xworm | ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

Analysis

max time kernel
148s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetCat Loader.exe
Size

76KB
MD5

1a56b39b62cff3bf7a75a708f6a11762
SHA1

180d91a57ebb95a81bfaa394bca35c123efa916e
SHA256

ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a
SHA512

b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb
SSDEEP

1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Score

10^/10

xworm aspackv2 bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

194.59.31.87:1111

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000600000004586f-6.dat	family_xworm
behavioral4/memory/688-21-0x0000000000CB0000-0x0000000000CC6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe
4552	powershell.exe

Disables Task Manager via registry modification
defense_evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x0028000000046228-314.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	NetCat Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	cokwui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
688	System32.exe
2268	cokwui.exe
2560	MBRPayload.exe
3664	melter.exe
5196	Craze.exe
5460	screenscrew.exe
5520	lines.exe
5644	INV.exe
5876	Craze.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DCCE.tmp\\MBRPayload.exe"	MBRPayload.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBRPayload.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0029000000046207-56.dat	upx
behavioral4/memory/2268-65-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral4/memory/2268-193-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral4/files/0x002800000004622a-280.dat	upx
behavioral4/memory/5196-281-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral4/memory/5196-312-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral4/memory/2268-358-0x0000000000400000-0x00000000004F8000-memory.dmp	upx
behavioral4/memory/5876-360-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral4/memory/5876-361-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral4/memory/5876-365-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5c7289a1-2397-4a8c-974c-0ad23865a897.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250124220554.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cokwui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Craze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBRPayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	melter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenscrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lines.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Craze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
5440	timeout.exe
5536	timeout.exe
5668	timeout.exe
5888	timeout.exe
2528	timeout.exe
5212	timeout.exe
1136	timeout.exe
5476	timeout.exe
4660	timeout.exe
4372	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4772	taskkill.exe
5392	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	NetCat Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4220	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1584	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
688	System32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1596	powershell.exe
1596	powershell.exe
4552	powershell.exe
4552	powershell.exe
2464	msedge.exe
2464	msedge.exe
1236	msedge.exe
1236	msedge.exe
2252	identity_helper.exe
2252	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	System32.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe
Token: 36	1596	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe
Token: SeManageVolumePrivilege	4552	powershell.exe
Token: 33	4552	powershell.exe
Token: 34	4552	powershell.exe
Token: 35	4552	powershell.exe
Token: 36	4552	powershell.exe
Token: SeDebugPrivilege	688	System32.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: 33	5784	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5784	AUDIODG.EXE
Token: SeShutdownPrivilege	4328	shutdown.exe
Token: SeRemoteShutdownPrivilege	4328	shutdown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	msedge.exe
1236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 688	4408	NetCat Loader.exe	82
PID 4408 wrote to memory of 688	4408	NetCat Loader.exe	82
PID 4408 wrote to memory of 1888	4408	NetCat Loader.exe	83
PID 4408 wrote to memory of 1888	4408	NetCat Loader.exe	83
PID 688 wrote to memory of 1596	688	System32.exe	89
PID 688 wrote to memory of 1596	688	System32.exe	89
PID 688 wrote to memory of 4552	688	System32.exe	92
PID 688 wrote to memory of 4552	688	System32.exe	92
PID 688 wrote to memory of 2268	688	System32.exe	98
PID 688 wrote to memory of 2268	688	System32.exe	98
PID 688 wrote to memory of 2268	688	System32.exe	98
PID 2268 wrote to memory of 2532	2268	cokwui.exe	99
PID 2268 wrote to memory of 2532	2268	cokwui.exe	99
PID 2268 wrote to memory of 2532	2268	cokwui.exe	99
PID 2532 wrote to memory of 4660	2532	cmd.exe	102
PID 2532 wrote to memory of 4660	2532	cmd.exe	102
PID 2532 wrote to memory of 4660	2532	cmd.exe	102
PID 2532 wrote to memory of 2560	2532	cmd.exe	103
PID 2532 wrote to memory of 2560	2532	cmd.exe	103
PID 2532 wrote to memory of 2560	2532	cmd.exe	103
PID 2532 wrote to memory of 4220	2532	cmd.exe	104
PID 2532 wrote to memory of 4220	2532	cmd.exe	104
PID 2532 wrote to memory of 4220	2532	cmd.exe	104
PID 2560 wrote to memory of 1584	2560	MBRPayload.exe	105
PID 2560 wrote to memory of 1584	2560	MBRPayload.exe	105
PID 2560 wrote to memory of 1584	2560	MBRPayload.exe	105
PID 2532 wrote to memory of 2204	2532	cmd.exe	107
PID 2532 wrote to memory of 2204	2532	cmd.exe	107
PID 2532 wrote to memory of 2204	2532	cmd.exe	107
PID 2532 wrote to memory of 2528	2532	cmd.exe	108
PID 2532 wrote to memory of 2528	2532	cmd.exe	108
PID 2532 wrote to memory of 2528	2532	cmd.exe	108
PID 2532 wrote to memory of 4348	2532	cmd.exe	109
PID 2532 wrote to memory of 4348	2532	cmd.exe	109
PID 2532 wrote to memory of 4348	2532	cmd.exe	109
PID 2532 wrote to memory of 3664	2532	cmd.exe	110
PID 2532 wrote to memory of 3664	2532	cmd.exe	110
PID 2532 wrote to memory of 3664	2532	cmd.exe	110
PID 2532 wrote to memory of 4372	2532	cmd.exe	111
PID 2532 wrote to memory of 4372	2532	cmd.exe	111
PID 2532 wrote to memory of 4372	2532	cmd.exe	111
PID 4348 wrote to memory of 1236	4348	WScript.exe	112
PID 4348 wrote to memory of 1236	4348	WScript.exe	112
PID 1236 wrote to memory of 4252	1236	msedge.exe	113
PID 1236 wrote to memory of 4252	1236	msedge.exe	113
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114
PID 1236 wrote to memory of 996	1236	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
"C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Roaming\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\cokwui.exe
    "C:\Users\Admin\AppData\Local\Temp\cokwui.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\PanKoza.bat" "
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\MBRPayload.exe
        
