xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
104s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan upx

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3380-1-0x0000000000560000-0x0000000000578000-memory.dmp	family_xworm
behavioral2/files/0x0010000000023416-76.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4316	powershell.exe
4052	powershell.exe
4620	powershell.exe
3208	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	писька чит.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Executes dropped EXE 2 IoCs

pid	Process
5768	burbky.exe
6128	djzsen.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235a5-343.dat	upx
behavioral2/memory/5768-346-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5768-388-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	burbky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djzsen.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-384068567-2943195810-3631207890-1000\{12DC7B43-BF32-4624-B70B-BC6E35B77C4F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3208	powershell.exe
3208	powershell.exe
4316	powershell.exe
4316	powershell.exe
4052	powershell.exe
4052	powershell.exe
4620	powershell.exe
4620	powershell.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4048	msedge.exe
4048	msedge.exe
4496	msedge.exe
4496	msedge.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
3296	msedge.exe
3296	msedge.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
2312	identity_helper.exe
2312	identity_helper.exe
4976	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	писька чит.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3380	писька чит.exe
Token: SeDebugPrivilege	4572	писька чит.exe
Token: SeDebugPrivilege	4976	taskmgr.exe
Token: SeSystemProfilePrivilege	4976	taskmgr.exe
Token: SeCreateGlobalPrivilege	4976	taskmgr.exe
Token: SeDebugPrivilege	1436	писька чит.exe
Token: SeSecurityPrivilege	4976	taskmgr.exe
Token: SeTakeOwnershipPrivilege	4976	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4976	taskmgr.exe
4976	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4976	taskmgr.exe
4976	taskmgr.exe
4976	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3208	3380	писька чит.exe	91
PID 3380 wrote to memory of 3208	3380	писька чит.exe	91
PID 3380 wrote to memory of 4316	3380	писька чит.exe	93
PID 3380 wrote to memory of 4316	3380	писька чит.exe	93
PID 3380 wrote to memory of 4052	3380	писька чит.exe	95
PID 3380 wrote to memory of 4052	3380	писька чит.exe	95
PID 3380 wrote to memory of 4620	3380	писька чит.exe	97
PID 3380 wrote to memory of 4620	3380	писька чит.exe	97
PID 4496 wrote to memory of 2416	4496	msedge.exe	114
PID 4496 wrote to memory of 2416	4496	msedge.exe	114
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 2120	4496	msedge.exe	115
PID 4496 wrote to memory of 4048	4496	msedge.exe	116
PID 4496 wrote to memory of 4048	4496	msedge.exe	116
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117
PID 4496 wrote to memory of 3576	4496	msedge.exe	117

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\burbky.exe
  "C:\Users\Admin\AppData\Local\Temp\burbky.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5768
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2A42.tmp\2A43.tmp\2A44.bat C:\Users\Admin\AppData\Local\Temp\burbky.exe"
    3⤵
    PID:5256
  - - C:\Users\Admin\AppData\Roaming\fuck.exe
      fuck.exe
      4⤵
      PID:6076
- C:\Users\Admin\AppData\Local\Temp\djzsen.exe
  "C:\Users\Admin\AppData\Local\Temp\djzsen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4976

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=писька чит.exe писька чит.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab94246f8,0x7ffab9424708,0x7ffab9424718
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3556 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4945611527700115445,10769491697399765358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:64

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x338
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\писька чит.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3f72fa8e-96e5-45b1-a8e4-f92882a59595.tmp

Filesize
10KB

MD5
4ee89e2ec4e7998aa48556555250d3f0

SHA1
080cbedd88d6e190e7302b870f4663a8cd5cea6e

SHA256
99173cf71ef986ababed691814be8dd300b7d366ae5163e132515e02551df623

SHA512
09f16933f773e4e28a098a06f05c0cc87d965306a0077893a8735e95509755922f576d20e72ceba8436a3b7b3cea226a9ebc0df6c6ab8ac616d3aef1620aeef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
4a2961dddc7ca6732df1c0646aad5129

SHA1
ff0b7265d2bef3824709ee3000621aca2d2c8724

SHA256
58a974546a65196f726ac5dbc25f1048991e8347bd53e7449102048a5a0dd597

SHA512
82c889adccb748ea06ced5db14b7f3f94b980215d350d7cf5463ad05de53b0421e0bc7fe6d0d3897480b2cbd6f34e0126814f166adb59b7f0a1c9cf960e8a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
57a2cad51d8d7b47ea41db03c43a3ac9

SHA1
c1b400d83d1c330175158128f94f4deeb201ac1f

SHA256
c969b001f953da69a25d53412a92e676a63cd638f42a6588014bd7f0b1ab1478

SHA512
2ce712c3c5c3bde8183b2d3bce6d161ed53b6e4f3605856d323ce002fca19ebef7aa92e2afcbdb0926ffa7b85434a3efe97a527879e8d0c1b5d19182847fa8bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
20a677e373f26c144819f2c966776581

SHA1
18eab1c93c8fac189b448f003154897a40c768fd

SHA256
e2beeda6757251602a51e37149659fd6fc8b69543d969d1a721d91306a1b89b6

SHA512
81d62952719f6d83f1c859df90f4e0dce6afd615454c8b056aba0fdad8e92bce6c0baa49a1ab4bc3a399511ad33e63279a3427ec98a00ce21a85fe3ba6690677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fa2c989c8d09d2bf22debc6084f91e63

SHA1
f999a32a98200ae76d02c4a5f635c343d02a073e

SHA256
5a46946aeeb9add9f0c6951cd7de6bb1a69f932028d9b451a358a08eb55d486e

SHA512
fa078378bdf465814fbc1092e8c8f6267b74b6e738908896b6c262b448bb8041354d50f69bf218eba67db55d444bffca5c2549333167e6a337ad2368d0b5bd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
354192685d68517052007c62e00dc6d2

SHA1
0b5afdf0fa681d06e5e7774fd6348830c0f9a4ff

SHA256
251db40938fd92af8e90fe0ffc459e76117449d1b3fe4f3ca3d766a8f97e75c7

SHA512
c07106b726cb1f8dead2559a26460e7b0f4bab1751e058d87b50862f5d566a34f13c5ec2c417385ed604a97d5dbb0fb939e1007090d93aebbc2416e96ff40f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594a5d.TMP

Filesize
1KB

MD5
494a57864fab55730dab5382a9cdbe26

SHA1
8827733912581a182f4571befaaeb28f2bc4cbab

SHA256
1714a4acea61aa53e042c477f32f25ce3854fa49ca2df78abbd442ef8668c8ba

SHA512
f4744eab303f92861260fc1f87161c97074426434f9ce84c5af1ebafa1ae80c7639945fe348069476678029ccc75c0f46d47d875ded4afb6c1940f578c8bbca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ffe24accbbd840f489da2d46c353ce2f

SHA1
222b9e811c0371fa9634d34a0ddd6d8f505135e1

SHA256
d3e1facfd9717727959e54db25c20fd5d0a0cf2d5c2f6c6ff716c937e206728e

SHA512
797a5b8aeda7ce858137908d9f094e28ca00de035e33e9d9058686b21388edbbe6cc51ea57514e9dd9b69a843c347cfc73578b4efc02a890096b84e9ad0dcf3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65e4f01c24b55569d54d23b8efd0c8d5

SHA1
2c58f21418af8c0f1e118a7f3cf17d8448a8be64

SHA256
c1e9cf9a0865152d180419cb3ebc77538bdbdc9d1e633eb71ad6871fbc4d4763

SHA512
afaf0c200caba78650aee46bd62994c5becc073c22cb62404f783b257c78a72061e240b8678c38790b2cec1e41429161b13c6d92cc9817fe70e86abff5af2056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A42.tmp\2A43.tmp\2A44.bat

Filesize
30B

MD5
227fc8cd0abedbd965d1adb2791cdecf

SHA1
84c2f07c90825df70231e25fbd64b4a4e13b8129

SHA256
6d74cdd4d8206f83551619d9bd811135e82437294ad33360be77a7f5127689c5

SHA512
4fbf58d7a363c2335f6116a94b8f2368772943b3c98600276458a2ce555469159c64274c727e8c5f7f3f2fe38c3883dba05e6867341dda5a64c6c6cf6473e587

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_voarg43i.veo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\burbky.exe

Filesize
48KB

MD5
e4c3f8e4608d6415a8c1dbea81a56e99

SHA1
e65b6dbe02e7cdd7770bead3b18c5597a4d921d3

SHA256
5844c659c4ad02e5a5e38ae75ada3211202df32887f6a498e70cb90facb21288

SHA512
73c5d7a3e3e81b4105d5465de1e8f5a0cca81f059baafa03f75e23aa51b1980f62a30deb85bee4748ca7fbb8189b01eb02c992756bda6f8f55ac6eef80522ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\djzsen.exe

Filesize
7.4MB

MD5
3c3d1168fc2724c551837a505ea4374e

SHA1
86c913a12067fd2c1bbc31fb64a5b5d056175841

SHA256
f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09

SHA512
0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
4b083463989b6a8199613c8a02f47441

SHA1
1ed271d78a9938f1bcb91f175d5436fdd608d9e0

SHA256
f0e3d291f37a3147f59134ce93513c24975bcc5d32501d736825e083483b9907

SHA512
2b3b280e2faa091f05d5e9a11bbaf2cdcb6617420c27a7c5bd4b1444ad4b0788d02ea8d088bba7dffa923397797a6d1d976eec4d07842bbc8b34981baaf50c1a

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
71KB

MD5
ed3794861ddc34b4748ff8081e80cb2b

SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738

SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

Download Submit
C:\Users\Admin\AppData\Roaming\fuck.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\Users\Admin\AppData\Roaming\xui2.cur

Filesize
3KB

MD5
76ae0d99909ff5e882f659464b552af9

SHA1
2070613616dd9ca9fb8c60241e8c76ee903a9e6e

SHA256
fe85c8acb9f990d80096d6f6f77456b7ebdee159ef799193b3ec7ece02fd0ae1

SHA512
4726b5b5040480c5660ce6a4e93e9fe5539e3634085222155923ee0862e9b94966338989c9bb72d60e82c10dd17d72661af978127e764b7d484e55d7f42b385f

Download Submit
memory/3208-14-0x000002A4B6460000-0x000002A4B6482000-memory.dmp

Filesize
136KB

Download
memory/3208-3-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3208-4-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3208-15-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3208-18-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3380-57-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3380-1-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/3380-2-0x00007FFABCE80000-0x00007FFABD941000-memory.dmp

Filesize
10.8MB

Download
memory/3380-0-0x00007FFABCE83000-0x00007FFABCE85000-memory.dmp

Filesize
8KB

Download
memory/3380-58-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/4976-62-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-67-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-63-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-61-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-72-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-71-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-73-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-70-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-68-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/4976-69-0x0000015A72250000-0x0000015A72251000-memory.dmp

Filesize
4KB

Download
memory/5768-388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5768-346-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6076-381-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/6128-386-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/6128-376-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/6128-375-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/6128-374-0x0000000000750000-0x0000000000EB0000-memory.dmp

Filesize
7.4MB

Download