xenarmor | 10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

Resubmissions

23/06/2024, 14:41 UTC

240623-r2sdlsyblm 10

23/06/2024, 14:41 UTC

240623-r2eshsvbpf 10

23/06/2024, 12:35 UTC

240623-pseeaathkk 10

Analysis

max time kernel
299s
max time network
300s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 12:35 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Multitool.exe
Size

66KB
MD5

0680a239ba405c1935c687ebdf6d4540
SHA1

bf2cc8de357fe1af9888e120e1c139ca2bc77c15
SHA256

10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d
SHA512

09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73
SSDEEP

1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG

Score

10^/10

xenarmor xworm collection execution password persistence ransomware rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

medical-m.gl.at.ply.gg:28857

Attributes

Install_directory
%ProgramData%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2412-1-0x00000000009C0000-0x00000000009D6000-memory.dmp	family_xworm

XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
2760	powershell.exe
2488	powershell.exe
2964	powershell.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000014a29-45.dat	acprotect
behavioral1/files/0x0006000000015cc2-60.dat	acprotect
behavioral1/files/0x0006000000015ca9-55.dat	acprotect
behavioral1/files/0x0009000000015c9b-50.dat	acprotect
behavioral1/files/0x00070000000148af-40.dat	acprotect

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Multitool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Multitool.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	All-In-One.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	All-In-One.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000014a29-45.dat	upx
behavioral1/files/0x0006000000015cc2-60.dat	upx
behavioral1/files/0x0006000000015ca9-55.dat	upx
behavioral1/files/0x0009000000015c9b-50.dat	upx
behavioral1/files/0x00070000000148af-40.dat	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe"	Multitool.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Multitool.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Multitool.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Multitool.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Multitool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000006ed13ccc70184df0b7ce364f313014df27aae2f7a2cbf19d9160836fa8d06895000000000e80000000020000200000009308c4c622bc79c9739db1564c022eec3cc7fa1d7f1a39ed5bb64e61cacd42e9900000008d04cc394d8a4c242e7db0b2c55af5b16fd33ca71c2bb152e73c6fe99fcdba62e5b843fe3be946c2ec5ac4b2c61501c927be0432bc31175d57e98f479ff6d0a5c72a6dc5afbcf00b5241846da872848dc29173be349f285cfa601daa33a0b98f0b68716d06e8ccb310e3081a98611c10952d62c3d00c436b56a992c0c2d520d03753195bd4535e2fc634331202da5d044000000017858c1a7aaf28f35fdbcfb35c4e418345cc25ada47cb0cf58175ddf8a2007f13e82671088bf69b784636db66cfe12cd2bcfe405619c3450893d083673066c9b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000942056e1b3f7320eec799963b133a53f807e4b90b3e437f7fa87521316eb0189000000000e800000000200002000000085315c1e47c754e42744091f848108ecb301ffa7c3374dea4ef5fdb81d38663f20000000109e731ec9a623da637788f7014692c34d1a7501b5b25fcf015606a1f99dd0b7400000006badbbd94230f7f50f652b547c412e71bce23b866b32879a14d244c4cb0216f5ec3f642db04e308ea05c09a78e770b844d33dd705b1ffe6d5e4fc035a69ad795	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FF84711-315D-11EF-88D8-5E50367223A7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425308072"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0077e146ac5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2576	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1244	All-In-One.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2716	powershell.exe
2760	powershell.exe
2488	powershell.exe
2964	powershell.exe
2412	Multitool.exe
1244	All-In-One.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	Multitool.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2412	Multitool.exe
Token: SeDebugPrivilege	1244	All-In-One.exe
Token: SeShutdownPrivilege	1924	shutdown.exe
Token: SeRemoteShutdownPrivilege	1924	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
332	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2412	Multitool.exe
1244	All-In-One.exe
1244	All-In-One.exe
332	iexplore.exe
332	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2716	2412	Multitool.exe	29
PID 2412 wrote to memory of 2716	2412	Multitool.exe	29
PID 2412 wrote to memory of 2716	2412	Multitool.exe	29
PID 2412 wrote to memory of 2760	2412	Multitool.exe	31
PID 2412 wrote to memory of 2760	2412	Multitool.exe	31
PID 2412 wrote to memory of 2760	2412	Multitool.exe	31
PID 2412 wrote to memory of 2488	2412	Multitool.exe	33
PID 2412 wrote to memory of 2488	2412	Multitool.exe	33
PID 2412 wrote to memory of 2488	2412	Multitool.exe	33
PID 2412 wrote to memory of 2964	2412	Multitool.exe	35
PID 2412 wrote to memory of 2964	2412	Multitool.exe	35
PID 2412 wrote to memory of 2964	2412	Multitool.exe	35
PID 2412 wrote to memory of 2576	2412	Multitool.exe	37
PID 2412 wrote to memory of 2576	2412	Multitool.exe	37
PID 2412 wrote to memory of 2576	2412	Multitool.exe	37
PID 2412 wrote to memory of 1872	2412	Multitool.exe	40
PID 2412 wrote to memory of 1872	2412	Multitool.exe	40
PID 2412 wrote to memory of 1872	2412	Multitool.exe	40
PID 1872 wrote to memory of 1244	1872	cmd.exe	42
PID 1872 wrote to memory of 1244	1872	cmd.exe	42
PID 1872 wrote to memory of 1244	1872	cmd.exe	42
PID 1872 wrote to memory of 1244	1872	cmd.exe	42
PID 2412 wrote to memory of 332	2412	Multitool.exe	46
PID 2412 wrote to memory of 332	2412	Multitool.exe	46
PID 2412 wrote to memory of 332	2412	Multitool.exe	46
PID 332 wrote to memory of 1256	332	iexplore.exe	47
PID 332 wrote to memory of 1256	332	iexplore.exe	47
PID 332 wrote to memory of 1256	332	iexplore.exe	47
PID 332 wrote to memory of 1256	332	iexplore.exe	47
PID 2412 wrote to memory of 1924	2412	Multitool.exe	50
PID 2412 wrote to memory of 1924	2412	Multitool.exe	50
PID 2412 wrote to memory of 1924	2412	Multitool.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Multitool.exe
"C:\Users\Admin\AppData\Local\Temp\Multitool.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Multitool.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Multitool.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
    All-In-One.exe OutPut.json
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1244
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1256
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {2D05A7FF-52E9-4159-BAAB-22E0361193EA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
PID:2276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1920

