Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2025 22:04

General

  • Target

    NetCat Loader.exe

  • Size

    76KB

  • MD5

    1a56b39b62cff3bf7a75a708f6a11762

  • SHA1

    180d91a57ebb95a81bfaa394bca35c123efa916e

  • SHA256

    ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

  • SHA512

    b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb

  • SSDEEP

    1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Malware Config

Extracted

Family

xworm

C2

194.59.31.87:1111

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 10 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\xbvynl.exe
        "C:\Users\Admin\AppData\Local\Temp\xbvynl.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\FA08.tmp\PanKoza.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:328
          • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\MBRPayload.exe
            MBRPayload.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2856
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\FA08.tmp\MBRPayload.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:920
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1652
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FA08.tmp\note.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1440
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2348
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FA08.tmp\sites.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UCTmub7HjR9Kc8Uh-Vy3eLaw
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2044
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2928
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:734221 /prefetch:2
                7⤵
                PID:1796
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\melter.exe
              melter.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1560
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2168
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im melter.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2068
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:940
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\Craze.exe
              Craze.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1524
            • C:\Windows\SysWOW64\timeout.exe
              timeout 4 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2236
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im craze.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2000
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2328
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\screenscrew.exe
              screenscrew.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1856
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:1708
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\lines.exe
              lines.exe
              5⤵
              • Executes dropped EXE
              PID:1748
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:1204
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\INV.exe
              INV.exe
              5⤵
              • Executes dropped EXE
              PID:1532
            • C:\Windows\SysWOW64\timeout.exe
              timeout 6 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2056
            • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\Craze.exe
              craze.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1740
            • C:\Windows\SysWOW64\timeout.exe
              timeout 8 /nobreak
              5⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2248
            • C:\Windows\SysWOW64\shutdown.exe
              shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2580
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
        2⤵
        PID:2724

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        072f842f0b0ecaea0d65724230e006d0

        SHA1

        0457d8c8b2d38f1b3437f758df5d995e815f66ba

        SHA256

        b8d1f14fb1436e5edd0e7b69c41868405618ccdbb9413fae5027c11a5bcb6ca7

        SHA512

        22a390861dfa45e097cb744dcfd76b59e01022cd5fce48ffb229d8f8db65ce00e0c0f99e038104945a05361dbe0cd798d29825f0a811cae7c1476a69bc188e7d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        33a6a358896788c45845701b06b77b57

        SHA1

        5e6539bb43a1ce43ceb495dc6d58b3dd4bbe4d93

        SHA256

        87f6b10d06fc09d658fc8189795bb6d51b0851e1b87f9194f011682e0a7a5d60

        SHA512

        e6ec5d0dad69d62cb84c8d17740ff0380462256ac2c8a66489adf4971acec3c53133f3f05184e83c5ad148241188754f72c9415e845096e1380326ce5a432388

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8a11ff2a889c7acfa183cfe3ff65b82b

        SHA1

        cd4ae1114d4b4d8ffed2b7bad27b791ada5c23f7

        SHA256

        a7269d110cf7dfc1cd5b2db2fb5a06ff88c6b1176117dd3fa6e80ee9ae508f4e

        SHA512

        604fd51bae6e415d85ce120d9e93a65116553453c250ce9f351f42151f17edcc1b0b8d2529927dc6c357e31425e0fe6f1ede5aeb99ce06ae38cfca8dd61998b8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        8c76b6d320c0dc750b8643c3ddc20240

        SHA1

        83c39f79091d97edc8be6c85d36b8e87b638d040

        SHA256

        e01738debe3eb13cf99e07e84e53d44f105b9f57cb948b1eb75a601fa49c583d

        SHA512

        9c6f3105e82e7b88c54b447903916c1ca01003ebb47d48d19200e2fe282e0d9eb70a3656026d474b972698f0d981721b4e5834772b1b2a0b38fe568ea11b60a1

