xworm | ea0cd48a7bbf5c3df7505631380715287c22db6cdb770dc36f211bba02bae59b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MasonClient.exe
Size

48KB
MD5

8f28ca9a926d19b481928e7943818c18
SHA1

c39af1be425a90eb806d2874ad210266f55f297c
SHA256

ea0cd48a7bbf5c3df7505631380715287c22db6cdb770dc36f211bba02bae59b
SHA512

2acdbfe077ebc93a50836c7a719646445e48bfb893c05ccc06260bc815b91e28b0f5cd478131be2a71e330621f50d7712a3169c4234e68ebb6d7367aac9fc789
SSDEEP

1536:Wt1VFdabn9SaSLxeQSoY7r8WnRzWnRYWnRVWnRyWnR899LSyYaW2ta46aXHWnRo5:m1DD3A5b3hbO1

Score

10^/10

xworm bootkit defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/6EU9ps8S

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4800-1-0x0000000000C40000-0x0000000000C52000-memory.dmp	family_xworm
behavioral2/memory/4800-3-0x000000001BAB0000-0x000000001BAC2000-memory.dmp	family_xworm
behavioral2/files/0x000c000000027c1d-6.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Pendulum.exe

Downloads MZ/PE file 6 IoCs

flow	pid	Process
76	4800	MasonClient.exe
76	4800	MasonClient.exe
76	4800	MasonClient.exe
76	4800	MasonClient.exe
76	4800	MasonClient.exe
78	4800	MasonClient.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	MasonClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	Smil.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	MatrixVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	Squidward.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\International\Geo\Nation	Magellan.exe

Executes dropped EXE 15 IoCs

pid	Process
4848	MasonClient.exe
2240	MasonClient.exe
756	Pendulum.exe
4484	Knuckles.exe
2544	Stalin.exe
2528	Squidward.exe
5160	Magellan.exe
5260	Smil.exe
5492	MatrixVirus.exe
5484	MasonSmil.exe
5848	MasonMBR-SLEEP.exe
5924	MasonRootkit.exe
6000	MasonGDI.exe
5244	MasonGDI.exe
5328	MasonClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MasonClient = "C:\\Users\\Admin\\AppData\\Roaming\\MasonClient.exe"	MasonClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
76	raw.githubusercontent.com
78	raw.githubusercontent.com
3	pastebin.com
4	pastebin.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Stalin.exe
File opened for modification	\??\PhysicalDrive0	Knuckles.exe
File opened for modification	\??\PhysicalDrive0	Pendulum.exe
File opened for modification	\??\PhysicalDrive0	MatrixVirus.exe
File opened for modification	\??\PhysicalDrive0	MasonSmil.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img"	MasonClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonGDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stalin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonSmil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonGDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pendulum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knuckles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MatrixVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5224	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3496	schtasks.exe
5340	schtasks.exe
6056	schtasks.exe
5276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	msedge.exe
448	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
3052	identity_helper.exe
3052	identity_helper.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe
5924	MasonRootkit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	MasonClient.exe
Token: SeDebugPrivilege	4848	MasonClient.exe
Token: SeDebugPrivilege	2240	MasonClient.exe
Token: 33	3480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3480	AUDIODG.EXE
Token: SeDebugPrivilege	5492	MatrixVirus.exe
Token: SeDebugPrivilege	5924	MasonRootkit.exe
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeShutdownPrivilege	3612	Explorer.EXE
Token: SeCreatePagefilePrivilege	3612	Explorer.EXE
Token: SeDebugPrivilege	5328	MasonClient.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
4800	MasonClient.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe
1648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3496	4800	MasonClient.exe	80
PID 4800 wrote to memory of 3496	4800	MasonClient.exe	80
PID 4800 wrote to memory of 1648	4800	MasonClient.exe	93
PID 4800 wrote to memory of 1648	4800	MasonClient.exe	93
PID 1648 wrote to memory of 4044	1648	msedge.exe	94
PID 1648 wrote to memory of 4044	1648	msedge.exe	94
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 3080	1648	msedge.exe	95
PID 1648 wrote to memory of 448	1648	msedge.exe	96
PID 1648 wrote to memory of 448	1648	msedge.exe	96
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97
PID 1648 wrote to memory of 848	1648	msedge.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1068

