e0dccb47
SHA1: ca931e853cfdc259d033a6a89182da6f8c4c7617
SHA256: 5d84c6c0dc45638b6f3e5beb807b31754ecad504b845933d822c1a2c22c637de
SHA512: dcc3820410a27124f620ecef61ca46e9dff1a99587174976983a08dcf75796ef68a2dff62de61f19f1ddb799f24fc3c66ea93478126efb7609529c5ab3ce663e
-
Filesize: 944B
MD5: aa6b748cd8f3e3c0e41549529b919e21
SHA1: 5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb
SHA256: d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8
SHA512: 361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534
-
Filesize: 104KB
MD5: f54bffe4d54c0b794c5389bd2c7baac2
SHA1: c472c6a4bd6510b02244d53819ef07882bc101e0
SHA256: 3c06f5beca24d0edaeb63bdd5e671386ffc66807e323ba6bcb893260eb52d433
SHA512: a722d4770d605d489c14fde532cacd031b11467041c5ff304c4c63a95efc21896996cc6eeef45bc462f7c72361763885f763ed732b75436e4bd191eeed829441
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 152B
MD5: 29323d37cb66a66150e6115cad11f4a2
SHA1: 9b7eac7184e725d8928bfa0f403c30f4fdc820f0
SHA256: 6d8752e0760ed4a6c12c25b1c87f02b80269e0e36a7b48fce98530c623afeaf5
SHA512: 536118a373e38cdf3129719c8aa9360dfdaade4babf2e2ba10d1eafec5944b570243d9c7afb8e8c0cc944b428d83b4a7c81aff602a5bb0800f38c82eed4c2c35
-
Filesize: 239KB
MD5: f5d83f09af3da232a5f6bd4d640eca79
SHA1: 9cecb55456ccd6e5bc419956be66fb7464566426
SHA256: 085b39eefbcb6dfa76672df25fbccda2b43e20cb018023f838ec9e00b4420edd
SHA512: 9a290ebba0cf381cea1941e39a008a6958478bb059b15737aca171015e1fc1ad557c42fe766c6dd1ad15f9680e125a7189c80bcd96deec496956e49e232895ec
-
Filesize: 202KB
MD5: ba84dd4e0c1408828ccc1de09f585eda
SHA1: e8e10065d479f8f591b9885ea8487bc673301298
SHA256: 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA512: 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize: 12.8MB
MD5: 4f25c7efcea72d10234a3c8abd2b5b00
SHA1: b212a5fd2d78fcaca477211429eb0e74b29910cf
SHA256: e5ebf2326247ecf0b27f489f9db24cb2bf7a0584b4d371735294701d847add4a
SHA512: 8965d89237e8b723f0d0f231e331de3f69aa45e3ad556caa909c9b8d4259d2f2fa4409aa28d6c5e1317ae472d1c5f031b3dcc0ed07629fd9e0a56a85f65e13a7
-
\??\Volume{bdd0c00a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4df067ce-e7d9-42e1-b975-22c10abf74eb}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 4c1cd3439c52ceb38df9ec57e638a485
SHA1: 3a4f69953dc19392d332e2595ce039be8ecfffe4
SHA256: 3005818acbf7ce2e50c2cba6da6a29a39438e4c68cabc6f44be4bfe59ed26156
SHA512: 10857598576fb89b01b58588483245c8af52eb393f3df09cdeddd04f1a53f1364bf99f4de76f179af4dd502f5d146d4fb6f1da404c139aba58508d07c642cd2b