xworm | aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939

Analysis

max time kernel
274s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 23:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

wave.executor.exe
Size

79KB
MD5

810d912112f579781879ada392b70a53
SHA1

247bc212d2d44184bae484049765240ac9fa5c32
SHA256

aee4ca6b2f3b07e85920f81b32acc5350d198439b181e997cd6a8e3ecbe9c939
SHA512

30fb6d77563a3a0d6b94a9ea9fc2f67c6dda3dc3ac2afd4e968ec998f2eabd1797d751fdac491a979e68301efc633c47fb2668a8abd0c5f0dcff6d12ed8ead0e
SSDEEP

1536:N/SpZjwaZD0YqEnwqaDrMk+bXxNEPZSBVGGmMRZOf4miljMt8xwR2:CEYqEwjrv+bB8DMRZOf4m8M+a2

Score

10^/10

xworm defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

daily-sexually.gl.at.ply.gg:25670

Attributes

Install_directory
%AppData%
install_file
Update.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2040-99-0x0000000000D50000-0x0000000000D5E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000590000-0x00000000005AA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wave.executor.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	wave.executor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	wave.executor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	wave.executor.exe

Drops desktop.ini file(s) 17 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	wave.executor.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	wave.executor.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	wave.executor.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	wave.executor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe
2040	wave.executor.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2040	wave.executor.exe
4392	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	wave.executor.exe
Token: SeDebugPrivilege	2040	wave.executor.exe
Token: 33	1444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1444	AUDIODG.EXE
Token: SeDebugPrivilege	588	firefox.exe
Token: SeDebugPrivilege	588	firefox.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
2584	msedge.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe
588	firefox.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2040	wave.executor.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
4392	OpenWith.exe
588	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2584	2040	wave.executor.exe	109
PID 2040 wrote to memory of 2584	2040	wave.executor.exe	109
PID 2584 wrote to memory of 1924	2584	msedge.exe	110
PID 2584 wrote to memory of 1924	2584	msedge.exe	110
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 4612	2584	msedge.exe	111
PID 2584 wrote to memory of 3904	2584	msedge.exe	112
PID 2584 wrote to memory of 3904	2584	msedge.exe	112
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113
PID 2584 wrote to memory of 1292	2584	msedge.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\wave.executor.exe
"C:\Users\Admin\AppData\Local\Temp\wave.executor.exe"
1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6bf246f8,0x7ffe6bf24708,0x7ffe6bf24718
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
    3⤵
    PID:2336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6609165617294154324,13345683907964804229,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:1256

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:3904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4392
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\CloseDisconnect.docx.ENC"
  2⤵
  PID:4776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\CloseDisconnect.docx.ENC
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:588
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {980eeecc-2779-4268-a032-62ae0992f05a} 588 "\\.\pipe\gecko-crash-server-pipe.588" gpu
      4⤵
      PID:4756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdf32310-fb0c-4722-8ef9-1228255bfc4e} 588 "\\.\pipe\gecko-crash-server-pipe.588" socket
      4⤵
      Checks processor information in registry
      PID:4220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 3420 -prefMapHandle 3440 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99e63b8f-137e-4d8e-9f9b-1169a2aca890} 588 "\\.\pipe\gecko-crash-server-pipe.588" tab
      4⤵
      PID:3668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 3204 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8764ceb4-22e9-475c-a2e0-00ef62daba2e} 588 "\\.\pipe\gecko-crash-server-pipe.588" tab
      4⤵
      PID:524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5192 -prefMapHandle 5188 -prefsLen 32338 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2cd4da5-66e5-47e1-a858-5401b4a12545} 588 "\\.\pipe\gecko-crash-server-pipe.588" utility
      4⤵
      Checks processor information in registry
      PID:5532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 3048 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b4fbfe8-447c-488d-acd1-6e52052287a1} 588 "\\.\pipe\gecko-crash-server-pipe.588" tab
      4⤵
      PID:5816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5552 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {450b3291-6531-4a80-9ab4-08faac6e95ca} 588 "\\.\pipe\gecko-crash-server-pipe.588" tab
      4⤵
      PID:5828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {574fece3-8fec-4668-891e-d4a0006f440a} 588 "\\.\pipe\gecko-crash-server-pipe.588" tab
      4⤵
      PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b353ca10ad4feddb0f30874e54c79ed