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1296
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Admin\AppData\Roaming\MasonClient.exe
  "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1524
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x458 0x3f8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1724

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2960

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3024

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612
- C:\Users\Admin\AppData\Local\Temp\MasonClient.exe
  "C:\Users\Admin\AppData\Local\Temp\MasonClient.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "MasonClient" /tr "C:\Users\Admin\AppData\Roaming\MasonClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff87b8446f8,0x7ff87b844708,0x7ff87b844718
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:3080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      PID:848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      PID:1752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:1192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
      4⤵
      PID:892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
      4⤵
      PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,13967021964952791682,9617378445497138073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\Pendulum.exe
    "C:\Users\Admin\AppData\Local\Temp\Pendulum.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\Knuckles.exe
    "C:\Users\Admin\AppData\Local\Temp\Knuckles.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\Stalin.exe
    "C:\Users\Admin\AppData\Local\Temp\Stalin.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\Squidward.exe
    "C:\Users\Admin\AppData\Local\Temp\Squidward.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\MasonMBR-SLEEP.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonMBR-SLEEP.exe"
      4⤵
      Executes dropped EXE
      PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6000
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp92D0.tmp.bat""
      4⤵
      PID:5152
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5132
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5224
- - C:\Users\Admin\AppData\Local\Temp\Magellan.exe
    "C:\Users\Admin\AppData\Local\Temp\Magellan.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5244
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5276
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5300
- - C:\Users\Admin\AppData\Local\Temp\Smil.exe
    "C:\Users\Admin\AppData\Local\Temp\Smil.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5260
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5340
  - - C:\Users\Admin\AppData\Local\Temp\MasonSmil.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonSmil.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:5484
- - C:\Users\Admin\AppData\Local\Temp\MatrixVirus.exe
    "C:\Users\Admin\AppData\Local\Temp\MatrixVirus.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKCR /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4948

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:740

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2736

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3100

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed05621b2a1e4a5665da21bfaf333a47

SHA1
4cd83a338b9bb2940b9cd9c3c8cc6a7638556579

SHA256
bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a

SHA512
775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\988c9963-84bd-4c9f-9203-50a65f6e7111.tmp

Filesize
5KB

MD5
20f807bf70b4ac279fc9c2d45eb46ea1

SHA1
a9db17c2b7ce6f52f6f36dd5e05f1fdc6a69c480

SHA256
d43521fbd08521b9965651a1d8e5e1c6c6510e655506faf2fe5f0cc9ba988e87

SHA512
90ae9924324e562c2c7be3a3f3d71caac3a4bd90518dd16c8b2515c1d3add40ef10e101c61f0dd9715df9e4e8d7ef523249f09fe78a7a64afe4b62dcf3473e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e66612a6f7e1eb2089f2d6b2cad46436

SHA1
58531a8c09f898b22f4699ae2d2d8ea0acf891bb

SHA256
15ce918459be46e87fae5f189e679b3c84dc5d19370d34258cddaa78472bda1e

SHA512
25ed8bf983eea22b96b69dac9f317ad417762d2038c3f6c33ac41e88e6ac9582e38e9941288f1e4f69dbdc655e0c1105735dae2db8411fdeee6717ea8f63a4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e06e0eabe13da96c0555c9f41f27680f

SHA1
aeb0ff83a4000fc3425afae51862c468d640d773

SHA256
41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368

SHA512
6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eee005bad8f2e3c778415c55abe1b053

SHA1
ee45eff5c0fec2918b718f5c44b91859e9b19d27

SHA256
cdc15c48d53c40b80c643904ec30855d0dc2c99b6fb53d95782379a3f27fc024

SHA512
0a3478fe2263896c9c81695fc51ccb73e84f96329cb217579c6aa921ef4d22a35ccaf5bb556b2f947b91cba23e2d9dde413f604f93827c21b32769dcd73759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knuckles.exe

