xenarmor | 10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

Resubmissions

23/06/2024, 14:41

240623-r2tlnsyblp 10

23/06/2024, 14:41

240623-r2gbcavbqa 10

23/06/2024, 13:03

240623-qaqj9s1enc 10

23/06/2024, 12:34

240623-pr56lsthjk 10

Analysis

max time kernel
324s
max time network
324s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Bloxstrap 2.5.4.exe
Size

66KB
MD5

0680a239ba405c1935c687ebdf6d4540
SHA1

bf2cc8de357fe1af9888e120e1c139ca2bc77c15
SHA256

10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d
SHA512

09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73
SSDEEP

1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG

Score

10^/10

xenarmor xworm collection execution password persistence ransomware rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

medical-m.gl.at.ply.gg:28857

Attributes

Install_directory
%ProgramData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2964-1-0x0000000001010000-0x0000000001026000-memory.dmp	family_xworm

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe
2372	powershell.exe
2464	powershell.exe
2772	powershell.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015ca5-51.dat	acprotect
behavioral1/files/0x0009000000015136-46.dat	acprotect
behavioral1/files/0x0006000000015cad-56.dat	acprotect
behavioral1/files/0x0007000000014e5a-41.dat	acprotect
behavioral1/files/0x0006000000015cb9-61.dat	acprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Bloxstrap 2.5.4.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	All-In-One.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	All-In-One.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015ca5-51.dat	upx
behavioral1/files/0x0009000000015136-46.dat	upx
behavioral1/files/0x0006000000015cad-56.dat	upx
behavioral1/files/0x0007000000014e5a-41.dat	upx
behavioral1/files/0x0006000000015cb9-61.dat	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe"	Bloxstrap 2.5.4.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Bloxstrap 2.5.4.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Bloxstrap 2.5.4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Bloxstrap 2.5.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0029de146ac5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000908c854328bbc941a88c884f85e3c9f6000000000200000000001066000000010000200000009d5734b5a741e5acca46f237da43c6165781c883ed8c1495c5c18f3c00ab9bf5000000000e8000000002000020000000d23cbeb5ad806a246228ef4f84a7664b8f97d7bda57fbae75a13415475ed0766200000007eef1c05541788e6a339c5598c93cc9dcaf76cda1382b654cb23672f74882b2b400000008f8b6f48180065a208060d49d3e48a1e25077f0609e16f422551f56f1e7bec517e209b76d552a174fcfae94976b4f3a9363df425eafbd3597acfe3a8ac293aea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425308073"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40702691-315D-11EF-8356-E61A8C993A67} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000908c854328bbc941a88c884f85e3c9f6000000000200000000001066000000010000200000000e110cd916a01791c2150c9852c5f9282fa18e9ac5ea2258da66463bcccadf6b000000000e8000000002000020000000f96688cb7b0205b7f2f8cd6a452924d9948046ae1ed9185d59d10cfe1c07a9269000000021f72dafa462d21702a7a36604890a94fa90ee87e3c50125a0523bf5dec5a61f3c359ad093e9f81e0eb870891a7ea9329ee13cd28408c90e027084c2570ad9b7472b036027e80e2b2c6f89f44dcea9449eeaf243e2d7e25d32dccc39394fabf08fd21860ac3af5eb2e942275345e9103533363e5b3c99c0708ecf4f6254671ee5a320a70e2a2818f9603df7c968f93ec40000000a43eadf6b56f569f3ac1dd963f143ec9e01398b7532ff8233c461d8e5ea84a2c88f42d4c27796279c0d7e3f767e4043e0788dd68ca8edbf9a0a4df37dd013b3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1508	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1148	All-In-One.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2708	powershell.exe
2372	powershell.exe
2464	powershell.exe
2772	powershell.exe
2964	Bloxstrap 2.5.4.exe
1148	All-In-One.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	Bloxstrap 2.5.4.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2964	Bloxstrap 2.5.4.exe
Token: SeDebugPrivilege	1148	All-In-One.exe
Token: SeShutdownPrivilege	2256	shutdown.exe
Token: SeRemoteShutdownPrivilege	2256	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2924	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2964	Bloxstrap 2.5.4.exe
1148	All-In-One.exe
1148	All-In-One.exe
2924	iexplore.exe
2924	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2708	2964	Bloxstrap 2.5.4.exe	29
PID 2964 wrote to memory of 2708	2964	Bloxstrap 2.5.4.exe	29
PID 2964 wrote to memory of 2708	2964	Bloxstrap 2.5.4.exe	29
PID 2964 wrote to memory of 2372	2964	Bloxstrap 2.5.4.exe	31
PID 2964 wrote to memory of 2372	2964	Bloxstrap 2.5.4.exe	31
PID 2964 wrote to memory of 2372	2964	Bloxstrap 2.5.4.exe	31
PID 2964 wrote to memory of 2464	2964	Bloxstrap 2.5.4.exe	33
PID 2964 wrote to memory of 2464	2964	Bloxstrap 2.5.4.exe	33
PID 2964 wrote to memory of 2464	2964	Bloxstrap 2.5.4.exe	33
PID 2964 wrote to memory of 2772	2964	Bloxstrap 2.5.4.exe	35
PID 2964 wrote to memory of 2772	2964	Bloxstrap 2.5.4.exe	35
PID 2964 wrote to memory of 2772	2964	Bloxstrap 2.5.4.exe	35
PID 2964 wrote to memory of 1508	2964	Bloxstrap 2.5.4.exe	37
PID 2964 wrote to memory of 1508	2964	Bloxstrap 2.5.4.exe	37
PID 2964 wrote to memory of 1508	2964	Bloxstrap 2.5.4.exe	37
PID 2964 wrote to memory of 1688	2964	Bloxstrap 2.5.4.exe	42
PID 2964 wrote to memory of 1688	2964	Bloxstrap 2.5.4.exe	42
PID 2964 wrote to memory of 1688	2964	Bloxstrap 2.5.4.exe	42
PID 1688 wrote to memory of 1148	1688	cmd.exe	44
PID 1688 wrote to memory of 1148	1688	cmd.exe	44
PID 1688 wrote to memory of 1148	1688	cmd.exe	44
PID 1688 wrote to memory of 1148	1688	cmd.exe	44
PID 2964 wrote to memory of 2924	2964	Bloxstrap 2.5.4.exe	46
PID 2964 wrote to memory of 2924	2964	Bloxstrap 2.5.4.exe	46
PID 2964 wrote to memory of 2924	2964	Bloxstrap 2.5.4.exe	46
PID 2924 wrote to memory of 1700	2924	iexplore.exe	47
PID 2924 wrote to memory of 1700	2924	iexplore.exe	47
PID 2924 wrote to memory of 1700	2924	iexplore.exe	47
PID 2924 wrote to memory of 1700	2924	iexplore.exe	47
PID 2964 wrote to memory of 2256	2964	Bloxstrap 2.5.4.exe	49
PID 2964 wrote to memory of 2256	2964	Bloxstrap 2.5.4.exe	49
PID 2964 wrote to memory of 2256	2964	Bloxstrap 2.5.4.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bloxstrap 2.5.4.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap 2.5.4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bloxstrap 2.5.4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Bloxstrap 2.5.4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
    All-In-One.exe OutPut.json
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1148
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1700
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {DC40C8C5-E2E4-41E4-9BE8-1B9E043128F9} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
PID:2228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf0ef198bdd0a3817f23dbe0f67cafc