SHA1
77a6129da80c4f8ec1d45bb26b845a98c4863d8d

SHA256
0062a8a8173f63e6421c2f96d402a641765d300948d3ae6fb44b1b27576f30f5

SHA512
e64d63acf3c3279b21115d7752a4997b3776591ed5d6b3f36086077071a95f5126ac377ade44c6230198250a8593e3b2d912542bc1a3f718556884675a1afceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d6c3e15e179d017a547faf88e0b7f4f

SHA1
72702493f288f31a9824f2fb74df9a194c0b8a81

SHA256
85012f2a195deca7df1cce01f9bc61357d78f7aa608e98cc422c03a4aea53fd1

SHA512
3beb0d31905f1d232d19b54e85dd86d996409eede7701c0f2c505ab4d430a47c694fcfecb4df35ae9558d289ba4a2f33f61710c37756933a9342530c2c2f3f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
68c957912ad3c569beee20997f1f6bd5

SHA1
e6111c0bc4491c2e2f72fc23cdf94a9237eb1fb6

SHA256
7ee0bcd970cf0735130de13ee27b1d3438a546ffc1c05b2e1bae86ffdf544600

SHA512
21569c710cafb937464d94011b833105a4ee6becb8f373f176c0e2329ff7de4a35c32812c861617f2ae30672973b9061e4ce28d2829f51631cbd0f6e437dac84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d5390f76c7a972f89eda09e5fe1f3cde

SHA1
8789d3930653b89a216d2ebe66e7a1e23013c686

SHA256
1e3da9987c1653b15a8f50cb30510ccb4a5aec57acf591f45bc45273dff2787c

SHA512
be51b9b82ec9f6ba69884c4f4dff79c78910b92f2a501baa23ba4b5bc8a17e6da89e1e58ae35bbbcec1211dcbc70e3014fc878b80058d0425378ba586ba8e044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76955accb16567529d14c601e09a9524

SHA1
91208d3e93e646a8c41c9888d7133eec4ef4dced

SHA256
537a3684ac27c0f6911b87f06e533776d1e96e59ed1c0c8ef56fb15bd6aceb43

SHA512
84fc87ba72dd3f4ca27b6f7465ccd15a10b67b1f8782f46c7cc5128e7ce485cb045acae8ba0cc578b738aa7250511ade65c321ddfe1b983dda33aa9ce82c012a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
c90c1bce149b016c9bb3ecf15158a57e

SHA1
b195c650609910c6024128c64f0be2aebcf2230a

SHA256
0f5ff223cd59047f9b39d8327b86f857c78e9d11150eea8761c49ae801b05733

SHA512
ba27260167f8877309c82d9835beb10c17274194acc4ffb5d2a03f47b45c6caf442c86ff8b22e5ccad2ccc9f816bbad7b06a5596ffbbe9cc123a71cf15a78b35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk

Filesize
766B

MD5
64f4f9fcb8769c4f8671ec0b0b0d72ba

SHA1
2e453bd09e0a8e8f254009d5da6d2f405314a847

SHA256
28894d26bb2dab3bd36cd975ef5afbda947d2c2ce22e5e962966fb44cd6bb67f

SHA512
590f234d424bc20e3da9e3a9b1f3a789cc45d58986dd98c60b3a8285a196eeb013bb016859381254714924227fded4e6719d9c9c2c99aa010e40b4ea541ab943

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
6KB

MD5
acfdfea383655f276adbe894cf325703

SHA1
fa2021709b58ed9c8835fa48f10750935a6c5686

SHA256
127b6df588342d30795ff9fe655ad453d0f0263667b43955510695a066c6281d

SHA512
2ff81f652b998e40e13de4e7eabb4c6fb04509cbc12c60b018cd5ef8c3e28043ace7af6fac91fbb86e21c96f4ba2bbcc0bd7bd3c462316a87007eb1d93a9178e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f6f1035c4f602d9a1be7dd6cc2fb332b

SHA1
c2981e2224297e9b6d1b69520d5c90460699963d

SHA256
a2db1e9f768d9adfca1cfdd23e607c21e66767810bcb3262ff543b021300f9a6

SHA512
500c7b1a4d532d8eb5f8fbb28d1e6bb38926c498295462935fde6831c792afacbd087187003547165fb35109b77fa2a48ab5973ef0fb6e90ef5522c4b7f4d6d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\0cf29fb4-28f4-4899-bbe3-18cfc487cfec

Filesize
982B

MD5
217ca1f8e1d54f9a6713bff061e94b8e

SHA1
7a3b56bae51b9d689e2ed205edf460a8f3093e00

SHA256
3d5c2b4a8b0b1a0cce93d220df2e817cdf4a8da0c33a08cd62f23951b801e9ba

SHA512
1d1578f7bcb7f0759f203f775ab9ce5eeddeb5dde6c3b53c11606493e42ee1151d3bd226f0354bd95308ed8d5f390e64fa1b84311e907d78536e57e2170d0bff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\442ee0de-4ff4-4388-8d93-2a6ccb075172