Filesize
289KB

MD5
7e9d3109b138c0a67be983159fbbde98

SHA1
012308407fada7ecb5edfe4e067fa4d18acba424

SHA256
1f98a3f8852d28ed3b2f64e529c1ae1eafc5ef942a962ec89163f3db2744c8a4

SHA512
ac6a5a4ec87fe8770c1903f62d181f94366b2f9b3d3a4e8a04ec7f25b9e9d026762efc96ba5883474b9d1c2d0cca4a99e12f0343f6eac51af12d628a926a5e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Magellan.exe

Filesize
167KB

MD5
dcea41cf1d8e08ba9cf571fdb21f1db4

SHA1
da14f6d77d84da5e4290a28ce04e215d7cbfb937

SHA256
5f9c6b82e9f287d67b30c6edac1e8e606b6fb719206c88c5421846d48d64d271

SHA512
d094aad5cd856683e551a519039c183ba440052639f82c0fc9e9124714f4bd843f83fa5a400386add08ed30b1dfb51c095e0055c96f601bca0c18acff5bcaf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe

Filesize
61KB

MD5
2f9823efd49a6f8fc32ba52d75e620a4

SHA1
39f79bc2bba2f33f2e82da2dee4c8cf3be052b7e

SHA256
57eff2792a929b479b3e3bb9a25bbe750034dcba4213e2abb8865ff2268b53f6

SHA512
2f68ddb1d7d070f7d8675791f8ccc3b9d73236834f1bc787afdf1074d4d17601f77e53a98024a12e29119c5c38333cd7f6200a186e2ba96fc4186c86ca2cb6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR-SLEEP.exe

Filesize
65KB

MD5
f006d2343d121bd2043925e87063fde7

SHA1
402799473ca52edb826a37e0042456032db121f3

SHA256
de93250a0f249700407cd893e1b4d6b167c5e909b4b8f09cbefbbae473f4ad93

SHA512
707c803508308fa0d002aa31187476cf1b000118f9b0d89982ab60a674de09f028ae860c3dbdad9fa902ee4e9d0771f8fa79e356bb2ae8bf4f2c57d61f3e68e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR.exe

Filesize
93KB

MD5
03eadaa6ca74c654b50d544ead5350af

SHA1
383fdb5317129f46bc5ec164a481563d941f6ddf

SHA256
190e70e1df7f1b7b526c557c0ef0da3b67d3da130a56dc52666a65266b8146af

SHA512
404ea870675104ed57d8c87f380abcf2658e5e4c201dfe157dee0ab040f80f425395b5d74ed695f0b3bebdf9c178fe04827dbe5afa686932a24be99a3619f20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonSmil.exe

Filesize
161KB

MD5
2672a80cf701037e262f1bb55c5202b5

SHA1
fe35a751182023ea77e876a327d5e47f1e02885b

SHA256
fc18ac689568aea34f287e1ff20bfee7cfec3f3f626aab3d2c23a180969ae0a6

SHA512
e1356770d6e23795170d855ae8cecfa29521a0dee86993e45c875f6cde2f0682d79a56d5ba6ad5b88817e886e21485e5755960a80bafd59d2bdd175ce845237a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MatrixVirus.exe

Filesize
14KB

MD5
13e1f4bc5b116e4ec87f055715563193

SHA1
9eea7e9fce555b6c35730ec3dba29a13921f53f1

SHA256
5906dc7c3cd938b874cfb12cd9a14a6e72116c31385f4584f997f1544e3da492

SHA512
a53f446a2063684e401ad8c7da70ea7be4d23a2043341d9ab280dd36a1e91ef43b11ff510405125b957d88f5d9c7c00edb35977d8fe512e6fd0236f6447a030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendulum.exe

Filesize
219KB

MD5
25c10f0ddf7f592df6b8f8b4564d340f

SHA1
d438750f1420857237546b943b63a4b39b8ccefb

SHA256
5510587a96e59199167ed1ac5d7e53f22d0f702c01958e67f332e6a6685d8138

SHA512
b4bbc94a71853f1a9c4126a15ce35797e003028c7d0dde0fff82d0a8ab09c2949b29c8bacfe8962f009c5b2ef16f9de4e532098f1eec7e0cb7e3665a7e4aafd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smil.exe

