Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-01-2025 22:03

General

  • Target

    NetCat Loader.exe

  • Size

    76KB

  • MD5

    1a56b39b62cff3bf7a75a708f6a11762

  • SHA1

    180d91a57ebb95a81bfaa394bca35c123efa916e

  • SHA256

    ad34f6a17ee318591b59ac4fbc300c53808630e4f163b644a58eadc85057348a

  • SHA512

    b86dfa4287e283fd7e734cc3897589c2bb6b98e35f1c82a6ab50f271baf8a9748a125a6c04425ccdf93566ddacb453290a9a63e5fc0d2797b70fb70b6dac03fb

  • SSDEEP

    1536:JqDtM7DwroXh9bSQ6/jyrV9nmRWnXzWb6Alyj:EwblSlryrV9nmwPeyj

Malware Config

Extracted

Family

xworm

C2

194.59.31.87:1111

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 10 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
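The "Writes to the Master Boot Record" signature above only records that MBRPayload.exe wrote to sector 0; telling a replaced boot loader from a rewritten partition table requires parsing the sector. The following is an added example, not code from the report or from the sample: it parses a 512-byte MBR, checks the 0x55AA boot signature, extracts the partition table and compares the boot-code region against a known-good copy so the two kinds of change are reported separately. The two sectors it runs on are constructed for this example, and the function and field names are this example's own.

```python
"""MBR integrity check: signature, partition table, boot-code hash vs. a baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot loader code, disk signature at 440
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511; firmware refuses to boot without it


def parse_mbr(sector: bytes) -> dict:
    """Return signature state, SHA-256 of the boot-code region and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> dict:
    """Diff a captured sector against a known-good one from the same disk."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "signature_ok": cur["signature_ok"],
        "boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
    }


def _build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples (test data only)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    table = b"".join(struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for status, ptype, lba, n in partitions)
    return boot_code.ljust(BOOT_CODE_SIZE, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE


# Constructed baseline: a placeholder loader stub and one bootable NTFS (type 0x07) partition.
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
# Constructed "after infection" sector: the loader bytes are replaced, as a bootkit does,
# while the partition table and 0x55AA signature are left intact so the disk still boots.
TAMPERED_MBR = _build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 64, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(compare_mbr(TAMPERED_MBR, CLEAN_MBR))
```

On a live Windows host the sector is read with administrator rights from the raw device, for example `open(r"\\.\PhysicalDrive0", "rb").read(512)`; the baseline must come from the same disk before infection or from a clean image of the same Windows build, because the boot-code bytes differ between Windows versions and the 4-byte disk signature at offset 440 is per-disk. On a GPT disk sector 0 holds only a protective MBR and UEFI firmware does not execute its boot code, so an overwrite there is still worth flagging but does not by itself give boot-time persistence.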

Processes

  • C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NetCat Loader.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Users\Admin\AppData\Local\Temp\bsvbeb.exe
        "C:\Users\Admin\AppData\Local\Temp\bsvbeb.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\136F.tmp\PanKoza.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2324
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\MBRPayload.exe
            MBRPayload.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Writes to the Master Boot Record (MBR)
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\136F.tmp\MBRPayload.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1916
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1184
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\136F.tmp\note.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:124
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1964
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\136F.tmp\sites.vbs"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCTmub7HjR9Kc8Uh-Vy3eLaw
              6⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:676
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb95353cb8,0x7ffb95353cc8,0x7ffb95353cd8
                7⤵
                PID:3596
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
                7⤵
                PID:1804
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4700
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
                7⤵
                PID:2880
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                7⤵
                PID:4740
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                7⤵
                PID:4492
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
                7⤵
                PID:4512
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4972
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4152
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
                7⤵
                PID:932
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
                7⤵
                PID:4852
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
                7⤵
                PID:3624
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4424517233982750366,6045413078369188615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
                7⤵
                PID:1692
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\melter.exe
            melter.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1452
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1616
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im melter.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3148
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3752
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\Craze.exe
            Craze.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1212
          • C:\Windows\SysWOW64\timeout.exe
            timeout 4 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3172
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im craze.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
          • C:\Windows\SysWOW64\timeout.exe
            timeout 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4316
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\screenscrew.exe
            screenscrew.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4000
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3700
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\lines.exe
            lines.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1260
          • C:\Windows\SysWOW64\timeout.exe
            timeout 5 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4868
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\INV.exe
            INV.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4704
          • C:\Windows\SysWOW64\timeout.exe
            timeout 6 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4556
          • C:\Users\Admin\AppData\Local\Temp\136F.tmp\Craze.exe
            craze.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2684
          • C:\Windows\SysWOW64\timeout.exe
            timeout 8 /nobreak
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5084
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4868
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
      2⤵
      PID:3396
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4660
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4544
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2000
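The command lines in the tree are the most reusable part of this report: the Defender exclusions added through Add-MpPreference, the scheduled task created as SYSTEM with an ONSTART trigger, the DisableTaskMgr policy value and the forced reboot are all visible in process-creation telemetry (Sysmon event ID 1, or Windows Security event 4688 with command-line auditing enabled). The following is an added example, not code from the report, that encodes those four behaviours as rules and runs them over the command lines copied from the tree above. The rule names and the sample list are this example's own; the Edge helper processes are left out as noise.

```python
"""Process command-line triage rules for the behaviours seen in the tree above."""
import re
from collections import defaultdict

# Constructed input for this example: command lines copied from the process tree.
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\136F.tmp\PanKoza.bat" "
timeout 5 /nobreak
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\136F.tmp\MBRPayload.exe"
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
taskkill /f /im melter.exe
shutdown /r /t 1000 /c "It's Your final 1000 seconds to use Windows"
'''.strip().splitlines()


def _tokens(cmd):
    """Lower-cased whitespace tokens, so /RU and /ru compare equal."""
    return cmd.lower().split()


def _image(tokens):
    """Image name of the first token without path, quotes or .exe (e.g. 'schtasks')."""
    name = tokens[0].strip('"').rsplit("\\", 1)[-1] if tokens else ""
    return name[:-4] if name.endswith(".exe") else name


def _arg(tokens, flag):
    """Value following a flag, or None; schtasks accepts its flags in any order."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def defender_exclusion(cmd):
    # Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension. The cmdlet needs an
    # elevated token; the sandbox runs as Admin, which is why the report also flags AdjustPrivilegeToken.
    return re.search(r"add-mppreference\s+-exclusion(?:path|process|extension)\b", cmd, re.I) is not None


def system_task_at_boot(cmd):
    # schtasks /Create ... /ru SYSTEM /SC ONSTART: runs the payload as SYSTEM at every boot.
    t = _tokens(cmd)
    return (_image(t) == "schtasks" and "/create" in t
            and _arg(t, "/ru") == "system" and _arg(t, "/sc") == "onstart")


def disable_taskmgr(cmd):
    # reg add HKCU\...\Policies\System /v DisableTaskMgr: hides the running payload from the user.
    return re.search(
        r"\breg(?:\.exe)?\s+add\s+(?:hkcu|hkey_current_user)\\software\\microsoft\\windows"
        r"\\currentversion\\policies\\system\b.*?/v\s+disabletaskmgr\b", cmd, re.I) is not None


def forced_reboot(cmd):
    # shutdown /r: a reboot is what hands control to the freshly written MBR and the ONSTART task.
    t = _tokens(cmd)
    return _image(t) == "shutdown" and "/r" in t


RULES = {
    "defender_exclusion": defender_exclusion,
    "system_task_at_boot": system_task_at_boot,
    "disable_taskmgr": disable_taskmgr,
    "forced_reboot": forced_reboot,
}


def classify(cmd):
    """Names of the rules a single command line matches."""
    return [name for name, rule in RULES.items() if rule(cmd)]


def triage(cmdlines):
    """Map each matched rule to the command lines that triggered it."""
    hits = defaultdict(list)
    for cmd in cmdlines:
        for name in classify(cmd):
            hits[name].append(cmd)
    return dict(hits)


def score(cmdlines):
    """Number of distinct behaviours seen; several together is far stronger than any one alone."""
    return len(triage(cmdlines))


if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_CMDLINES).items():
        print(name)
        for cmd in cmds:
            print("   ", cmd)
    print("distinct behaviours:", score(SAMPLE_CMDLINES))
```

The rules fire on the attempt, not on its success: on a host where the user is not an administrator the two PowerShell lines would still appear in telemetry but Add-MpPreference would fail, which is the right thing for detection to report either way. Tokenising on whitespace is deliberately crude; it is enough for the flag/value pairs checked here, but a production rule should take the command line from the event's own field rather than re-splitting a rendered string.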

                            Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                              Filesize

                              2KB

                              MD5

                              627073ee3ca9676911bee35548eff2b8

                              SHA1

                              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                              SHA256

                              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                              SHA512

                              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              c0a1774f8079fe496e694f35dfdcf8bc

                              SHA1

                              da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                              SHA256

                              c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                              SHA512

                              60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              e11c77d0fa99af6b1b282a22dcb1cf4a

                              SHA1

                              2593a41a6a63143d837700d01aa27b1817d17a4d

                              SHA256

                              d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                              SHA512

                              c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              240B

                              MD5

                              f942fe04c84cd7be22319739b14cab87

                              SHA1

                              8c19d73e24d08862d49733adc5bcb482193522e6

                              SHA256

                              42b129733c9594b7fff94cf0cdae4bb8d9346b6b988aed8bb1e506ab20d0c620

                              SHA512

                              82c650e0b61bf0a4bb3519422889c9dd37b7bc8a2aafb6d1ffbc8e661b132a36fb6445ffc3c9325ec8c016de628f5faa65d190ca92ae44ac1a59e4db048717c4

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              a9ddb05ef87272fa598590df511de938

                              SHA1

                              d7ea0f20219291b9671e3eefbccbdfc253e4be2c

                              SHA256

                              37e2a4f755df5e4d228a7945167afbb332c64baaef21c14490afadf21f822cc3

                              SHA512

                              afff796a932a1344237a1d95e8c8e80a7a67f66111d4c629a2a9fbbacc8abf25ac51d1414c874da4a24111e97f692cbf1e9d22053bd694d834f84826f0f88364

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              c8422f2613591485c731643e1fabb6ac

                              SHA1

                              3fe2eeb140f5d5c40a2b7cccdc5a6e216bcea425

                              SHA256

                              d6e25ca18f92b70a0a76249e8de8822e7adbe1de248bc2118a3491f244d6023e

                              SHA512

                              5da6db7c4573c72d6f87350080a2f6d8c1e88d7859746580910296012d111c1041720ca08e54faf5af779001f6e2cb6ad2ce28c495c9e2c72fcd9f22bd9c9d4d

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              fc01272cc5e5a23baf184de7532af93f

                              SHA1

                              e8f1bf51ae90f3615fe71e7a626bcf14701c1b92

                              SHA256

                              1d6398946f26f0be1323700ca5fc425f3e11eb95b6833a0206a276939d9e6408

                              SHA512

                              5cf1cfa09b7f402ad4653c717c6f6e9cf51b08584819b2f8b17137c467043034e9bc0bc4c3eba78acdbf587bee6d3d99baaff3d6610fbd587d2afd312b9bb510

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              561757d37b31910731c4b5a461d2bd67

                              SHA1

                              0295afbd7d2466ea649e4945d589554383e304a5

                              SHA256

                              b64ea2435d1c331ae235880db3527edfed7b6128be7cae5a5e4abfa77ffc8696

                              SHA512

                              17d62bff69eb2994e16f8da7dd3c9bb835ee883efec1f10a1871e1a5624cff336fc928252f3209af4fc5f7402e83a6e3eb75fed28cf01191188475e4584f8080

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                              Filesize

                              944B

                              MD5

                              2e8eb51096d6f6781456fef7df731d97

                              SHA1

                              ec2aaf851a618fb43c3d040a13a71997c25bda43

                              SHA256

                              96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

                              SHA512

                              0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\Craze.exe

                              Filesize

                              202KB

                              MD5

                              ad27143d078706b7cadcbb3f63212384

                              SHA1

                              71e532c89954881636f8fe973b9ea035a9e2de6d

                              SHA256

                              0b86d60e99e9f4a3bfa60cd447ac62eda52428be564f777151c883fdf547fb26

                              SHA512

                              39d8abb4883d3db96a88e88ea76ec8cc6a11e8905eeba593789a08b7d26cf449d682b2537cda790b124e06dc94bede7a78477f941220fe47d3e7ffad3bf9868b

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\INV.exe
                              Filesize: 103KB
                              MD5: e079c468c9caed494623dbf95e9ce5e8
                              SHA1: 4d8d1d17e9d7ff455a5c69e048d7575b5a3ea0f7
                              SHA256: 8e217ce5670ac1021fdb6101372f9322f7ff82481ecd9badc104ff542e46128c
                              SHA512: d9c1a6f28c0c76b6856dec8723eb79d1b620a70b8ab3b5f028848e890a684beeb3460e310959c69f21cffb0a14751ea6cb719aacdbc2043121f057dd56f868a8

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\MBRPayload.exe
                              Filesize: 101KB
                              MD5: 3aa620597abcae5c26b71e21e15b9acf
                              SHA1: ed797bc834050bc108a31f1511102608943391c5
                              SHA256: 91f9327997754b0238caeff5cffced7eed3e13d5ac39dec87b329678bee8a145
                              SHA512: 562de36b77f6cf5a369c8b434fb5605ee4169fa50c6a4df4d22c1a64dfec39d779b1fc285407ab851ef27b33061159cb1bb548079fa0d0a3d2e10517f8ee0b12

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\PanKoza.bat
                              Filesize: 736B
                              MD5: 24f0349bbf490fea5eb3acbf54bd1ba8
                              SHA1: e3ca3514fe098b27dac66dfaa93e035fe6ef25f0
                              SHA256: 78c3005b4d5f500de7d540822cf2c334fc585a6a0d45da8c4af47f1500239899
                              SHA512: 4aac8a6652c1ff52c797344299f5f21746ff1769425bcdbbe4b04fa9363619e320811a8bf8ef0c18e7d0758f38d6a33249c14c9af4a3773da61bb2d7910fa26b

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\lines.exe
                              Filesize: 103KB
                              MD5: 50caeee44dc92a147cf95fd82eb6e299
                              SHA1: a6619a150a31f4c1b4913884123f5b5334e23489
                              SHA256: 81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e
                              SHA512: e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\melter.exe
                              Filesize: 3KB
                              MD5: d9baac374cc96e41c9f86c669e53f61c
                              SHA1: b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
                              SHA256: a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
                              SHA512: 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\note.vbs
                              Filesize: 123B
                              MD5: b41b06859fca8e157db46e6609e4a51d
                              SHA1: 8daa0836735347c030e641abdc277bbd66662c33
                              SHA256: f613aec542d7967cae9d01794b7061bce5083d68c825821a5b702e97f32039c4
                              SHA512: 4290d132c7c1ad154a3ade465e810e9fe4db5a8e0604a35d53e82a6482cd22fdd8ba74e97c0bc2e146e2bcf2ecc9afcc4e4e358e98b353168b67a71b71ced75c

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\screenscrew.exe
                              Filesize: 111KB
                              MD5: e87a04c270f98bb6b5677cc789d1ad1d
                              SHA1: 8c14cb338e23d4a82f6310d13b36729e543ff0ca
                              SHA256: e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
                              SHA512: 8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

                            • C:\Users\Admin\AppData\Local\Temp\136F.tmp\sites.vbs
                              Filesize: 287B
                              MD5: 5c5324b059b0abf1824a5223832b8479
                              SHA1: 145c596bd6bfc1bfbd1a5a2aa8e5f4b3cef4ef57
                              SHA256: 9fd517699e352ffb9fd73319eb1ec58e7e771457f6e7c1d715e0f57e1d37d733
                              SHA512: b8219eba1d34c83cc193b5ba2da8aa9dce4f8b221c9aac3a52256e6c2855b77be4270a629dec7e36c92652f9b5e4c1dbc84b91a3bcdca663cc3d728eada6c3e3

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ld4m0pme.1jj.ps1
                              Filesize: 60B
                              MD5: d17fe0a3f47be24a6453e9ef58c94641
                              SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                              SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                              SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            • C:\Users\Admin\AppData\Local\Temp\bsvbeb.exe
                              Filesize: 552KB
                              MD5: 4860c95131365be3bfa06efd3d95b7af
                              SHA1: 3bc68ad8b5725137ff85709988ef434088ae2c81
                              SHA256: 7bda3690420d2b0cf562713a67b95071d9b44ac01bfabe6cab4c4acbbaa04737
                              SHA512: 00dcca22cd2feeab004a44f8f61c8c67172c88ee4ff4fa8dd495d09606fb6f231be79c8a2707e1c8cc934ffda73445bdaeb05f5ba77034cfbce3a8af75c7f00e

                            • C:\Users\Admin\AppData\Roaming\System32.exe
                              Filesize: 63KB
                              MD5: 66bbe5829a613fedad7f79e2c6273448
                              SHA1: 57314396a65e08b7bfc5f0b8cdfa9a050579d9d9
                              SHA256: 72499a032c26ef7031b942590e4dd2e28d60b332620c7d2dc42bc4b70995e0dd
                              SHA512: 9b0ea0bb6a4a6ae75c6463f2bc3b5bd012a40a89f491868979230b850b948240b40326c703211edd349911e97a218bf77d01d06f254c33d83939c21a152efae3

                            • C:\Users\Admin\AppData\Roaming\Thanks For Using.txt
                              Filesize: 57B
                              MD5: f9cfd0c4da0a9a068f8a26ee31c85036
                              SHA1: ea75b71cfdf7364eacfafcaac0421f9c80a2b4e5
                              SHA256: e52f33ee65ceb7e5fe9cd47744888c089c37ba7dbadeaf345e75b5cadd43ee2d
                              SHA512: f81823ed92d8f5aa299d0164f59fb77a3af4c6a9ca5a98e0d4b33104ec7f15ef19037d4bb4f3b2c8c1ca156bac2253f5052eb801468db73d71a67b10405e4b51

                            • memory/900-0-0x00007FFB882F3000-0x00007FFB882F5000-memory.dmp
                              Filesize: 8KB

                            • memory/900-1-0x00000000003B0000-0x00000000003CA000-memory.dmp
                              Filesize: 104KB

                            • memory/1212-165-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/1212-137-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/1260-201-0x0000000000400000-0x000000000041D000-memory.dmp
                              Filesize: 116KB

                            • memory/1544-75-0x0000000000400000-0x0000000000423000-memory.dmp
                              Filesize: 140KB

                            • memory/1744-41-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp
                              Filesize: 10.8MB

                            • memory/1744-205-0x000000001C480000-0x000000001C48D000-memory.dmp
                              Filesize: 52KB

                            • memory/1744-172-0x000000001BC50000-0x000000001BD30000-memory.dmp
                              Filesize: 896KB

                            • memory/1744-18-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp
                              Filesize: 10.8MB

                            • memory/1744-207-0x000000001D190000-0x000000001D19B000-memory.dmp
                              Filesize: 44KB

                            • memory/1744-16-0x0000000000AF0000-0x0000000000B06000-memory.dmp
                              Filesize: 88KB

                            • memory/1744-203-0x000000001D140000-0x000000001D186000-memory.dmp
                              Filesize: 280KB

                            • memory/1744-204-0x000000001C450000-0x000000001C459000-memory.dmp
                              Filesize: 36KB

                            • memory/1744-206-0x000000001C8D0000-0x000000001C8EE000-memory.dmp
                              Filesize: 120KB

                            • memory/2684-220-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/2684-208-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/2684-219-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/2684-238-0x0000000000400000-0x0000000000474000-memory.dmp
                              Filesize: 464KB

                            • memory/3488-19-0x000002EDF6E00000-0x000002EDF6E22000-memory.dmp
                              Filesize: 136KB

                            • memory/3660-52-0x0000000000400000-0x00000000004F8000-memory.dmp
                              Filesize: 992KB

                            • memory/3660-212-0x0000000000400000-0x00000000004F8000-memory.dmp
                              Filesize: 992KB

                            • memory/3660-125-0x0000000000400000-0x00000000004F8000-memory.dmp
                              Filesize: 992KB

                            • memory/4000-200-0x0000000000400000-0x000000000044A000-memory.dmp
                              Filesize: 296KB

                            • memory/4704-210-0x0000000000400000-0x000000000041D000-memory.dmp
                              Filesize: 116KB