Filesize
671B

MD5
00c4d80b5d0097b864201ca66b1527b3

SHA1
2df1cd671b0e38586b93fdc2016944f983b9de4f

SHA256
14ffd9286fb52dd6fe517beee10eac21839a76c6651be80b09f03cedceb970cf

SHA512
49334ebc01bd3de8f52bae262578e865f9d8eebc18e61d5d8466b170a2f79b183ba87078af56210ddfc130f36c6c1df57645b66ff29450c0cf31397b87e93678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\da90423b-e5a2-4202-9ec6-e4eba2aca174

Filesize
27KB

MD5
acae1f911e419615e21b00bbd7e8d78e

SHA1
082b893deac3099d86422fef9cdd12b3b8709f8d

SHA256
36ed7e9b50f614641de31edc229edd2bd10528409e91bf6df347db082e00e49e

SHA512
f59ed667826234ef2f2e15ff92da026e26c5318b17d7a18bbf06b531887de7ab9f40d26141627aa4722908fd33130c61aae77db259ca617df64954ac8e166c44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
9KB

MD5
5fc5daf76564b45870bfdd11e119201e

SHA1
d73981f3c2468a0dbaf06e121ae30a4b270c0899

SHA256
f413cd563be2458f44d58327a03e951b8651b8f8b7afb2bade7327a6530d1471

SHA512
cea74eaf766478a71707ebab6e74c913e0923c9c73cdc042a3f67896f64d7c46010aa6a3d7667f84485d51efaf9709ef7d080a8d609aeaacbadfe54ab909d884

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
10KB

MD5
a3a431705409e45d5bf2c5ac38b7f99b

SHA1
c117dd5dd59571f1a38ca476a03d3e9045fd7002

SHA256
3e87262d23f409cd7c11fd1ce378122836097b18c53cb6d69599f90eaa6b964e

SHA512
d5accec3581a9702bfeec85344fa8fc32681fd618c5fd3967e20f84ac9be5c65fcfa1e7888e91f721ca6b14af795d01e7ea32261987d3e7fca11db72b88f6950

Download Submit
C:\Users\Admin\Desktop\CloseDisconnect.docx.ENC

Filesize
14KB

MD5
4ba943568d9d6e8937ff60628175c516

SHA1
885a4445b2e0e17025fe5d53dcd827bace0e7493

SHA256
b4edaeab53b25695529724990c0625052c793362f8ed5f05879b2f1dccca5a44

SHA512
8bc37338e18b826f9ee3d354f71d0b16194dddd3ea0cc73c7b41420cda81b6db9639cb3b61b73f131e7aa76bb9b2ecc9fb5e189246c47fbe9e21cb2582d0bae1

Download Submit
C:\Users\Admin\Desktop\CloseMove.jpg.ENC

Filesize
298KB

MD5
62577c6105919c893ddbdf49ffc216bf

SHA1
a606a75f322ac63c2c54312606018467e1aad13b

SHA256
edf222e843fd505cbc2a3c7dd5b54b6449e59ba56942c95e84b2367f433cf074

SHA512
50aa38cc7c0b1c8bb17a488266b2bcbff3780396e3e649dbf714b209287df45615696325de9ac8ecfffe9045b173448e57872dbd610c2a93c18bfe60a0a0468c

Download Submit
C:\Users\Admin\Desktop\CompareEdit.aifc.ENC

Filesize
512KB

MD5
6ef7f92b0dd7c5793fcf7dc66bf36421

SHA1
3e256802ac4758e833d0d5ef58d262dc9c49f1de

SHA256
8e1337b0b56cf4ca00905a37dcc4f1740f1088f9fad25aaf5a4b35e958e81eba

SHA512
59b13767906206a757d893ffce45d6826a820b8859b9def90b5568ac6e0b9c5e6603caa08441373c37687262d1f937af976a6114aa78752682a2cc9817327ea5

Download Submit
C:\Users\Admin\Desktop\DisconnectConvertTo.docx.ENC

Filesize
19KB

MD5
58662cdede26081393e74781f910e4b4

SHA1
6cd7720f38431f3ce3b4f0119ee8a3600dedd5e5

SHA256
d4c53248f537b879e5c1e78b8f3ea83a6a7b09eb62f4fab5f744f9b219c0f413

SHA512
f423a75f3348d40a03fd0d822f9bb28036a88501748bd39537051be544558ece851406cfdf0e1ac389166b0c3c65115acb98670507e1a98babec5440437a6f6a