Network

DNS

ip-api.com

Multitool.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Multitool.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 23 Jun 2024 12:35:27 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 10
X-Rl: 42
DNS

medical-m.gl.at.ply.gg

Multitool.exe

Remote address:

8.8.8.8:53

Request

medical-m.gl.at.ply.gg

IN A

Response

medical-m.gl.at.ply.gg

IN A

147.185.221.16

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Multitool.exe

310 B
347 B
5
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
147.185.221.16:28857

medical-m.gl.at.ply.gg

Multitool.exe

142.4kB
7.9MB
3028
5986
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

753 B
7.8kB
9
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

753 B
7.8kB
9
13
204.79.197.200:443

ieonline.microsoft.com

tls

iexplore.exe

831 B
7.8kB
10
13

8.8.8.8:53

ip-api.com

dns

Multitool.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

medical-m.gl.at.ply.gg

dns

Multitool.exe

68 B
84 B
1
1

DNS Request

medical-m.gl.at.ply.gg

DNS Response

147.185.221.16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e126bbae0f54ff1087e2302e5e713a07

SHA1
3e55efe00eb3db4f8a64dbf1a39173bf1e6dddd5

SHA256
117ada3ac9de54a7a423f4f5731956a06a2355bcce572b1fe9901bd9c00e7de3

SHA512
d3aa8ba4bccec31576da1de9bdc4ea826362f38bf126cab8752c71b145c01284b5d85fbfca890e7b9ff50ddf432f774b480741b63df03ced68f9367298442cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d22d2680ec2da0fe16c1c71d777fa60f

SHA1
0ace5e556bcd3a4ef31635118568af5f10d3b9a1

SHA256
918cc2a0885af68e9663a54579189ea68b73edd10201b82ca7589960781d0771

SHA512
f23b55574c240db93c38087a837755e93daba3cdbfe74916d81ff9aa03570581013450073ee5f41242f11fb3fd5a50c32553dc83ac77586236811620dd4b73f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
838ca0cdab3aa7e41065dee09dbc3248

SHA1
4e7740ed9d53027e11eb53d6b7820abf9d487e21

SHA256
387234d4b46bd9db47b974af985ac5ae027bf3f0f0ad185df7be7a42380b00d1

SHA512
5c1a9d558ce2f1cab6da0bd9e51c98bb321668df4bcc3dfb6455469d198947d9ff28157bb29252d984f41a546d442749357b0057ff6367a966e9dc67a29f5325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f20529af0f4edb389eac4deb5e64133

SHA1
d64a689cc05c527b04c221d8177d256463770227

SHA256
fb347c31bcfb09ec35465af8faa2873f022a536e182408fd4b92193ff626b2b7

SHA512
f39c1cb15395dbec63640583dfec5293fb4d860660d201f201b656119dc5dd3cc76e8663227a79ed3e5644a27e196b8ada786990323aac7d43ae33617e0e6ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ff0d721c7ede90c67856dd6d21aa7e4