        MBRPayload.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\MBRPayload.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4220
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\note.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2528
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\sites.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCTmub7HjR9Kc8Uh-Vy3eLaw
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffc892446f8,0x7ffc89244708,0x7ffc89244718
        7⤵
        
        PID:4252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        7⤵
        
        PID:996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
        7⤵
        
        PID:3544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        7⤵
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
        7⤵
        
        PID:4476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        7⤵
        
        PID:4716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
        7⤵
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        7⤵
        Drops file in Program Files directory
        
        PID:2708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6e99b5460,0x7ff6e99b5470,0x7ff6e99b5480
        8⤵
        
        PID:4860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
        7⤵
        
        PID:1072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        7⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1095284474126441647,10038041398302882473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        7⤵
        
        PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\melter.exe
        
        melter.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im melter.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\Craze.exe
        
        Craze.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5196
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5212
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im craze.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5440
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\screenscrew.exe
        
        screenscrew.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5460
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\lines.exe
        
        lines.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5520
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\INV.exe
        
        INV.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5668
    - - C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\Craze.exe
        
        craze.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5876
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 8 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5888
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
  2⤵
  PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xbc 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5408de1548eb3231accfb9f086f2b9db

SHA1
f2d8c7e9f3e26cd49ee0a7a4fecd70b2bf2b7e8a

SHA256
3052d0885e0ef0d71562958b851db519cfed36fd8e667b57a65374ee1a13a670

SHA512
783254d067de3ac40df618665be7f76a6a8acb7e63b875bffc3c0c73b68d138c8a98c437e6267a1eb33f04be976a14b081a528598b1e517cdd9ad2293501acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
254fc2a9d1a15f391d493bff79f66f08

SHA1
6165d5a9de512bb33a82d99d141a2562aa1aabfb

SHA256
2bf9282b87bdef746d298cff0734b9a82cd9c24656cb167b24a84c30fb6a1fd0

SHA512
484a1c99ee3c3d1ebf0af5ec9e73c9a2ca3cf8918f0ba2a4b543b75fa587ec6b432866b74bcd6b5cdd9372532c882da438d44653bd5bccdbc94ebc27852ff9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b3b20ee16f1748b9a9fd7b983dce01f9

SHA1
189555c2fe2f860a8899ac2c2c0bc558037e5946

SHA256
b1378860c18055f6d4e8dd8aa127194d6054fd5283a6c3d9a08ac9a9696095d9

SHA512
24f070bdf1d9329ff85bd7ac52b3de7d2ae577f7534fd18d450b3bb37bffa6d565cf4ef37c3b4386d1059526ae92945f4ec784aa81b781fdd583c1f81cb96b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5954fc.TMP

Filesize
48B

MD5
3b39e0c95ff7f605356481c0f1fb985a

SHA1
c035ea00e7ebe34d1d3dd517e022340887391c4a

SHA256
09e966322ce0517ac4169b62997d763dfa4d26b8add470c15827fec430dad840

SHA512
12141ffcfdb552cd93d45764fb513a578152022b3dede82fe745c100778e4b46a73107c5d562975b90726c2804522901e3ab98dd207278278b404ea35dce2042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19b58d3f4dff019c9c895e3685dd7464

