hxxps://github[.]com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/PankozaDestructive%202[.]0[.]exe

Analysis

max time kernel
28s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/PankozaDestructive%202.0.exe

Score

8^/10

bootkit discovery persistence privilege_escalation upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	PankozaDestructive 2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wscript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
5196	PankozaDestructive 2.0.exe
5704	MBRTrash.exe
5820	1.exe
5832	2.exe
5884	3.exe

Modifies system executable filetype association 2 TTPs 34 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBRTrash.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b87-50.dat	upx
behavioral1/memory/5196-89-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/5196-111-0x0000000000400000-0x00000000004FE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PankozaDestructive 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBRTrash.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0163-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0214-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ELMFile	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ExcelWorksheet\NotInsertable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CID\99bdfb60-e22d-46b0-a021-b577349c638f\Svcid	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.faq\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jav	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cgm\PersistentHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\.bmp\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mspaint.exe\shell\edit	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0344-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\CLSID	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0088-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0292-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.crl	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{047ea9a0-93bb-415f-a1c3-d7aeb3dd5087}\DefaultIcon	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0265-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Edit\ddeexec	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\.oga\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0180-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0242-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475E}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0099-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0148-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\DVD	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0075-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0082-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0366-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0322-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{CC7BFB46-F175-11d1-A392-00E0291F3959}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\.fff\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0038-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.blg	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0128-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0335-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\manage-bde\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\Implemented Categories\{4FED769C-D8DB-44EA-99EA-65135757C156}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\DocObject	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 37852.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4780	msedge.exe
4780	msedge.exe
4828	identity_helper.exe
4828	identity_helper.exe
3424	msedge.exe
3424	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5196	PankozaDestructive 2.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2204	4780	msedge.exe	84
PID 4780 wrote to memory of 2204	4780	msedge.exe	84
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 468	4780	msedge.exe	85
PID 4780 wrote to memory of 4376	4780	msedge.exe	86
PID 4780 wrote to memory of 4376	4780	msedge.exe	86
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87
PID 4780 wrote to memory of 4728	4780	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/raw/refs/heads/main/PankozaDestructive%202.0.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb596c46f8,0x7ffb596c4708,0x7ffb596c4718
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- C:\Users\Admin\Downloads\PankozaDestructive 2.0.exe
  "C:\Users\Admin\Downloads\PankozaDestructive 2.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5196
- - C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\DC27.tmp\DC28.tmp\DC29.vbs //Nologo
    3⤵
    - Checks computer location settings
    PID:5396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DC27.tmp\z.cmd" "
      4⤵
      PID:5620
    - - C:\Windows\system32\msg.exe
        
        msg * your pc was destroyed by PankozaDestructive 2.0
        5⤵
        
        PID:5684
    - - C:\Users\Admin\AppData\Local\Temp\DC27.tmp\MBRTrash.exe
        
        MBRTrash.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCVTSRzzkAAtUZzX88xoMdhw
        5⤵
        
        PID:5796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb596c46f8,0x7ffb596c4708,0x7ffb596c4718
        6⤵
        
        PID:5808
    - - C:\Users\Admin\AppData\Local\Temp\DC27.tmp\1.exe
        
        1.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\DC27.tmp\2.exe
        
        2.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5832
    - - C:\Users\Admin\AppData\Local\Temp\DC27.tmp\3.exe
        
        3.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5884
    - - C:\Windows\system32\reg.exe
        
        reg delete hkcr /f
        5⤵
        Modifies system executable filetype association
        Modifies registry class
        
        PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,13263183279941756856,17177471441093240120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:6120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
31c91010c36d1322fe41b76d571651ef

SHA1
5c3b11f2cb7d4c7ae09b858bc4286f182d862ec8

SHA256
32a254aa292845e9cf5d8f19b9ae54322a75ef8f0db45ab23bda3dd01d281d24

SHA512
b241bb237b6d3db278411195fc8671e44a12af2a7b6d66103f9306b71e2167dd68fdd28cb4bf004ab17ccc722a06236e930838af8c24f04d4a072032aa08060e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfff543ddc65c6456a7a77cb628efce6