Filesize
365KB

MD5
ea210a16c2cd0f7d84d3961bccbfe73a

SHA1
598a97e9c7aef20ccc65ed04aa9449564b53f48f

SHA256
f534bb9d7cc4c0f8abf8adcc592a328a64a902211ab66bafd9a0c7a333e86a20

SHA512
baad73a63e0e4c56bea3283f0072ff7682e37afa96403c99e714373ab49b20e990044f6a221a89d27fd8c763af06e7418886880d41cc557be9892daeb3877c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Squidward.exe

Filesize
535KB

MD5
82bf26203c5d76dfa3a591f1cb60d7b5

SHA1
93bf418f64ec701fd0d3232a00a167d04ba9a6d2

SHA256
2b6455abbf84755be4dcf840ebbfed9c480dced7bd74806bafee05465a5e752d

SHA512
6a896c274958467e18579affe68a2e0acb68ea633715920d244974765dbf577ce7558cb3dc467a69a656cb82c2f588565f71c4413b5dedc1005fba35303ed2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stalin.exe

Filesize
30KB

MD5
65f583c1c4322f11c7f947948d9c70fd

SHA1
b570e11c47d64af6b00a3b6f362e067144a692ab

SHA256
4f50bb2cd893f1f225e02f66ecf0765830f078265e81096dbf551589cc641d43

SHA512
da14e6ffc9ebb593f0f5fcf199cfe3db48fb16683ad617fddac27b49e2b911e35fbbde271ab7d82d702b80d3558c6ee25c3759d01dafa8c1229a1efee4f44fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92D0.tmp.bat

Filesize
161B

MD5
e2222921fed0ac3af69a44644d718b59

SHA1
e1bd411480ff0655e33265530bf00258b72714f7

SHA256
0efaac94b92101b506ca98a1adf731d917de4b6e0cb52089550457f9fb4ff242

SHA512
90565384c5c08a918d056375e8e9fb2eebcd28364b66be3dd8eddc4311a303548b57b7db9dd1651b54a24b44452cfb9b95ca446157101ac6cfa155a3a0abb852

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp932E.tmp

Filesize
873KB

MD5
7bfe4475c45768860615d6cdc19dc622

SHA1
d937f02f743833748dbc391211602c28f0eaca8f

SHA256
6a1e08d3a6759f42ea2480450bdf1f369bf50236ba1dc94cfddbf02b5dd7ecaa

SHA512
64bb4d4ebc82a7509ded16677592dacb862bfbdbb9c06a871f7d051aa7a5c67c5a5358ddd3f44ca7922fd3f406a784c768737dddafc49075f496452b96597681

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC626.tmp

Filesize
109KB

MD5
7ccccd0ddf864a061e175cf9e5114a46

SHA1
c0b798cd725d5f270f347790e2ad13dab60108e3

SHA256
fe74cb06318fd7451fed5ad5ce5605bb746bb5ef55da3fe96f52ba20e159db49

SHA512
8ad1bb6375e7f35e0dc41353d2e79499285cc401c412ea16fdbb123c3a53aef315186f594364a4f4156a58fa780c973bbc7e0202e6a1ed8380742b6c45058132

Download Submit
C:\Users\Admin\AppData\Roaming\MasonClient.exe

Filesize
48KB

MD5
8f28ca9a926d19b481928e7943818c18

SHA1
c39af1be425a90eb806d2874ad210266f55f297c

SHA256
ea0cd48a7bbf5c3df7505631380715287c22db6cdb770dc36f211bba02bae59b

SHA512
2acdbfe077ebc93a50836c7a719646445e48bfb893c05ccc06260bc815b91e28b0f5cd478131be2a71e330621f50d7712a3169c4234e68ebb6d7367aac9fc789

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
724B

MD5
320517c54f4245df10a53f23e15ef629

SHA1
b7991388b4b1aee9f10fcd16bab3d7a7a5e4013a

SHA256
fd0bc4f04864dbd7d89c8eb185663bce7f16ad4800fa89f4a0adb640ae5f5f73

SHA512
ff00989e081603a9c902aea81ac9b3ca3a72b4db2c87a337b9be3ef79d1bad0a0c81776978c417b3ea3ccc0ac39e1bd7a07f5da2fdc5875612e2c7f27014d6f0