SHA1
4fbe382c98817f3712b6aec87b367a1813f4104b

SHA256
b4a61ff8ad1028c0572de59a4d49b483fee7f5ef978a7a3aafaf5402a983c3c4

SHA512
ad82f59003d1caa60947d2a624103f42139c688b9f0c9c7935de98c21d203820dadbb9fb5d535b49048d5d45f06502e9cd6f35178b48a1859d724b37adc884fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
ea1d5ba4f25689922ca245f84fda7121

SHA1
c0db7bce35fa4d3961663c2df8c7410062121add

SHA256
40110b57aaec2eac84fa48fecf21af86b7b671933b8d6c688432f2bd389ef27f

SHA512
e569251272fe636d148428c1fcea4821319c5be63b8e46d5194467cdd6e9ca8b1efa899b58dd4aecd27dd0213555d4eb7b789fdc58ae377216d126c8bedf670f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1fb85ee68e5b6ae3479331f4d050376c

SHA1
852d9dd0e04e7a9db90649956c7cd122042d43df

SHA256
26dde639df8a7e45addd31ae2ce54c51ae5921d8a4d0b9df3e2fb9b4ab8f895e

SHA512
bbbedcce4611a7478f004f2d95218d97963ef0081b5b814e5ac52cac5e1edb02fa91fb14aef5f34211c926919937df90ef450c92ac8a07a6ad792fa27dc6225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
48febe0b0625901956573dfb2378e7ed

SHA1
c324173a8f8fd7a6a7398f6bb24dd2ee11d3cf24

SHA256
f0fae7ad33efdd05845d0d631ce8341ea4b6dfd4c45be844f0c117738df9c0d0

SHA512
fc38a0c64e67e3b5d43f787fe86f700e6f753d8e90bcebc446d4a8c631b9e4362a74fa862a5b2ffc74f3f5236d3ecf006b341042b5469d1cc24f2c325a607a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc3a0ca62cfef580ff9ebbb7afc92b9b

SHA1
fde9832ce521fcd53850d0701a543ef75b772e3b

SHA256
b0203fb7c3812937e92ac04ad6065a2129bc165a36a60a4d2fdb0accc4499464

SHA512
fc1f3a5bd2106d9b6ed5a678c2f4978550a0d7414172b0ce6954a835b0da01ac28c177955a48c2ef56ea3d517a6672474a9cab873aeccae3f22a45ccf2d070de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cc36caab770ef0038aa24dbdcec4373a

SHA1
308a1c02c7163ad682d815941428a22ff3e19ac1

SHA256
61bf92b8b1c9026bfd6ae04f90d7b34f9d6b006bfcd5ec490bd37cee548e6cb4

SHA512
61a1e9f9feb743f1fe5aa7045acbecaea60377f1112fe4dd3cd27922841ac86dd4443dd1d68fac6e495895f43c4f561890bdb55d3ce37f73767e23bf4aefca45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\Craze.exe

Filesize
202KB

MD5
ad27143d078706b7cadcbb3f63212384

SHA1
71e532c89954881636f8fe973b9ea035a9e2de6d

SHA256
0b86d60e99e9f4a3bfa60cd447ac62eda52428be564f777151c883fdf547fb26

SHA512
39d8abb4883d3db96a88e88ea76ec8cc6a11e8905eeba593789a08b7d26cf449d682b2537cda790b124e06dc94bede7a78477f941220fe47d3e7ffad3bf9868b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\INV.exe

Filesize
103KB

MD5
e079c468c9caed494623dbf95e9ce5e8

SHA1
4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7

SHA256
8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c

SHA512
d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\MBRPayload.exe

Filesize
101KB

MD5
3aa620597abcae5c26b71e21e15b9acf

SHA1
ed797bc834050bc108a31f1511102608943391c5

SHA256
91f9327997754b0238caeff5cffced7eed3e13d5ac39dec87b329678bee8a145

SHA512
562de36b77f6cf5a369c8b434fb5605ee4169fa50c6a4df4d22c1a64dfec39d779b1fc285407ab851ef27b33061159cb1bb548079fa0d0a3d2e10517f8ee0b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\PanKoza.bat

Filesize
736B

MD5
24f0349bbf490fea5eb3acbf54bd1ba8

SHA1
e3ca3514fe098b27dac66dfaa93e035fe6ef25f0

SHA256
78c3005b4d5f500de7d540822cf2c334fc585a6a0d45da8c4af47f1500239899

SHA512
4aac8a6652c1ff52c797344299f5f21746ff1769425bcdbbe4b04fa9363619e320811a8bf8ef0c18e7d0758f38d6a33249c14c9af4a3773da61bb2d7910fa26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\lines.exe

Filesize
103KB

MD5
50caeee44dc92a147cf95fd82eb6e299

SHA1
a6619a150a31f4c1b4913884123f5b5334e23489

SHA256
81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

SHA512
e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\melter.exe

Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\note.vbs

Filesize
123B

MD5
b41b06859fca8e157db46e6609e4a51d

SHA1
8daa0836735347c030e641abdc277bbd66662c33

SHA256
f613aec542d7967cae9d01794b7061bce5083d68c825821a5b702e97f32039c4

SHA512
4290d132c7c1ad154a3ade465e810e9fe4db5a8e0604a35d53e82a6482cd22fdd8ba74e97c0bc2e146e2bcf2ecc9afcc4e4e358e98b353168b67a71b71ced75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCCE.tmp\sites.vbs

Filesize
287B

MD5
5c5324b059b0abf1824a5223832b8479

SHA1
145c596bd6bfc1bfbd1a5a2aa8e5f4b3cef4ef57

SHA256
9fd517699e352ffb9fd73319eb1ec58e7e771457f6e7c1d715e0f57e1d37d733

SHA512
b8219eba1d34c83cc193b5ba2da8aa9dce4f8b221c9aac3a52256e6c2855b77be4270a629dec7e36c92652f9b5e4c1dbc84b91a3bcdca663cc3d728eada6c3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1nbapra.h0i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cokwui.exe

Filesize
552KB

MD5
4860c95131365be3bfa06efd3d95b7af

SHA1
3bc68ad8b5725137ff85709988ef434088ae2c81

SHA256
7bda3690420d2b0cf562713a67b95071d9b44ac01bfabe6cab4c4acbbaa04737

SHA512
00dcca22cd2feeab004a44f8f61c8c67172c88ee4ff4fa8dd495d09606fb6f231be79c8a2707e1c8cc934ffda73445bdaeb05f5ba77034cfbce3a8af75c7f00e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
3762648e5f9d5df01eb504112ad2a255

SHA1
2f339879d0fa85300f7f3ee01a841e3e50843e15

SHA256
4b0851460f6026054533f4f7d0ad6deded8f5da72d7b9f8169fe0157c23c1266

SHA512
4c145e2c05e0b8c2ef84bc5679177076db40821eca22abaf75706c052b283d0e2c9ed6d72df538e69001ae1bbe4628b6e2ff7a8b371c1abe7053cc11c8bfc77b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
888da3e3de40f8b530e036e7b27a144b

SHA1
498a535a51db06306e6319e6bfcf238835bbdecf

SHA256
d544391ca1ea1684f9ab0dadbc2e09c62a277ad9a6b2e0d95fdc3153e6498f66

SHA512
68b718026db6258c79a083ee2975cda77f51f7bc98c74f154f0167c52263b8b4f5bcb60570f3023e8664a0299ca8456f6faa13013796001f2405784dbb6a310c

Download Submit
C:\Users\Admin\AppData\Roaming\System32.exe

Filesize
63KB

MD5
66bbe5829a613fedad7f79e2c6273448

SHA1
57314396a65e08b7bfc5f0b8cdfa9a050579d9d9

SHA256
72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd

SHA512
9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

Download Submit
C:\Users\Admin\AppData\Roaming\Thanks For Using.txt

Filesize
57B

MD5
f9cfd0c4da0a9a068f8a26ee31c85036

SHA1
ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5

SHA256
e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d

SHA512
f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

Download Submit
memory/688-21-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/688-51-0x00007FFC8C9B0000-0x00007FFC8D472000-memory.dmp

Filesize
10.8MB

Download
memory/688-50-0x00007FFC8C9B0000-0x00007FFC8D472000-memory.dmp

Filesize
10.8MB

Download
memory/688-319-0x000000001E5D0000-0x000000001E6B0000-memory.dmp

Filesize
896KB

Download
memory/688-23-0x00007FFC8C9B0000-0x00007FFC8D472000-memory.dmp

Filesize
10.8MB

Download
memory/688-25-0x00007FFC8C9B0000-0x00007FFC8D472000-memory.dmp

Filesize
10.8MB

Download
memory/1596-26-0x00000255F3390000-0x00000255F33B2000-memory.dmp

Filesize
136KB

Download
memory/2268-358-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2268-193-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2268-65-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2560-91-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4408-0-0x00007FFC8C9B3000-0x00007FFC8C9B5000-memory.dmp

Filesize
8KB

Download
memory/4408-1-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/5196-312-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5196-281-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5460-342-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5520-343-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5644-354-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5876-360-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5876-361-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5876-365-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download