SHA1
8682a8739778198c635cf5b4b8b5a9cf148ca572

SHA256
8563ed4a1121b66a987ea2dd49c9a66f7b163d34e5063cf00e271e23919c13f6

SHA512
0a500057d94d29f327c9a437d107e93284ab6bc3bbfff11b6bba936568da6c5d911dce82844979ac2804b7cf6b75840b8455fbc702dabe9c90cd627bdb57db80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3e067945f99c4eaca7ef25b6a85791f

SHA1
695c825a381f79bae03a5f3e30a59922b6325080

SHA256
6304dae463aaf36c13adc2cb41a8661e30a9ece419680b3b35a24f6281c5d610

SHA512
63d80dd657f5a40d7611d31c86a4974bb37fa48ec6ecea9f70644b12ee146febf0d090eb931f6ea45a61896a0a86d7efd1d4750646837a4d81dab7453153a38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac985935ab529bb55f66302fbeb41fa2

SHA1
cbae1140cef3bba75d60868ba09eae4ad603a816

SHA256
f0b5e08e6d50af4d1fd7b04cbb7c22f2b1f4d50c54a0f7ee1679f2365633d333

SHA512
d761b29ff6343f028185fe35d1b6f22e486388801e25415b5883ec323d31385921dcfe196cd0468ef00298000fb442069ae82b4f9d5982c773afed3c54d5561f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b5613acf72f56c9da2acd48fd8ad663

SHA1
bc6483feb63b2800ae58a2475f0767fe875eac35

SHA256
19d7ac13f6393103311b5acfdb295562f50e8890f77e7bd1c008f058e384f64c

SHA512
52cbaf3a72e705167471a217c8f706e7e994cecfe664c5eca119718eef13937af3efc97b925dcb938f5f35696693af06e9c5348a09ee5dab2be83bd1cd469419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e7d765fb7380fce747b0dbb5b181813

SHA1
6294ab6739d68ec10d10a08b5de7b4f5352f4bb4

SHA256
9a679723695c7d50a5881fb36269c41f948d2e51a382eb8d29ccc1773588bc21

SHA512
da102b2ed445f685f40c258083b6a358832578e7f363f0d7943fa8cb18219b0a56dbf16db0899f10eabbcd140784c81a88910c814cb84d0651c5a21cc493c1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
36317b10af94492e54ddd6e0d95bafe6

SHA1
7a971d49691453b1c1aea596985b7eee918a45d1

SHA256
3de6c416c90d801ac58c57325966d4f074061837b271a6e9419b988eb5875615

SHA512
962139eac68a9346ca7545a3f53a11ec7fc26bb9171ef2bb29c3437e73de41149d447b59807b51c4ad04fea56e79aed6a1497dd5aa9f4268566d31727499e559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582a95.TMP

Filesize
371B

MD5
5eae6d20c85c8261b5f9d62b0a1ac8c1

SHA1
7048951540c3baeccc4666293f64874874575afd

SHA256
7a1b4621b8a8c1023b718a76356ab04c3bb64f4d3d47a8b21885a23af707457f

SHA512
1a3d223191901afd32d9caf96a6230105c3b0276d19726c3a0b2667bbed282d4ec27c60e304690b5c2e6c02a69957987c0cfd10d71ce431c00ee9c6a3c5de595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d7f9067d-36e8-4c91-8060-8f834724b7b2.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d5b1abcb02a635f3652e56cf844f5b2

SHA1
d113ca3aaab604370cd0ec1f29e81cd0ca12b371

SHA256
cfdae159365e7a728b7c8454216fbf3756da7f6308f66a2393ac46dc38ee9cd8

SHA512
a102b197281b28462b885681b57a52f0da289cebd01b150c0ae8b29c62dc1dc4db2086e3123a66a042af5196ad2456bace0440cfcc3bdf142c035c512937df5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\1.exe

Filesize
105KB

MD5
e3ad0fce5b7affbd427c44dbccf3a2a6

SHA1
20d123432852d8a0d0ddb8e7508fe0f57885d111

SHA256
c5518cf71337856ba8e39dabde1130a846d25a90f8ac6935e772cd38fdd628cc

SHA512
68f2fbab56eed7ca082a63b71a4faff132c7cca8ffc5f072d6a4003190dcb1d212bdeaa2aa618d3c29eb91c10bc706edd278cae37d5a1f057c32591569ae62fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\2.exe

Filesize
103KB

MD5
84a2c1994a66f68ea0de1ca54f2daf8d

SHA1
6ac5d9893549810063a7f3a4c11e3acfe7fff198

SHA256
a3f537d75fe7bee34ef70c0997c4dd003f1b463d6ccb5fcdb996a78a41f851d5

SHA512
43697a8813138e8d72678810842594b1669000683a5224ca274fff4c905717ae61d8c4300f8480bb56105dbc827b8c9fcedc10e1d0a7697a8bd92c72cdd6a769

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\3.exe

Filesize
49KB

MD5
6cefab6016b44454e094b35bc84bd948

SHA1
0413ea19c49c7572e5b5ed53d057442f1763bea2

SHA256
b7edad47d3eaff2ab66e6f25ddac676e86bbb477c54ed83aefefc8cad65d694f

SHA512
f55316fa5fdcbc489e36bbd778ab6ffabafabfcd0e5575327e07649a1549b6758859dba4e91fa3350b90de9da28b5af740a7914d58265e2ec49509423564e9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\DC28.tmp\DC29.vbs

Filesize
510B

MD5
109768b34b00dcb845bbe2e6b232f907

SHA1
01936f9faba2274ab97d23e150c4ae4be13a1e6c

SHA256
db25a503c58209a43df5f7af4bea2ad62943b00ad5ec70abc9223f5d6436456d

SHA512
f9b7dcc291f8e6d99f7e3fbbcc7589e5c8c4d3d883b543b7e30959b7b38be39287f26cfb5d4f34689bcc92a11572e689d7edd7fef09e4bf1b06776596aa62099

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\MBRTrash.exe

Filesize
1.3MB

MD5
1f7e6f09dd9e7c40ddf8993d73bbad0d

SHA1
e671e3225623efda87d61e025b20c791d8f4973c

SHA256
734f955f5cd99a47cd6e500efd96cf5e5aa4d420cda4f9ef170d6b1fa3eafefe

SHA512
e8c2046be890aa84a02a19a2f04c8d3546121f978895e286950b9091363f4c2a3d144314db2cc529a8a99333895590e3b786ed41264cbc1d7840aa770c152005

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC27.tmp\z.cmd

Filesize
208B

MD5
4b4ea7740ea13b18e73d9f958ea775cc

SHA1
27bae1aa5cd752bd52b8fa014360faa7153eb3b8

SHA256
58de6c1e7bcf4ce71aebbca0ddf2c81efde4f67a2a89fa8eb7d8e009e029f892

SHA512
444c4d8dff6b36013b621d3e06bb936bf3b7fe0d96ad72cda66c6216f10b8e0640832e50177a195d264212c8b79beec170b69d52db3be5f1bac651a5a0b954fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 37852.crdownload

Filesize
734KB

MD5
b172b2bcebd8e4797ceaf0503c5840ae

SHA1
ecaec7910a01b4a142741a0ff0d49c0a47acdfd1

SHA256
86b279800d7aa3025b59391f4f8bab2039c41258d0daf3d85365b0c3ddf05065

SHA512
f1e2a996be71155e1a101ad5e28c826ef61baaa4d5bb5a003b7038531e647d02438a4b82f67ab26d96c0b6af412b7e0b45b2568a8325beb1b90b81fb4266947a

Download Submit
memory/5196-111-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/5196-89-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/5704-115-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5820-168-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5832-203-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5832-169-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5832-220-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5884-170-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download