SHA1
d660d0e6e5673b181ca12f97b6851ba8bf57f0bf

SHA256
fdafd0461c7fb0dbb2be521b49e23861c8df1f441fecf44e6f8d7588f3ebe31c

SHA512
5ad44ce535381dd8a96be5935f96ef2cfebcbb7c3f40aa82a9252741201d2fea3102843745717b8b78c59451040a1edc21423ca6140f29d22f7dc3bb8a02621b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cdde4c462d481d8aaa554d368c8cfcd

SHA1
3c3c88a4231ffb7e4a18745f7fd3124e909f040c

SHA256
6204ab7ad1dc92755d16e3ce71bf0c18a1abf1326a65467bedd925c38ac4f1c5

SHA512
7a3f111662aca2e28d774ec9ce141e5df0dc6533693766e12e18175786efb707e8e64fcff43581c01c96ea5e42a4154a29ac226ce07b7abbd7dc51ce824caf35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c2c733822dd5ee4f256dedf36efdc72

SHA1
6a9cb41ba221391048b0f9737de13715804db7ce

SHA256
5ce49e786ad235499833122efe5c806d9dc52e77d3d004413f528cfdb733f9c3

SHA512
74c7b509719195824bd2a6ed2aa94fbcc01b970f08e39ad3786120f37748406560d9c6ba266489a9782ad50d496b7289792b3438e8f0c489b625e57231fb3de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cd3618a1e8285b8bb09ccbe90c95971

SHA1
9d6cd4c6861ef2a35f745fb9aa9f4acf6b3c66dd

SHA256
ee5a901db0c876a04ecafd5077ae6c443f54ccf34ee97b376ee1cd74a1dead4e

SHA512
e535a1bcf22fdf81ea67a0f68e5680aeaacd8a56b4aceb2f7df84d83d525a55c55293c98eaa0eec51dda1337845c46b2d5eded5c0c8e25ec5ec2b05317b49970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26035440568c97b45e8fdacd3d678c50