Download Submit
C:\Users\Admin\Desktop\EnableRename.inf.ENC

Filesize
426KB

MD5
bcc213a7c5dfae4ae829abc5e6a9d4ba

SHA1
285ab8a86fbc842cad15b4d7ee9dfa5e8f0fbb3d

SHA256
42ac36d1524ed68902dd1475e0d224578d4e262640ad1dcee7a2655b3f69a573

SHA512
b31590a04c95642bc24d690c662d38d6819e0c9a42cea05e4d16e465651cd0244243d148cc588f858ab30c89e883f0d72f14fe49df4428073dfcb9d09bc63d40

Download Submit
C:\Users\Admin\Desktop\FindConvert.bat.ENC

Filesize
362KB

MD5
34276922b5477e526eafebb2839199aa

SHA1
3a1b9495dcefd92dbe64c7aeea3377cd4596c0c4

SHA256
a3e1e10bc9f858aefce05d38e3b563de60025cb73db0532bd56f563bf17cc7c3

SHA512
8efab87407715b38b377fffefb7607e5f396f9d7be6b6304bd5fa083e43c265d16817ae6128f2166880e6c588345ebd7e520870b2eced2bf3945dd09cba0557b

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.ENC

Filesize
2KB

MD5
903973ce7214e69afb04f6aeece26022

SHA1
9e1f37c39e321ec8f2a130918154f1337d96dad3

SHA256
866b44a072b49d7b8fb19b43cd9021146ea9abc05d0f94cd5cfd611cedc6d8cb

SHA512
f100a0d35a58e72ce98b03e8ebba5dcbaf3464cd8c9466a124fcdd59f7c0682c7d7470aa1e0d48bfbbc38778cdbf99a79c74d06596887489458016b6eefef588

Download Submit
C:\Users\Admin\Desktop\MoveExpand.avi.ENC

Filesize
618KB

MD5
02aad50d1d7f8e29b905d5db988f946e

SHA1
322e685e2b05a7e428e0b2f68b4209477fc098bc

SHA256
4a1d9c9f37067f68bab0391cf3485638593a51f9fe6f2734b3c0c6a4e445c4cf

SHA512
aca0040cc96b6d5c7050823b7ee1323266df5e0f8a4b20d65007b30447b12e309e141ea23d5046f6a3399c7e0488421e8944885e47ea3341e26febb603b3eaf1

Download Submit
C:\Users\Admin\Desktop\OutEdit.M2TS.ENC

Filesize
725KB

MD5
0acff52ec3d631a668576f485d5893a5

SHA1
09a8afbd489ff3d1a0deb9980aa569a9be582b09

SHA256
e07c6666c3c349544212f57c276289b868b132632d2be25f727aa75d4a263116

SHA512
0b7314a92d1c916691e60817cb60368c6885671ebbd088d0bb8af3bdb6738cff2c731e911c4cb4954e015afbe864a9aa587b0e5b76f0e5baf8de03a3d9bf8e72

Download Submit
C:\Users\Admin\Desktop\ResizeRename.html.ENC

Filesize
448KB

MD5
36e287be490e787568ce694fb0452bf6

SHA1
d514f180be818f2e8808c6237fdabc08140677bb

SHA256
d1518a4e6b9bb0019cb3d9acd9c395f05f93138e4c3a5370817bbeb52017064b

SHA512
944d308e4ac83378501084dd561d4758e850da9f96a20d9157ec15d484f8f59d6d2956bec431e017e03aabdf77df41fefae6422433f5d4c72152fbe097e18d0b

Download Submit
C:\Users\Admin\Desktop\RestartMove.xlsx.ENC

Filesize
12KB

MD5
d127243d7b3ef173a04d6c6e96086142

SHA1
59de19e62f5ddc42395d0474a231c6b49c91c166

SHA256
69a1a4d58104ff432be36c54dfef9e27b8b74778a558df90d773891c601b626f

SHA512
89112dd66c03760285c68f7ee50bb3d108b04576b812a1df6bcffe1ad902e7c9c77317b1053b3045017689140219b0d879348a2953c35c6b4d631bbcd2d80c70