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
108e48edb35a582a25e40448db5a42fd

SHA1
078a06cf0eda1a85e7918ae712e5c7416d7defe4

SHA256
87c9aba043ba45db61e957598182a03419d7af7af3df2ba48c0c1f21a6bdf312

SHA512
bdafab2d5d1d0fd0d349b08290b322b189fcff5469e465fafb89ef33650f9c5a69ba3e3eefb4c4861a803b0707f7b1e2c071e9f63c34e719eafd13a337d8b9c9

Download Submit
memory/628-459-0x000002913B500000-0x000002913B525000-memory.dmp

Filesize
148KB

Download
memory/628-463-0x00007FF85D590000-0x00007FF85D5A0000-memory.dmp

Filesize
64KB

Download
memory/628-462-0x000002913B530000-0x000002913B55B000-memory.dmp

Filesize
172KB

Download
memory/680-465-0x00007FF85D590000-0x00007FF85D5A0000-memory.dmp

Filesize
64KB

Download
memory/680-461-0x000001CCAB310000-0x000001CCAB33B000-memory.dmp

Filesize
172KB

Download
memory/756-310-0x0000000006910000-0x0000000006EB6000-memory.dmp

Filesize
5.6MB

Download
memory/756-298-0x0000000000EB0000-0x0000000000EEC000-memory.dmp

Filesize
240KB

Download
memory/756-326-0x0000000007360000-0x000000000736A000-memory.dmp

Filesize
40KB

Download
memory/1068-478-0x00007FF85D590000-0x00007FF85D5A0000-memory.dmp

Filesize
64KB

Download
memory/1068-476-0x000001CDCF300000-0x000001CDCF32B000-memory.dmp

Filesize
172KB

Download
memory/2528-328-0x000000001B300000-0x000000001B342000-memory.dmp

Filesize
264KB

Download
memory/2528-327-0x00000000007C0000-0x000000000084C000-memory.dmp

Filesize
560KB

Download
memory/2544-300-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/4484-299-0x0000000000100000-0x000000000014E000-memory.dmp

Filesize
312KB

Download
memory/4484-301-0x0000000004970000-0x0000000004A02000-memory.dmp

Filesize
584KB

Download
memory/4800-5-0x00007FF87F110000-0x00007FF87FBD2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-12-0x00000000012D0000-0x00000000012DC000-memory.dmp

Filesize
48KB

Download
memory/4800-3-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

Filesize
72KB

Download
memory/4800-0-0x00007FF87F113000-0x00007FF87F115000-memory.dmp

Filesize
8KB

Download
memory/4800-177-0x0000000001290000-0x000000000129E000-memory.dmp

Filesize
56KB

Download
memory/4800-1-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/4800-2-0x00007FF87F110000-0x00007FF87FBD2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-4-0x00007FF87F113000-0x00007FF87F115000-memory.dmp

Filesize
8KB

Download
memory/4848-9-0x00007FF87F110000-0x00007FF87FBD2000-memory.dmp

Filesize
10.8MB

Download
memory/4848-7-0x00007FF87F110000-0x00007FF87FBD2000-memory.dmp

Filesize
10.8MB

Download
memory/5160-343-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/5160-344-0x000000001AFE0000-0x000000001B006000-memory.dmp

Filesize
152KB

Download
memory/5260-360-0x0000000002D60000-0x0000000002D98000-memory.dmp

Filesize
224KB

Download
memory/5260-359-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/5484-394-0x00000000000B0000-0x00000000000DE000-memory.dmp

Filesize
184KB

Download
memory/5492-393-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/5848-425-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/5924-441-0x00007FF89D510000-0x00007FF89D708000-memory.dmp

Filesize
2.0MB

Download
memory/5924-445-0x00007FF89B8D0000-0x00007FF89B98D000-memory.dmp

Filesize
756KB

Download
memory/6000-447-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download