Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-01-2025 22:03

General

  • Target

    NetCat Loader.exe

  • Size

    76KB

  • MD5

    1a56b39b62cff3bf7a75a708f6a11762

  • SHA1

    180d91a57ebb95a81bfaa394bca35c123efa916e

  • SHA256

    ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

  • SHA512

    b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb

  • SSDEEP

    1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Malware Config

Extracted

Family

xworm

C2

194.59.31.87:1111

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 10 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Users\Admin\AppData\Local\Temp\vmavfq.exe
        "C:\Users\Admin\AppData\Local\Temp\vmavfq.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E21E.tmp\PanKoza.bat" "
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1744
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\MBRPayload.exe
            MBRPayload.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\E21E.tmp\MBRPayload.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1316
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:680
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E21E.tmp\note.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4512
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4456
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E21E.tmp\sites.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCTmub7HjR9Kc8Uh-Vy3eLaw
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2824
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85ad946f8,0x7ff85ad94708,0x7ff85ad94718
                7⤵
                PID:3564
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
                7⤵
                PID:4752
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1592
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
                7⤵
                PID:1440
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                7⤵
                PID:3448
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                7⤵
                PID:3948
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
                7⤵
                PID:4704
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
                7⤵
                PID:4276
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3392
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                7⤵
                PID:4148
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
                7⤵
                PID:5008
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
                7⤵
                PID:4384
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3253048343536918114,8813815593730654291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                7⤵
                PID:1372
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\melter.exe
            melter.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4160
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1540
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im melter.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4104
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\Craze.exe
            Craze.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3584
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:184
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im craze.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4996
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4004
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\screenscrew.exe
            screenscrew.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2800
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4716
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\lines.exe
            lines.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4104
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2836
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\INV.exe
            INV.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2184
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:60
          • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\Craze.exe
            craze.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2024
          • C:\Windows\SysWOW64\timeout.exe
            timeout 8 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:808
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
      2⤵
      PID:3956
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1796
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4308
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x41c 0x2c4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2976


                              • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\note.vbs

                                Filesize

                                123B

                                MD5

                                b41b06859fca8e157db46e6609e4a51d

                                SHA1

                                8daa0836735347c030e641abdc277bbd66662c33

                                SHA256

                                f613aec542d7967cae9d01794b7061bce5083d68c825821a5b702e97f32039c4

                                SHA512

                                4290d132c7c1ad154a3ade465e810e9fe4db5a8e0604a35d53e82a6482cd22fdd8ba74e97c0bc2e146e2bcf2ecc9afcc4e4e358e98b353168b67a71b71ced75c

                              • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\screenscrew.exe

                                Filesize

                                111KB

                                MD5

                                e87a04c270f98bb6b5677cc789d1ad1d

                                SHA1

                                8c14cb338e23d4a82f6310d13b36729e543ff0ca

                                SHA256

                                e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

                                SHA512

                                8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

                              • C:\Users\Admin\AppData\Local\Temp\E21E.tmp\sites.vbs

                                Filesize

                                287B

                                MD5

                                5c5324b059b0abf1824a5223832b8479

                                SHA1

                                145c596bd6bfc1bfbd1a5a2aa8e5f4b3cef4ef57

                                SHA256

                                9fd517699e352ffb9fd73319eb1ec58e7e771457f6e7c1d715e0f57e1d37d733

                                SHA512

                                b8219eba1d34c83cc193b5ba2da8aa9dce4f8b221c9aac3a52256e6c2855b77be4270a629dec7e36c92652f9b5e4c1dbc84b91a3bcdca663cc3d728eada6c3e3

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hiit0qs4.nyb.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\AppData\Local\Temp\vmavfq.exe

                                Filesize

                                552KB

                                MD5

                                4860c95131365be3bfa06efd3d95b7af

                                SHA1

                                3bc68ad8b5725137ff85709988ef434088ae2c81

                                SHA256

                                7bda3690420d2b0cf562713a67b95071d9b44ac01bfabe6cab4c4acbbaa04737

                                SHA512

                                00dcca22cd2feeab004a44f8f61c8c67172c88ee4ff4fa8dd495d09606fb6f231be79c8a2707e1c8cc934ffda73445bdaeb05f5ba77034cfbce3a8af75c7f00e

                              • C:\Users\Admin\AppData\Roaming\System32.exe

                                Filesize

                                63KB

                                MD5

                                66bbe5829a613fedad7f79e2c6273448

                                SHA1

                                57314396a65e08b7bfc5f0b8cdfa9a050579d9d9

                                SHA256

                                72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd

                                SHA512

                                9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

                              • C:\Users\Admin\AppData\Roaming\Thanks For Using.txt

                                Filesize

                                57B

                                MD5

                                f9cfd0c4da0a9a068f8a26ee31c85036

                                SHA1

                                ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5

                                SHA256

                                e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d

                                SHA512

                                f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

                              • memory/680-1-0x0000000000F50000-0x0000000000F6A000-memory.dmp

                                Filesize

                                104KB

                              • memory/680-0-0x00007FF85E3C3000-0x00007FF85E3C5000-memory.dmp

                                Filesize

                                8KB

                              • memory/1600-79-0x0000000000400000-0x0000000000423000-memory.dmp

                                Filesize

                                140KB

                              • memory/1644-56-0x0000000000400000-0x00000000004F8000-memory.dmp

                                Filesize

                                992KB

                              • memory/1644-115-0x0000000000400000-0x00000000004F8000-memory.dmp

                                Filesize

                                992KB

                              • memory/1644-212-0x0000000000400000-0x00000000004F8000-memory.dmp

                                Filesize

                                992KB

                              • memory/1732-25-0x00000158C5EF0000-0x00000158C5F12000-memory.dmp

                                Filesize

                                136KB

                              • memory/2024-219-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/2024-232-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/2024-214-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/2024-215-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/2184-210-0x0000000000400000-0x000000000041D000-memory.dmp

                                Filesize

                                116KB

                              • memory/2800-188-0x0000000000400000-0x000000000044A000-memory.dmp

                                Filesize

                                296KB

                              • memory/3584-171-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/3584-152-0x0000000000400000-0x0000000000474000-memory.dmp

                                Filesize

                                464KB

                              • memory/4104-198-0x0000000000400000-0x000000000041D000-memory.dmp

                                Filesize

                                116KB

                              • memory/4620-44-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4620-175-0x000000001DCE0000-0x000000001DDC0000-memory.dmp

                                Filesize

                                896KB

                              • memory/4620-45-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4620-19-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4620-18-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/4620-15-0x0000000000080000-0x0000000000096000-memory.dmp

                                Filesize

                                88KB
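The dropped-file and memory-dump list above is what an analyst ingests into hunting and detection tooling, and the memory-dump names encode the process ID, dump sequence number and the dumped address range, so the stated Filesize can be cross-checked against the range. The following is an added example, not part of the sandbox report or its tooling: a parser for this list (accepting both the compact "Label: value" form and the label / blank line / value form), a consistency check that validates hash lengths and recomputes each memory region's length from its start and end addresses, and a helper that collects the file hashes for hunting. The sample input is constructed from entries in the report above plus one deliberately inconsistent memory entry (PID 9999, an assumption, whose stated size does not match its range) to show the check firing.

```python
import re

# Constructed sample in the sandbox report's own layout. The first four entries are
# copied from the report above; the last one is a deliberately inconsistent memory
# entry (stated 128KB, but the range is only 64KB) to show the size check firing.
SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Temp\E21E.tmp\MBRPayload.exe
  Filesize: 101KB
  MD5: 3aa620597abcae5c26b71e21e15b9acf
  SHA1: ed797bc834050bc108a31f1511102608943391c5
  SHA256: 91f9327997754b0238caeff5cffced7eed3e13d5ac39dec87b329678bee8a145
  SHA512: 562de36b77f6cf5a369c8b434fb5605ee4169fa50c6a4df4d22c1a64dfec39d779b1fc285407ab851ef27b33061159cb1bb548079fa0d0a3d2e10517f8ee0b12
• C:\Users\Admin\AppData\Roaming\System32.exe
  Filesize

  63KB

  MD5

  66bbe5829a613fedad7f79e2c6273448
• memory/2024-219-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
• memory/4620-44-0x00007FF85E3C0000-0x00007FF85EE81000-memory.dmp
  Filesize: 10.8MB
• memory/9999-0-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 128KB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNITS = (("GB", 1024 ** 3), ("MB", 1024 ** 2), ("KB", 1024))


def parse_entries(text):
    """Turn the dropped-files / memory-dumps list into one dict per entry."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: a dropped path or a dump name
            cur = {"name": line[1:].strip()}
            entries.append(cur)
            pending = None
        elif cur is None:
            continue                             # text before the first bullet
        else:
            label, sep, value = line.partition(":")
            if sep and label in LABELS:          # "MD5: <value>" on one line
                cur[label] = value.strip()
            elif line in LABELS:                 # bare label; value is the next non-blank line
                pending = line
            elif pending:
                cur[pending] = line
                pending = None
    return entries


def fmt_size(n):
    """Render a byte count the way the report does: binary units, one decimal, trailing .0 dropped."""
    for unit, scale in UNITS:
        if n >= scale:
            return f"{n / scale:.1f}".rstrip("0").rstrip(".") + unit
    return f"{n}B"


def check_entry(entry):
    """Return a list of problems; an empty list means the entry is internally consistent.

    Memory-dump entries get pid / dump_seq / start / end / region_len added in place,
    derived from the dump file name.
    """
    problems = []
    for label, length in HASH_LEN.items():
        value = entry.get(label)
        if value is not None and not re.fullmatch("[0-9a-f]{%d}" % length, value):
            problems.append(f"{label} malformed: {value}")
    m = MEM_RE.match(entry["name"])
    if m:
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        entry.update(pid=int(m.group(1)), dump_seq=int(m.group(2)),
                     start=start, end=end, region_len=end - start)
        if end <= start:
            problems.append("region end is not above its start")
        elif "Filesize" in entry and fmt_size(end - start) != entry["Filesize"]:
            problems.append(f"Filesize {entry['Filesize']} != region length {fmt_size(end - start)}")
    return problems


def hash_set(entries, algo="SHA256"):
    """Hashes to hunt on; only dropped files carry hashes, memory dumps do not."""
    return {e[algo] for e in entries if algo in e}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e["name"], "->", check_entry(e) or "ok")
    print(sorted(hash_set(parsed)))
```

Feeding the whole list from the report through `parse_entries` and `check_entry` reproduces every stated memory-dump size from its address range (for example 0x474000 - 0x400000 = 475136 bytes = 464KB, and 0xAC1000 bytes renders as 10.8MB), which is a cheap sanity check before the hashes are pushed into a blocklist or SIEM lookup.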