Download Submit
C:\Users\Admin\Desktop\ResumeOut.wax.ENC

Filesize
1002KB

MD5
67ccb5e2af77dc198b15d31459b2557f

SHA1
54769dccbf8e20b11c3599b933d1a59f52b6a546

SHA256
b210ed804432605867e759c47b8908f91af8bc0acc51300f4af8031fe4efda70

SHA512
39e5cbea9e993cdc3123e3f0809d80060c91d9a45e35dfbab5177d73c9bd6b68616a8f0acc0de7c00bde89687c8511d94511c649fffa0a286dca5dcee7b5385f

Download Submit
C:\Users\Admin\Desktop\StartRedo.vbe.ENC

Filesize
597KB

MD5
d3a7c9b9bd97bda1adaaac47aee00552

SHA1
6b4ce8d23a4ec6a3706e4425e08f78b1c1b39773

SHA256
6b601eb54ff983ce31623a7db2c345f0b28e4ad01b0d6eefd890b2882331b7b2

SHA512
0e59204d20dcb6d59b0b357571205e6fde26fed65367b52d985d4f990d673a2482e12047cc0860a926ddc90dc569a67be797a533f95dfec610d03597b3ceebb0

Download Submit
C:\Users\Admin\Desktop\StepRepair.wvx.ENC

Filesize
554KB

MD5
f95f77f6365282e3d4f739f4bb536327

SHA1
854a01f92e267c9c7be06be685bf0679da8582bc

SHA256
093185e1ca236e7fc732ba0af895e22416d3afae4aa2a40cbae4ff1c3ad116f9

SHA512
6d1b27b4d1617178ac2312274bdead43e48230d6195fff33835254165d60408b2031220c4f46aff1f4012493dd09428b3a96f0260fb17a51e62a2f333eb97574

Download Submit
C:\Users\Admin\Desktop\UninstallExpand.wmf.ENC

Filesize
405KB

MD5
ac97dbae55e64eb0003b4555ae809652

SHA1
26392b570a4952adbdfccf40c5fd61cd70f6c84c

SHA256
9a2fac7c26a8aae02433ed30a88488e4c2d4ac036e9d5a8603c20e7348524540

SHA512
d84294e34aba19d8fd9600eac8ea1150f24145174289a5562d0fb9012694d13eb4b9ed82f1e9910cc89631cf247402f7dc81137e84fb0176293a9f853ae499b6

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
fc0852590a01f242bcde4b10aeb4d392

SHA1
d2f527f8c16706b0c065ed09d66a41c5e5a1dab9

SHA256
5b936daad6292b0a107ade3ba5d1502b12abf25a37f79a69d69113586428680b

SHA512
864694f9a8405412ab527c51379f9c060425f340c7bf34a1f8883c0ec4a79653fc2c1dca022d007767a98a1a9bd5e8c6f82177acb793aa5eb3eb31a9481de04b

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
fb403f4c0a2f136a17f88d5b5c1e9b19

SHA1
91f288b1c4a287c69d0ab749587b2ee8331cf61c

SHA256
25dcb57716c31be9aa6520a99233cca5d931ad46837eddf427ada6a98f799e03

SHA512
ff5143a469252458c8a9a0d015b7198e5f11eba6639e69b8f7a3fc2cd924f6bb4f4238b37ceec246e8173fa8769b137c2dac381846db124a3419e0ed1ef5b96d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
784a575a09a0e4809a8b088d589125d9

SHA1
5089bae4b1bc72e256b0d83fd9aefdc4ebb143d4

SHA256
67ec237f8ff4c653457010e81444cb86b52be5fa65aba0da0458d288ad47bc42

SHA512
fe06ef8b36468201f82c1925c4b717327b2504a8e6d70942af8fb9ce0c5d6cd224769bd93707a9cb8e077f17ac943077eb2db4d36e72461adc7e5606bcdbfc41

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
c77306ee504f281e6069d721ebceb3e9

SHA1
ac733bd8a2f9f9c31e13a29f013de69caad07200

SHA256
9e67a1b951a1b11c4ae62dd958227f4d071177794e1d6ca6d86bfd33a2d24daa

SHA512
d93951a645967a1afc41a53d577562c3d3642edf91a3d0bb363b29dacbd82cfd854aaccd5c75ef41245865afa7e2ac22df222b627af22b3dfb3772acf11daf70

Download Submit
memory/2040-96-0x000000001D770000-0x000000001D7FE000-memory.dmp

Filesize
568KB

Download
memory/2040-97-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/2040-9-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/2040-98-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/2040-99-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2040-105-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/2040-0-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/2040-1-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/2040-6-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/2040-7-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/2040-8-0x000000001B0F0000-0x000000001B0FC000-memory.dmp

Filesize
48KB

Download
memory/2040-1198-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads