Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-yz6a1szdnr
Target Bezpieczny Plik.exe
SHA256 733cef3e9946378bf9f84d6f19cf1ea8c696d98a759838eb88e0673f21ad8730
Tags
xworm evasion execution persistence privilege_escalation ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

733cef3e9946378bf9f84d6f19cf1ea8c696d98a759838eb88e0673f21ad8730

Threat Level: Known bad

The file Bezpieczny Plik.exe was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution persistence privilege_escalation ransomware rat trojan

Detect Xworm Payload

Xworm

Xworm family

Contains code to disable Windows Defender

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Drops startup file

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Sets desktop wallpaper using registry

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:14

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:14

Reported

2024-06-20 20:22

Platform

win7-20240611-en

Max time kernel

464s

Max time network

471s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe" C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008a9a9b4fc3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C67EDAA1-2F42-11EF-9E55-E6415F422194} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000aaf8947392313e51ad2ab4af68647f552a6ab1a02ba6c986bd27f980dd24829b000000000e8000000002000020000000c7c73f64a85ad3bf5aace548120d7a48f9cbdf5a2f45c1c9908647db113938b420000000669d5de58785efd61203a6d7ec91fe3d6e5ea7e843c9a7451bab36fdfaf55e974000000008511d432582098cba44146b8306b2ff9c2568d3130b3c21dfd5c9637ad0553aff518032be72190f373f4aca640c111ca3d1dadb27c05febf7b02a302b7c1069 C:\Program Files\Internet Explorer\iexplore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1440 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\schtasks.exe
PID 1440 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\schtasks.exe
PID 1440 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\schtasks.exe
PID 1440 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\netsh.exe
PID 1440 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\netsh.exe
PID 1440 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\netsh.exe
PID 1440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1072 wrote to memory of 3016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1072 wrote to memory of 3016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1072 wrote to memory of 3016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1072 wrote to memory of 3016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1440 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\system32\shutdown.exe
PID 1440 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\system32\shutdown.exe
PID 1440 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\system32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe

"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bezpieczny Plik.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FB1EC592-7FDF-4875-859D-E95215B036C4} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2

C:\Windows\system32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 remember-sail.gl.at.ply.gg udp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp

Files

memory/1440-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/1440-1-0x0000000000C90000-0x0000000000CC2000-memory.dmp

memory/1440-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/2800-7-0x000000001B270000-0x000000001B552000-memory.dmp

memory/2800-8-0x0000000002490000-0x0000000002498000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 701a1d61b87e57e83ecf600f5e89297a
SHA1 0f993c8e5587144870d024b60e2cc27e9b09d643
SHA256 134b943bedb33e4f7625c079fcaa1ffaea1b9903c1f7c97fcaf4579b12a24fe7
SHA512 b5c7dd2378bee0f5f8d6492b7ff61d3b6ef1f51a99334a676280b883b09c0580e8921c252b6aa658d9853831081cc9dabc37a9b64496a3e53ac6425aa03dfc44

memory/2632-14-0x000000001B470000-0x000000001B752000-memory.dmp

memory/2632-15-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1440-31-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/1440-32-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

memory/1440-34-0x000000001A7F0000-0x000000001A7FC000-memory.dmp

memory/1440-35-0x000000001AC40000-0x000000001AC4E000-memory.dmp

memory/1440-36-0x000000001AC50000-0x000000001AC5A000-memory.dmp

memory/1440-37-0x000000001B0B0000-0x000000001B0BC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 5c088134b8d44512417f3c0c5b5e0b28
SHA1 9fa38efde1cf2b2f30746e1524d12c6f188068a8
SHA256 65ccc62d0c35f7f700c9801ef817968ad89f6d711897361b62d5556234387d74
SHA512 3d01738706d99d989a63caac5de5fd4fbc2a062949437231e29a54a74f2912e5f042c1476be135be5eeafb1dc222441cf4ad67ea8ad443bde59566ff1186859c

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 67a803ecf30cb281b5944055eab437bd
SHA1 6f4aeded87fcc7607cb959830bfd55866effcff6
SHA256 755f39cdc15a4a15ff6a5243831f32881f3c5b0517eba5951d234ac737300566
SHA512 56bc98d95ef24bfe513bbbed6faae771f0420e64b1c2e230553519e4c8480e898268a5c679bf9d8b818e0a1a22c1edd98ce4ecf7a9ea03c213b14738c27ead60

C:\Users\Admin\AppData\Local\Temp\CabC32.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCF2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 def3e184f81f09ce59a01cf7a7cb24db
SHA1 a1b6dfa1258ace49ae5d99fa68248869ab16b2b3
SHA256 19621d1cf1ddb5ea54ef9dbf6f5e93162c5e179b276961747cca0273711cc39d
SHA512 b0de4b4cb24d97c5dedeaf80ba9d240f264c87683eaafc61de7959d2e5bf6ab9268c39c67c37d59f9222c2ac8a3ee7312404d0724688525a3452502db06d9632

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e20197cfe7d597dcbfaa5376cd74588e
SHA1 56a631fce7b82bbdafb76d643d9bc2e53977c839
SHA256 41b3f7b73ada3be2983dde01be1b6975c856ff73450a244cc3acd3925ee6f930
SHA512 5ee5b643e243f71975e8a50679f37f91906eedc302de84f1dba598c7bff18ee005e078a7252baa4cccf2041bf0c9330f516ba9846ff839f461a70a8a27472d0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 193568ac33eccb47fc770fe2f5313160
SHA1 779c914c76b592ef7f2c4e45efe47fc93b4154df
SHA256 926559176a3b93d68a6b483ff2888bf390fbc8ce618e157ab7d9f5adf098c5bd
SHA512 122199ed43729b2d0d577472b16d92db0d5bae913c2a6ee05e17ebde2b79a311ed1fe2de80ee314566004f22d2d364ede59f839d713d1578b4abe602af0b69ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 901fd4e6b925a29aa38e1342e330c4f4
SHA1 c442f6b2e82733d5fa3e7fbe68ba6490375f8a32
SHA256 3f9ad41f87dc63fe0f1a3a9243ee34710a1a98b3a00e18d5d1dd244aa49a4d19
SHA512 66068d55c3e1f4fd46a535ed8552041e7710b1110e07b6e5079590991a725481aa6585e899d8b1c8c1944ff3cbd24b1e42287834c689c7d9c3f320358e1390b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5735e8c8878563bf4d94778c085d405
SHA1 bd8698b33a3397fd84411ff2e7642d5032d68f81
SHA256 cfe8ffec1840150ebae99bc9d89f9e71cbf4c0169998073bc01a684a6c4d65e5
SHA512 0d20477cdb71d052251ac04d7acb107eff4f6de36d6f66e736870c05e5c3b1b4026e84e4705f492445a0dd85e18e7e31f7f2b0dc6af21bff506c7f5fe940c538

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06dbe8bdc22314888ebbba501dc2b22f
SHA1 336e59f8704998fdb59c263a35de56f19bd476f3
SHA256 fdf4cce931df9bdca68c881ae1b3736f27f7148606546cf745066fa7b486a266
SHA512 db4b451a95803aae52ed01e70dd787ccab04e0b49949170b0e69cb1fbe9ac146c998940cff9b048aa6e9e9058323e91095809a3bc0af8cf865db7e9cc4858d4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a1bd045a7efcb393ce0b441f6f341a0
SHA1 ed4292da0e8d30c2783e190e8cc3da8b2a195b75
SHA256 3b7e822abe9c577263684b927f979fcece46953506d139cbffbc62ec5c2e609a
SHA512 c65890ea8b47a3e3e4635d282c758290187be72f9255d825d60bcc3714143e756e35c7cc4c6f12ec0b105aa66d9dcb0c3db9715d193d0c0daf753147085236de

memory/1440-668-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 20:14

Reported

2024-06-20 20:22

Platform

win10v2004-20240611-en

Max time kernel

465s

Max time network

472s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe" C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\system32\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SYSTEM32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3500 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\schtasks.exe
PID 3500 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\System32\schtasks.exe
PID 3500 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3500 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3500 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\SYSTEM32\shutdown.exe
PID 3500 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe C:\Windows\SYSTEM32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe

"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bezpieczny Plik.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbxxcm.bat" "

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2832,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=1376,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=1384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3668,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5360,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5528,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5540,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8

C:\Windows\SYSTEM32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38d8055 /state1:0x41c64e6d
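Read top to bottom, the process list is the whole chain: the sample first runs four elevated PowerShell commands (Add-MpPreference only works from an elevated session) that exclude its own path and process name and those of the copy it is about to drop from Defender scanning; it then registers a scheduled task named "Windows Defender" that runs the Temp copy every minute at the highest run level (the copy carries the same SHA256 as the sample itself, see the Files section), runs a batch file, opens the ransom note in Edge and finally forces an immediate reboot. The Python below, an added example that is not part of the sandbox report or of the Triage product, copies those command lines and classifies them with a handful of rules a responder would apply to any process log; the rule names, the LOOKALIKE_NAMES list and the triage()/summarize() helpers are this editor's own.

```python
"""Triage of the process command lines in the behavioral1 run above.

Added example, not part of the sandbox report or the Triage product. The
command lines are copied from the Processes section; the rule names, the
LOOKALIKE_NAMES list and the triage()/summarize() helpers are this editor's own.
"""
import re
from dataclasses import dataclass

# Copied from the Processes section. Edge's renderer/utility children
# (--type=renderer, --type=utility) are left out: they carry no triage signal.
PROCESS_LINES = r'''
"C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bezpieczny Plik.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bezpieczny Plik.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbxxcm.bat" "
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
shutdown.exe /f /s /t 0
'''.strip().splitlines()

USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Names a dropped file or task borrows to blend in with Windows (editor's list).
LOOKALIKE_NAMES = {"windows defender", "windows update", "microsoft edge"}


@dataclass
class Finding:
    rule: str
    detail: dict


def image_of(cmdline):
    """Return (full path, lower-case basename) of the launched image."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    path = m.group(1) or m.group(2)
    return path, path.rsplit("\\", 1)[-1].lower()


def triage(cmdline):
    """Apply the rules in order; return the first Finding or None."""
    path, img = image_of(cmdline)
    low = cmdline.lower()
    if img == "powershell.exe" and "add-mppreference" in low:
        m = re.search(r"-Exclusion(Path|Process)\s+'([^']*)'", cmdline, re.I)
        return Finding("defender_exclusion", {"kind": m.group(1).lower(), "value": m.group(2)})
    if img == "schtasks.exe" and "/create" in low:
        opts = {k.lower(): v.strip('"') for k, v in
                re.findall(r'/(tn|tr|sc|mo|rl)\s+("[^"]*"|\S+)', cmdline, re.I)}
        return Finding("scheduled_task_persistence", {
            "name": opts.get("tn"),
            "run": opts.get("tr"),
            "every_minutes": int(opts["mo"]) if opts.get("sc", "").lower() == "minute" else None,
            "highest_runlevel": opts.get("rl", "").lower() == "highest",
            "runs_from_user_writable": bool(USER_WRITABLE.search(opts.get("tr", ""))),
            "masquerades_as_system": opts.get("tn", "").lower() in LOOKALIKE_NAMES,
        })
    if img == "shutdown.exe" and {"/s", "/f"} <= set(low.split()):
        m = re.search(r"/t\s+(\d+)", low)
        return Finding("forced_shutdown", {"delay_seconds": int(m.group(1)) if m else None})
    if img == "cmd.exe" and ".bat" in low:
        m = re.search(r'([a-z]:\\[^"]+\.bat)', cmdline, re.I)
        return Finding("batch_launcher", {"script": m.group(1) if m else None})
    if img == "msedge.exe" and "--single-argument" in low:
        target = cmdline.split("--single-argument", 1)[1].strip()
        return Finding("ransom_note_opened", {"file": target, "looks_like_note": "decrypt" in target.lower()})
    if USER_WRITABLE.search(path) and img.removesuffix(".exe") in LOOKALIKE_NAMES:
        return Finding("masquerading_binary", {"path": path})
    return None


def summarize(lines):
    """Group findings by rule, dropping lines that trip no rule."""
    by_rule = {}
    for line in lines:
        f = triage(line)
        if f:
            by_rule.setdefault(f.rule, []).append(f.detail)
    return by_rule


if __name__ == "__main__":
    for rule, hits in summarize(PROCESS_LINES).items():
        print(f"{rule}: {len(hits)}x, e.g. {hits[0]}")
```

The seven masquerading_binary hits are what a one-minute task produces over a short detonation; in a real environment the scheduled task, the four exclusions and the Temp copy all have to be removed together, since any one of them left behind re-establishes the others.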

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:33823 tcp
US 8.8.8.8:53 remember-sail.gl.at.ply.gg udp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.242.123.52.in-addr.arpa udp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.20.12.87:443 bzib.nelreports.net tcp
GB 2.21.189.233:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 87.12.20.2.in-addr.arpa udp
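Most of the 42 rows above are noise: reverse (in-addr.arpa) lookups the sandbox issues for every peer it talks to, and Microsoft Edge's own background traffic after the sample launched it to display the ransom note. Two endpoints matter. ip-api.com over port 80 is an external-IP lookup, and remember-sail.gl.at.ply.gg:33823 is the command-and-control channel; the *.ply.gg name belongs to playit.gg, a public tunnelling service, so 147.185.221.20 is the relay rather than the operator's host and a fresh tunnel name costs the operator nothing. Block the hostname and port pair rather than attributing by IP. The Python below is an added example, not part of the sandbox report: it copies the table and reduces it to the connections worth acting on; the noise filters, the role names and extract_iocs() are this editor's own.

```python
"""Reduce the Network table of the behavioral1 run to the connections worth blocking.

Added example, not part of the sandbox report. The rows are copied from the
Network section above; the noise filters, role names and extract_iocs() are
this editor's own.
"""
import ipaddress

NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
N/A 127.0.0.1:33823 tcp
US 8.8.8.8:53 remember-sail.gl.at.ply.gg udp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.242.123.52.in-addr.arpa udp
US 147.185.221.20:33823 remember-sail.gl.at.ply.gg tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 2.20.12.87:443 bzib.nelreports.net tcp
GB 2.21.189.233:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 87.12.20.2.in-addr.arpa udp
""".strip().splitlines()

# Edge was launched by the sample to display the ransom note, so its own
# background traffic shows up in the table; these suffixes are the editor's list.
BROWSER_NOISE_SUFFIXES = ("microsoft.com", "bing.com", "nelreports.net")


def parse_row(row):
    """Split 'Country Destination [Domain] Proto'; the loopback row has no domain."""
    parts = row.split()
    host, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "host": host, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]}


def classify(conn):
    """Assign one role per connection; order matters (noise is ruled out first)."""
    d = conn["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "reverse_dns_noise"      # sandbox resolving PTR records for peers
    if any(d == s or d.endswith("." + s) for s in BROWSER_NOISE_SUFFIXES):
        return "browser_noise"
    if ipaddress.ip_address(conn["host"]).is_loopback:
        return "loopback"
    if conn["port"] == 53 and conn["proto"] == "udp":
        return "dns_query"              # keep the queried name, not the resolver
    if d.endswith(".ply.gg"):
        return "tunnel_relay"           # playit.gg relay; the operator sits behind it
    if d == "ip-api.com":
        return "external_ip_lookup"
    return "unknown"


def extract_iocs(rows):
    """Return the non-noise DNS names and the de-duplicated (host, port, domain, role) tuples."""
    conns = [parse_row(r) for r in rows]
    dns_names = sorted({c["domain"] for c in conns if classify(c) == "dns_query"})
    iocs, seen = [], set()
    for c in conns:
        role = classify(c)
        if role in ("tunnel_relay", "external_ip_lookup", "unknown"):
            key = (c["host"], c["port"], c["domain"], role)
            if key not in seen:
                seen.add(key)
                iocs.append(key)
    return {"dns_names": dns_names, "iocs": iocs}
```

Anything classified "unknown" is a row the filters could not explain and deserves a look rather than silent suppression; on this table the result is exactly the two endpoints named above.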

Files

memory/3500-0-0x00007FFC79173000-0x00007FFC79175000-memory.dmp

memory/3500-1-0x0000000000770000-0x00000000007A2000-memory.dmp

memory/3500-2-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/1164-8-0x0000018DA0FB0000-0x0000018DA0FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0gqnmqq.kok.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1164-13-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/1164-14-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/1164-15-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

memory/1164-18-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

memory/3500-57-0x00007FFC79173000-0x00007FFC79175000-memory.dmp

memory/3500-58-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe

MD5 60159d1426f5bbd7c7de39beb0045da1
SHA1 fb161b3cc263337dd116a3b1de699c5ba348308d
SHA256 733cef3e9946378bf9f84d6f19cf1ea8c696d98a759838eb88e0673f21ad8730
SHA512 6285f771484a8d430a864cad7f75457f04c07eddb420c678f9060ff6de5bab8921b8b5f9e8bc1318817677f3e71ab301cb4766d54e112f0c7a3dc97daa2f33ea

C:\Users\Admin\AppData\Local\Temp\dbxxcm.bat

MD5 5a0044fb674fde17aaef6aa5cec860ec
SHA1 e589f24b6f840cbe5bb9495f6d6261766d5c791c
SHA256 d5090e4b5fa48b21108c7a5711fa8ce484f45f88b7264a5467e32f493c8437de
SHA512 46db229454b0debb8e9a9f559c117896fe6a0025f4015b61efb716f326b7a8f6b951cf086a3b049bd674516a78b45685487e5adde7a71b68819cddfa63b497aa

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/3500-71-0x0000000002930000-0x000000000293A000-memory.dmp

memory/3500-72-0x000000001BCC0000-0x000000001BCD2000-memory.dmp

memory/3500-76-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 e6899d047e74fbaee76bc9b05e321645
SHA1 30f607b0f013858070b27dfb44c88ea13a9e9e9d
SHA256 ea5c8c2e4f5f1e901bbd119874e3af341e97a8b7e5cc5c1399fc45f6e5d5ae0d
SHA512 988a6488a667550e1e71e8bf2fc614d257ff36d55cb1a57efbc9ec1554046cbce62b35043c8ffae3e811471e6b4b82be5d65ce5f5130ecb6ade11d5ad6be9f5d

memory/3500-272-0x00007FFC79170000-0x00007FFC79C31000-memory.dmp