SHA1
c0502b4c7ce6c0cd8b9dde94e46256ca6b9509e2

SHA256
6fa4a8c696a95f24e4f10d89f802c54c8b4e4fc57e1eac33ab7bf5b1fbe16686

SHA512
4f1a3b84082f9c714583722035f705b6ba1ed1807863c2778bc88dd5d0d6c78cccfeef099438aa41550ab89b387dfbdc8446f7993ed8062b4e4f5ffe9264d9be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e96cde4524b8cf4f0ea6b2ae4e798dd

SHA1
41fa3e0a07931cd2c7dec274f19b4c85d6062d26

SHA256
531b33ca2d2d069217adbfe3c6cc0f5e7998b16d916fb2713a79f868b8f2b3da

SHA512
5b079bd0cef866d69c54ad8f50b11e4c71a1bd9eda8e2b9c13d31c10595e163f94e31f60feac3be1c4e6f19fc79045811160a527af2d1e7057c9e3dca9606988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98efb43b5e2139a09ad8d2a55dcc684d

SHA1
184a9e21a1caa283f48c92ea9b825f08c6069a3b

SHA256
8d14ae75abe4151175e6448a50f4f4ee0617895ae99af368d9c0ff8d79360581

SHA512
718612c02c078e5e1a515d7964e7a1365da4771f5b086d239f570f51e70fcc5bdbb0766d189790b9ca71b5f4f7f8669d8701c3915ff2ce51a56924c17af3f5fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c79670a321b0be9bc349979b9c0fd7a

SHA1
6b5bd14f95dec397a3c7ff09f3160cb55efa640b

SHA256
cc4284f2c42ecb74c3bc8f8c42617ba2cb77f94cf1c7e2ed660e00fc614b5a12

SHA512
2e7fb6cca04ee24c0ccd64b77419cc052f47859f31e8d7a3c68940ed7a2338390e0aca9e84a98d9ac0bf84df133bfd9246140975200634886446d006cbf038aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10c11c7cc770f3d57597945d3e0eb9e

SHA1
fc55c73155886f2b96a80a7358854098c6fcadc2

SHA256
315e80cf02741453b012395f427e2a4b95b58b81e55d79080b321f41f8739425

SHA512
fc43d471640178b50aebaf79896e1cf3c18a79777b894702c396d08f5b67a0f90d1e52eaf5fb75edec3c4c0ed0cba5d50edcac6086ad298a83278ca9760bd282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d6b955073590b0a541b0b447a8accc

SHA1
18c1c49a744f96cf69f26461423ed07f338bd080

SHA256
05ccaab8697e33d0b18b3a99282677057f4a689fc90ea4e51a09c5f588ad11ab

SHA512
f161d7b4dcb58d8f4e43b991af3d6228f3930a8ec913b8bfda7f700c476db69518d57b6b5bf179e3118d09cbd16e7cd3e9361046cc1dbabae3e72b6d3adc0d9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8234c83035b1a53766f091d03d055ae

SHA1
1caa6b9b36166d2c84fef8c0a735953d8e341be7

SHA256
8b4ff047733b96e50cb2a0ef56434143ea9fa3eea4369b88f2ec250990ff1f5c

SHA512
883bc2a53d6a5227d1cc45f0419131ad92c010563cd3f955a0f8230477a35b6f0f71ca959577f22f4ff79880a81419a74ecddb4a4e886bbd3623664cdaae8e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f22b307f341ab32bfb9ad4ce779395be

SHA1
4f5b93216c00e785d0aa330e7f13e62af0009129

SHA256
fc6b6a70b73e0a5baa89b289be1076dac23235dc8a556350cfb3a9ab39442cc0

SHA512
a30f033cce3e56fb4874ae8b82828d05b3da2c7452526c94bdfed119c7284eb812054ade2e23e26cb89088674f64cb2d56564470b519f4d1f38c37f75811937b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9199a61210d9c31b16a004e7a9ceccfc

SHA1
da45c5b11f73363b3b06b3cb8a35d950a20ae492

SHA256
8d142cb4db10f2044dd912748055dc294f8f93d19c27da3f78bb79ca59ba0654

SHA512
1192412729570d46ab54ba4864e19d8931b63405c8f43750e217a3e2cc33a8756e71a49d95c86b7cde2bae64528bf81e09db728abc2bbd47f20a36a9bb966f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e567761102f3a78dcea05732d6c9bde