SHA1
73a3b8a2bed66ab680528607b4c93a6d8d13070f

SHA256
ff6b171186c4b9cbcfb4eb78898c46e4e12c75ba3977b73821576926f856e6bb

SHA512
3a1189a59d2a5e65a0da23c41366be56fbed748cfa3f1d0299c242eacbabd2b08de100b11710cc5987553dff397fad5bc5cd025ddbe8d7d9c1416db3d20708a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cedc2261f66aff2c8a0aa8346b0872d

SHA1
5fa9222b891ddb4db91756b3703c9153945c6d8b

SHA256
e58d3bd0f2f7f8cb465cfe54084163de431e98e43c7eadd0dc00c59c4057d652

SHA512
3a4f120b9d2fb450cc8ce7a20da226cf7b9cd4cd232526d205e7be58a7994b930c323dcf1cbeab209570767c85375a477133f2b54aeddcb742c931141fd2ae7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23aa26fe7f9edf26a1f08d1e398f2ca4

SHA1
fd8fc92b66613afbbbc06101368935e301f57972

SHA256
404c02ca3af93dbc390122c8ce5b3a281ae4b71b1e2e3f823d19f72b42105bca

SHA512
f24f686bd776ee4e4c2d8d410151a4d3612bdfb3093260e39ddd942f97dfce2639a76e272c290e4c20a636b7071058760fda2e66cf40e841269d69cb9937a5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff7393e7c60a0991179ac47c8acbc171

SHA1
923fd141804a9c1f08e81bb9a4190ab7d7c82bba

SHA256
81ea8c429d1e26239c0c520909f46f5a7fa24080573c94aa649bd2c7dd2a301f

SHA512
3861a13cf27be2551bc135d3034f0caedad9f581735bb17db30dccd281df696616c8d6f7a5ad69bdf432a0a6c36e3fd593c40547bc4fe6a70847afcb3992fccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d175e87e2db3791e626f3e044d84971

SHA1
a3189c0d6444e71462e215087347d7d9e691e027

SHA256
1dc7f6bb2e6ca89030cf936b847ceed84ece5182f148ee7dd1eab5d208c098a9

SHA512
b88c18153cba676f9951f5b2e3724a2509c646523667cebbc472f2c341400bc5f99443ea6a2d5c0a1b7e2fa491669390d02b5afe3c470013416aec939723530a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d0d24ff1564ebdb199a7a72d261aba

SHA1
d2d74afbb676378e7fc7735d9ff54b7e0a6b250d

SHA256
df6d6f6e8ad40f00dc3b8b667de0a7990bd8961c25cfbfdfd27bd0ed5cde2f30

SHA512
7ce4552748a4625cf50bee58c9483a1a3cc12c9f5f2c817eb48516dd25430460d91ac022cdc4c001457ca5601c549dd297e03d5209aab73aefb8a697bc485119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98f4d2ca1d4c6427e5d4eeb7b8746c5c

SHA1
f4537452f1d381dd97fbcf01ce021c83dfe792c9

SHA256
71483af1289dd157fdbee5aa75ee328737a1d449ceec00acaf95324b2942da82

SHA512
1f77386f677ee290d15ecdb8f987d5eeb54346eadb109c9b7caef88acf0c2b35bc11758a641c1c50523657001ebf9e95204eb87ad72a4cafed6636385e787959

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4cc2b1a53bffb839c17c700532d3a90

SHA1
54871e8f385d8c8f322db791fd21508acac25081

SHA256
d11ead9fd12a975ae54b2be508f02a1c62516abc11ca940ec76f2f4f27e3e079

SHA512
5bb3be473d351e964b0549c5d490cc589654d3d44351ba1a01f681468ae4244cfee7fe9cb19c3ef6db4f7b073b8fc4f6b03f4d362e2b5621483d28b60d6c58a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec81a4f1cb0f1f687ccad66c7d5cd982

SHA1
5aa94659e382c996583c8ebccc16f2251a68735c

SHA256
318b3235552f1f74269040bc20086939e67dd88a9f96c0fd3cb9737512cfcb69

SHA512
36e15c7e8e526d9ce4cdd5d81df17285af6b6873d4d399e6f3a38249bc652240bef31b3f2e0223ce7155f175defc84977486568e7023fce50d7d3e3613033007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abae0ba32f88c2058bf760e8d2228977

SHA1
da2cccec4777b058f2ede98b32591deaa54d7e16

SHA256
f479b2f2395b08b81a806593f81a363a85ec68e0511f8c197d5af579f9a0425a

SHA512
8c5c0c1bbddffb9e4cb0dd3086ad997664daf96e6082b7739ef465bcd64084b8ff1ce576b1d7200be123d3672291e041b0604ae657da023dc85d542f3b377150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef62208ceb3227229e04c06711abd4ce