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        6a618443272fb0fb38d08e3d4a797e6b

        SHA1

        128f778c406ab33fca107528d74cd601122aa2e4

        SHA256

        c6f7d366f64794c9aadcf9c778eb43647d1c8b4d3002c07ab998653704119746

        SHA512

        86b2dd7aaaa0fd8f79a4da4f0f95765fc8ce656507e99d39aabe30098ed0d7faa4cd8ffb824f409d9e94ce7cb4a77d2b54283629fd139c96d55004f9bcadbf00

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        4c73e7c098ad95f7939fcebad55f861f

        SHA1

        8a52efdc1c8fe4608faf39a7b19e4c53785bd2f5

        SHA256

        d447392265158655a9cacd4c795d7d9f87a6be49687df5cde4426bc8a05f52af

        SHA512

        11dfaa0296fedbd91d9ceeb3fafb533c0b3bd7ff51e8210fed17cdc3150353f0bb7f56416acb40cb731a180b6bef4a6ec0f551da719d506affea5fc2c092847b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        5e2a810b8175b2958386529f8ae306b3

        SHA1

        96d623f2b48f4ab12b599314f88d270ee90b0189

        SHA256

        f0d8172e907ae9451a33ab74e2275ad1341cee79b35e4ce7004580c7a3265f76

        SHA512

        fae0e2c902079783475c754e4f0a0836c977ccccbe84169a4afd4c4c104870b2fec55311ec6a6e3154dad8a94b9e3f9d22405195f98d7c30377362426cf25050

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        1f3d2594c1e4acb86044131002744af0

        SHA1

        1bf4bd50bb873a07f222337dd92f6a9bf387dce4

        SHA256

        857f1090607c93e772fc53c8575daec67b2fd36f196c57bb16d190cf3fafba51

        SHA512

        dc30d97ba63a0dedfdab55a3b6f68c0d1a563fe1827d02fcc58c31ee6cb048c9d39decfac5c44c95cb869c4b91152a45d2f38b73697d0905dcd58439210a7954

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        380c4d45a5f81c29cdb846dd9222541b

        SHA1

        c1ec3385784bf6863aa67dee78852107bc4f1d31

        SHA256

        5283664a71892e32fac056e659f2bc185196d2f6d7581a965314efe37e1b2a72

        SHA512

        47ba2b86d302fadefc74de6f00a6a6d5f2dfc94ee92a9abcaed7e1c2739e284a81708405756386b69f817179602a9901266357e9434130f526544e67d82fff5e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        31290369798b206de50761cdee8442a3

        SHA1

        6c6fa91c4f84d1dd4e066a276c529c25164d2933

        SHA256

        1ed2edf83c90dc1f5d78ea60100e651f2a2c7f38a09ff6e01b36db83c812b8b1

        SHA512

        6cb9e28b570999a9a148b82d2110dd86c39222d620a0de66c4df06427a59222eff9e04d24150938ae4f114875ff73a281f2bf44bdee837e28b36f7c3c4f73e1d

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\njqq61f\imagestore.dat

        Filesize

        5KB

        MD5

        f20a2f263d28646e67381a2100f083c1

        SHA1

        1e64df710c5a5109dbdf83394ec94c154bef7739

        SHA256

        1da5b04eac7774859fb22b9e90907a5dfcc5f2c097924540c480ba0a25cb0b67

        SHA512

        64013a74f9cbb8b5f03241321a108fa159048172c71bda1d154617fa2d02b2a05d311e7752e1c6def755ea5309d5cc3e42e0b4e7ca86e3a0af16699e1fd95fef

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\favicon[1].ico

        Filesize

        5KB

        MD5

        f3418a443e7d841097c714d69ec4bcb8

        SHA1

        49263695f6b0cdd72f45cf1b775e660fdc36c606

        SHA256

        6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

        SHA512

        82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      • C:\Users\Admin\AppData\Local\Temp\Cab3F91.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\INV.exe

        Filesize

        103KB

        MD5

        e079c468c9caed494623dbf95e9ce5e8

        SHA1

        4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7

        SHA256

        8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c

        SHA512

        d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

      • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\PanKoza.bat

        Filesize

        736B

        MD5

        24f0349bbf490fea5eb3acbf54bd1ba8

        SHA1

        e3ca3514fe098b27dac66dfaa93e035fe6ef25f0

        SHA256

        78c3005b4d5f500de7d540822cf2c334fc585a6a0d45da8c4af47f1500239899

        SHA512

        4aac8a6652c1ff52c797344299f5f21746ff1769425bcdbbe4b04fa9363619e320811a8bf8ef0c18e7d0758f38d6a33249c14c9af4a3773da61bb2d7910fa26b

      • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\melter.exe

        Filesize

        3KB

        MD5

        d9baac374cc96e41c9f86c669e53f61c

        SHA1

        b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

        SHA256

        a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

        SHA512

        4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

      • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\note.vbs

        Filesize

        123B

        MD5

        b41b06859fca8e157db46e6609e4a51d

        SHA1

        8daa0836735347c030e641abdc277bbd66662c33

        SHA256

        f613aec542d7967cae9d01794b7061bce5083d68c825821a5b702e97f32039c4

        SHA512

        4290d132c7c1ad154a3ade465e810e9fe4db5a8e0604a35d53e82a6482cd22fdd8ba74e97c0bc2e146e2bcf2ecc9afcc4e4e358e98b353168b67a71b71ced75c

      • C:\Users\Admin\AppData\Local\Temp\FA08.tmp\sites.vbs

        Filesize

        287B

        MD5

        5c5324b059b0abf1824a5223832b8479

        SHA1

        145c596bd6bfc1bfbd1a5a2aa8e5f4b3cef4ef57

        SHA256

        9fd517699e352ffb9fd73319eb1ec58e7e771457f6e7c1d715e0f57e1d37d733

        SHA512

        b8219eba1d34c83cc193b5ba2da8aa9dce4f8b221c9aac3a52256e6c2855b77be4270a629dec7e36c92652f9b5e4c1dbc84b91a3bcdca663cc3d728eada6c3e3

      • C:\Users\Admin\AppData\Local\Temp\Tar3F94.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\xbvynl.exe

        Filesize

        552KB

        MD5

        4860c95131365be3bfa06efd3d95b7af

        SHA1

        3bc68ad8b5725137ff85709988ef434088ae2c81

        SHA256

        7bda3690420d2b0cf562713a67b95071d9b44ac01bfabe6cab4c4acbbaa04737

        SHA512

        00dcca22cd2feeab004a44f8f61c8c67172c88ee4ff4fa8dd495d09606fb6f231be79c8a2707e1c8cc934ffda73445bdaeb05f5ba77034cfbce3a8af75c7f00e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        9843405d0a5bb5361ce65c4ef61c553c

        SHA1

        60027d5f4f48bcfe366d2bb1231c404bf609f24d

        SHA256

        69f2ce3e2515243aaff30ee9e4b28fab302e568c69bb8f96c29af34a357bfadd

        SHA512

        4c5b42a7466ebf74088997a3746d51b6eeffdc64aeff659e4cb99a8495abd348f962f7425c12dca9ddd856f04cd29c5bf20f609b6bb805ecffa4518246b9a304

      • C:\Users\Admin\AppData\Roaming\System32.exe

        Filesize

        63KB

        MD5

        66bbe5829a613fedad7f79e2c6273448

        SHA1

        57314396a65e08b7bfc5f0b8cdfa9a050579d9d9

        SHA256

        72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd

        SHA512

        9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

      • C:\Users\Admin\AppData\Roaming\Thanks For Using.txt

        Filesize

        57B

        MD5

        f9cfd0c4da0a9a068f8a26ee31c85036

        SHA1

        ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5

        SHA256

        e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d

        SHA512

        f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

      • \Users\Admin\AppData\Local\Temp\FA08.tmp\Craze.exe

        Filesize

        202KB

        MD5

        ad27143d078706b7cadcbb3f63212384

        SHA1

        71e532c89954881636f8fe973b9ea035a9e2de6d

        SHA256

        0b86d60e99e9f4a3bfa60cd447ac62eda52428be564f777151c883fdf547fb26

        SHA512

        39d8abb4883d3db96a88e88ea76ec8cc6a11e8905eeba593789a08b7d26cf449d682b2537cda790b124e06dc94bede7a78477f941220fe47d3e7ffad3bf9868b

      • \Users\Admin\AppData\Local\Temp\FA08.tmp\MBRPayload.exe

        Filesize

        101KB

        MD5

        3aa620597abcae5c26b71e21e15b9acf

        SHA1

        ed797bc834050bc108a31f1511102608943391c5

        SHA256

        91f9327997754b0238caeff5cffced7eed3e13d5ac39dec87b329678bee8a145

        SHA512

        562de36b77f6cf5a369c8b434fb5605ee4169fa50c6a4df4d22c1a64dfec39d779b1fc285407ab851ef27b33061159cb1bb548079fa0d0a3d2e10517f8ee0b12

      • \Users\Admin\AppData\Local\Temp\FA08.tmp\lines.exe

        Filesize

        103KB

        MD5

        50caeee44dc92a147cf95fd82eb6e299

        SHA1

        a6619a150a31f4c1b4913884123f5b5334e23489

        SHA256

        81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

        SHA512

        e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

      • \Users\Admin\AppData\Local\Temp\FA08.tmp\screenscrew.exe

        Filesize

        111KB

        MD5

        e87a04c270f98bb6b5677cc789d1ad1d

        SHA1

        8c14cb338e23d4a82f6310d13b36729e543ff0ca

        SHA256

        e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

        SHA512

        8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

      • memory/1524-620-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1532-645-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/1740-649-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1740-660-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1740-643-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1740-656-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1740-650-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

      • memory/1748-638-0x0000000000400000-0x000000000041D000-memory.dmp

        Filesize

        116KB

      • memory/1856-658-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/1856-637-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/1856-662-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/1856-646-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

      • memory/2032-630-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2032-648-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2032-631-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2032-189-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2032-642-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2032-187-0x00000000023F0000-0x0000000002464000-memory.dmp

        Filesize

        464KB

      • memory/2136-1-0x0000000000CC0000-0x0000000000CDA000-memory.dmp

        Filesize

        104KB

      • memory/2136-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

        Filesize

        4KB

      • memory/2372-652-0x0000000000400000-0x00000000004F8000-memory.dmp

        Filesize

        992KB

      • memory/2372-31-0x0000000000400000-0x00000000004F8000-memory.dmp

        Filesize

        992KB

      • memory/2372-130-0x0000000000400000-0x00000000004F8000-memory.dmp

        Filesize

        992KB

      • memory/2672-16-0x000000001B5B0000-0x000000001B892000-memory.dmp

        Filesize

        2.9MB

      • memory/2672-17-0x0000000002230000-0x0000000002238000-memory.dmp

        Filesize

        32KB

      • memory/2808-24-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

      • memory/2808-23-0x000000001B540000-0x000000001B822000-memory.dmp

        Filesize

        2.9MB

      • memory/2856-67-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/2900-625-0x000000001B1D0000-0x000000001B2B0000-memory.dmp

        Filesize

        896KB

      • memory/2900-8-0x0000000000AF0000-0x0000000000B06000-memory.dmp

        Filesize

        88KB

      • memory/2900-10-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB

      • memory/2900-11-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB

      • memory/2900-25-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

        Filesize

        9.9MB