SHA1
452607dc65e83ad97283dc544e905cab6602dc99

SHA256
03d3badb23750d229ae136bd7ceef029ea70d93103885e52ab94550ffbe8870a

SHA512
0f3b9ca5b73c927680c3eec59a4c9680f454ee3337615a16fc0d78383d9d24f5810ca59aab6280bb51050c8976bc2e1203e55efeb85702b6d149952738027f73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
052d6076f8bbab8839bbd195ad6bdead

SHA1
b33e538e606644613b92e8641aee9212b125e2b0

SHA256
4024664414cd831f3980dcde02ac21015e9fc52fea78239f1eef2851b32ec2a0

SHA512
1cf2e97e79aa16cf278659ebd9e1492777ec7fab04a3b65137a2bb1fe8366909571a71ab80c9a6f1a17821837a6c1fc585d37a92e16c44b0fd7b03f9c5c56eb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e7036e875002a659180372d01c495fe

SHA1
9edd91d7e760eb73388ed8fa6f359379f22787cb

SHA256
59f5440a32500c4e448cb6301476b94b47d8662a45e17eb70689005d712f9acb

SHA512
46a67086994b5632eb799242a3744797581125932bc8c534b5901a1ea27d79d3a9687d453659e35b269622a92d3ff7095d94b10c2d3faa49d7b4222e4c44d575

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687edc1b4d8433bd8e23c8fa7879adf3

SHA1
d285e3087f06b8a47eab2dc39cef54fe4f3e5999

SHA256
f256eddd8305bc9d0790c79f5b15b9535aa300c5375d1d6f7fa30188ec4a573c

SHA512
153b64faac8498bc608463b4ee2b2876b7bab20f189e3e18714643245664d7d0d3a0df21c6e95dd4d0b5d5256c3ea7b81c4138c6c41066f2dd15b0401a94debb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4c0630c679d171362e01366a33103ce

SHA1
640fae462fd9bafd2e9d85d1e78dbcee50c13a4d

SHA256
0e14ebac6a73e9491e7a0b0dd15e27f9dd1af4f74cff6aae710fb4da866d81ce

SHA512
4b333e8d6e93fb27adf39197ff93ba9e784a781a07d083c2e20476e66b8664a8308c5ff3c7a909c1037648f2f37b4b9034ff2067056cd7b164a363b42c8ed0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7726.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll

Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll

Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll

Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll

Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll

Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll

Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutPut.json

Filesize
59B

MD5
c5c15e7b1aac854b1e92a4d1c2fb59b6

SHA1
1c10b459171d26546eafac69d5647e744d6002c8

SHA256
c148de684bfb4400bbb5e4239a4e5f28c7b068160de8ad852f7606365ce623a2

SHA512
85be142ac152717148fc5819494457c61b9a2c7b30643a3d98415305b79ade5d3ddb65ce7f6a684ad2973fbad72f5e05409344c0d445fb0e542d352305fdb42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar778B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll

Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db

Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45c02ca65b89f13533f0e7193f8d0ca5

SHA1
728d6b04922e9d00fda5e38612d4cab609f5b27a

SHA256
419383d3b7f68b3b7dd1bdf8acb8d11839b5240b279ee57e79b7028e1e9577f6

SHA512
e3e78e3f241736795f6e2dd47831089303b645e450d252fbcd33209053914505a0d27ffa8ca44ee7ae3521831e75b1e76bf5d42b724d1465d66b161446c5d9bc

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
640B

MD5
1ff4689e8688a48d978b6e3f46a0b7fe

SHA1
3fcfa319134a1abf6d38feb5fa27f10d32d163e1

SHA256
9acc3c4dc7d5437ded63a21f2751cdcbab556befd5c4e970e5fba98a46fd6c6c

SHA512
217533d7a5df7a606cc5b630725f77a7cff09b2358eedf0d9d25988a9825dfcf50ba19a19f8d787d9587f4713ee95044e2e786313aeb126e6b4e37dcad975732

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.ENC

Filesize
16B

MD5
b71c8cd21e9189a1e43cfa482b3ab84f

SHA1
6eb8286a351ba93c37ad1e6489545979351e12cc

SHA256
8f38a90bb263d3ea2a5054cb92679d8d164c285a818098adfdb0e37d9dce91bd

SHA512
2a060815605ac947ddc0e8877b86fb34d92f0d4f7e61e2bcceaa0c4c25af8b1e654b07f9ac171d1c092475fa27806ddc480fa3c43756a656c01c99d478751b73

Download Submit
memory/2412-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2412-217-0x000000001A690000-0x000000001A69C000-memory.dmp

Filesize
48KB

Download
memory/2412-34-0x000000001DC80000-0x000000001E154000-memory.dmp

Filesize
4.8MB

Download
memory/2412-33-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-32-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2412-1860-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2412-1-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/2412-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-7-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2716-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2716-9-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/2760-15-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2760-16-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.