SHA1
d233e015175b7a4cc53eb87500aefca9b97729ce

SHA256
605127735719f9504c413c7b67dcc826952fc21cc34edb596533c03867faa4f2

SHA512
ce0d2181715ed9f32bef203aa52bcfa19967ebb69dfdc301cf1f87e50ed8d39f2ea91a05b6567cdfc03e59c6e85c29cd589007bf39689e8fba011fee358259fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca115162397314f6bea592d5522612a0

SHA1
c788a7b6a31dce0158fa9f535855be6bb6986c52

SHA256
7a8d56eb8d291e631ff41f55f817fb06fcf33fa30c384724af37c6466bb7c850

SHA512
33df4d3733439bed6e76f069c6e88617a368d2708c17577352cd4a297dd5c314b064da83e1a81c590fb20f40f3e97494e50ec370c55feeb0fe6f9c9aea178534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39bdee11456f3eb7f56b66bb3c44f12c

SHA1
2bf6392165cb957a8aee280977c5af8f05fcd924

SHA256
64f31555fb80a23c4e12e8a97b1c783bb9d6b59690c0179e416f0046627f5424

SHA512
475b36ffd5f49fa123cd6c9d65077d9b0b454b0d30050c2dcecaceecb3e20221b216431bfc75dc02f26fa860be8790b8a0bd3f506769522342efd985e1d7399b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
649747c8fa80c969bcb857fd52565bb8

SHA1
1fd6afda102c40abf542df8994f94ddb41b67075

SHA256
54c16d12b3fed75ddddae0848be42b6da35b47e9bb499577a93c477b83a1e90d

SHA512
f46d405e77f61de340db29452fe894c2963c4008299c5d125921af0e7a88579df5a3d0f1af36a17764896548965317fe073532ba1392bee208b8c4d8db04c73a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8b9a4bcb90b775c4cf3c768345d9d8d

SHA1
4548f19de1432488880f9751135ad842a1fdcf16

SHA256
da2f0db84786c36fdbdfd42b050f2aeb5d454304dc97d783e9330a61c9bb6f45

SHA512
89d980d6b2a8761f1dd76858179037438b87d49015f9e07e97f231e84dcb809231e20035ab5440e4d592f46b4f409a0515a3a6d318c25ca4d3c8a9a38c019654

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAD7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDBB4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll

Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll

Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll

Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll

Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll

Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll

Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutPut.json

Filesize
59B

MD5
c5c15e7b1aac854b1e92a4d1c2fb59b6

SHA1
1c10b459171d26546eafac69d5647e744d6002c8

SHA256
c148de684bfb4400bbb5e4239a4e5f28c7b068160de8ad852f7606365ce623a2

SHA512
85be142ac152717148fc5819494457c61b9a2c7b30643a3d98415305b79ade5d3ddb65ce7f6a684ad2973fbad72f5e05409344c0d445fb0e542d352305fdb42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBC9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll

Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db

Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33a982164eb1f14e56fdcec511b6a603

SHA1
e73ae75c63b1c0cebabe2581f37ce778e2ce3d8b

SHA256
53c953fb1831056c42f182e92ab92302e475b2ec16150849cd5ce94671f81ef8

SHA512
7ea2036d3f3e8615501de2b093f52c2fb449d9668062741fca7151ab421d7ee5844b46559f5f531f019aa1c52c4185e4ecc23931796574ed40593a69ecf30f5b

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
640B

MD5
1ff4689e8688a48d978b6e3f46a0b7fe

SHA1
3fcfa319134a1abf6d38feb5fa27f10d32d163e1

SHA256
9acc3c4dc7d5437ded63a21f2751cdcbab556befd5c4e970e5fba98a46fd6c6c

SHA512
217533d7a5df7a606cc5b630725f77a7cff09b2358eedf0d9d25988a9825dfcf50ba19a19f8d787d9587f4713ee95044e2e786313aeb126e6b4e37dcad975732

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
fe3907979d7da74e215004b312a2bcd6

SHA1
f18f1240bbaf4c03f68a5bc9984f3cff65a860af

SHA256
425e14c205234c2193ae9836f2f188c380d3a6ac3a092f58a6ecdc59324dd249

SHA512
6681d089c2d9ac5367445b0e20c38e1009b1763a5676b4027e13aa48f3f7e22081a4b7519377e964e1275b2c717d9a51e97cfc79cc29273003413b7082c99a21

Download Submit
memory/2372-15-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2372-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2708-7-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2708-8-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-9-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2964-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2964-32-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2964-33-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-35-0x000000001DA80000-0x000000001DF54000-memory.dmp

Filesize
4.8MB

Download
memory/2964-217-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/2964-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2964-1-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/2964-1892-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads