xworm | hxxps://github[.]com/MasonGroup/SvcinjCrypter

Analysis

max time kernel
337s
max time network
336s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MasonGroup/SvcinjCrypter

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
MasonUSB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5612-328-0x0000000008C80000-0x0000000008C92000-memory.dmp	family_xworm

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
980	powershell.exe
1520	powershell.exe
728	powershell.exe
5312	powershell.exe
5580	powershell.exe
3844	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	injectiosn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	injectiosn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	injection.exe

Executes dropped EXE 8 IoCs

pid	Process
4296	injection.exe
1788	injection.exe
5228	RtkAudUService64.exe
5524	injection.exe
5764	injection.exe
2392	injectiosn.exe
4852	injectiosn.exe
4056	injectiosn.exe

Loads dropped DLL 7 IoCs

pid	Process
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
3804	DllHost.exe
5612	explorer.exe
5612	explorer.exe
5612	explorer.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	camo.githubusercontent.com
100	raw.githubusercontent.com
101	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RtkAudUService64.exe	injection.exe
File opened for modification	C:\Program Files\RtkAudUService64.exe	injectiosn.exe
File opened for modification	C:\Program Files\RtkAudUService64.exe	injectiosn.exe
File created	C:\Program Files\RtkAudUService64.exe	injection.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	SVCINJ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	SVCINJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	SVCINJ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SVCINJ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SVCINJ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SVCINJ.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3132	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5612	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
1704	msedge.exe
1704	msedge.exe
3924	identity_helper.exe
3924	identity_helper.exe
2052	msedge.exe
2052	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
5704	msedge.exe
1516	rundll32.exe
1516	rundll32.exe
5612	explorer.exe
5612	explorer.exe
5312	powershell.exe
5312	powershell.exe
5312	powershell.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5996	SVCINJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: 33	5144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5144	AUDIODG.EXE
Token: SeDebugPrivilege	1516	rundll32.exe
Token: SeShutdownPrivilege	5612	explorer.exe
Token: SeCreatePagefilePrivilege	5612	explorer.exe
Token: SeDebugPrivilege	5612	explorer.exe
Token: SeDebugPrivilege	4296	injection.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	1788	injection.exe
Token: SeDebugPrivilege	5228	RtkAudUService64.exe
Token: SeDebugPrivilege	5524	injection.exe
Token: SeDebugPrivilege	5764	injection.exe
Token: SeDebugPrivilege	2392	injectiosn.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	4852	injectiosn.exe
Token: SeDebugPrivilege	4056	injectiosn.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
5612	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
2872	vbc.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
5996	SVCINJ.exe
1176	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2876	1704	msedge.exe	88
PID 1704 wrote to memory of 2876	1704	msedge.exe	88
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 4500	1704	msedge.exe	89
PID 1704 wrote to memory of 2940	1704	msedge.exe	90
PID 1704 wrote to memory of 2940	1704	msedge.exe	90
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91
PID 1704 wrote to memory of 1512	1704	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/MasonGroup/SvcinjCrypter
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9df1a46f8,0x7ff9df1a4708,0x7ff9df1a4718
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14560978928186017515,10098938616015275954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\SVCINJ.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\SVCINJ.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fww1afrt\fww1afrt.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2872
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc715FC7804D7B4D09B7A1B4CDA3FC90AD.TMP"
    3⤵
    PID:5832
- C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.exe
  "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.exe" /ndebug /targetplatform:v4 /out:"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe" "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe" "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.dll"
  2⤵
  PID:5920
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.cpl",
  2⤵
  PID:3828
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.cpl",
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}" /SC ONLOGON /TR "mshta.exe vbscript:Execute(\"on error resume next:CreateObject(\"\"Wscript.Shell\"\").Run \"\"\"\"\"\"C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.lnk\"\"\"\"\"\",0:close\"")"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3132
  - - C:\Windows\system32\SCHTASKS.exe
      SCHTASKS.exe /RUN /TN "MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}"
      4⤵
      PID:3284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3zcfqru2\3zcfqru2.cmdline"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E41C002822748979A091E7886B2B1.TMP"
    3⤵
    PID:3276
- C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.exe
  "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.exe" /ndebug /targetplatform:v4 /out:"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe" "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe" "C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injection.dll"
  2⤵
  PID:5296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\system32\mshta.exe
mshta.exe vbscript:Execute("on error resume next:CreateObject(""Wscript.Shell"").Run """"""C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.lnk"""""",0:close")
1⤵
- Modifies registry class
PID:5296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5612

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3804

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Program Files\RtkAudUService64.exe
"C:\Program Files\RtkAudUService64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2372

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\SVCINJ.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\SVCINJ.exe"
1⤵
PID:2564

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe
"C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Program Files\RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RtkAudUService64.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.cpl

Filesize
17KB

MD5
ede3183a9939e13c65d835620fc29895

SHA1
d215d81b5436303909addb5d6fff8b2689c81676

SHA256
665f2add2543c54ce93d92b19f8d8ddb735f9bc0b53dd4017c3a7975e27c46d5

SHA512
479232b720da6f257e9aa67173496c99329fbb0fe16dab5cc190f5bbd2ed47e3b9cc2c4efad81d3b682d9910cc6ee4a9e8a239b05192473355d7998790979466

Download Submit
C:\ProgramData\MicrosoftEdgeUpdateTaskMachineCore{B9628470-0974-424D-A682-B27DBCA9C283}.lnk

Filesize
104B

MD5
62658c068ffbf0e44a72ac7ad1d0de8c

SHA1
be24daae430936518ccafa73d53e64ca3f29f4b1

SHA256
b87ace89fe7d8861eaa93dde044ba1b74d7fb29b84ec945e5ec681511fe3096a

SHA512
0e56c57ebeaba882ce2b1290f053b2d95367b2809306b31cd7b0fbe7f47c7f656818f8a49311c8bccaa67c8f0b16d6c3d25119289adbfb27b275eb780e8dd036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SVCINJ.exe.log

Filesize
1KB

MD5
33732cec5fa7accba569ced041a71df7

SHA1
2e2e485b8316eb0c5345c9fff258b57d6ffba4f3

SHA256
c2fe1c5c68a02ff5beafacee7993ed5cfe3df27dbf5793f3d7ad63931cec4da9

SHA512
263105872b68d5d60482e4bdbdd8d6e90c6dd6344217e06ca1a51f70d62a01e77c05362b4a0e94b9d7d2b23fa32dff797a60c1b7542ac91240213d353b306679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\injection.exe.log

Filesize
422B

MD5
6b273e0cbcea417b261afe54d2c7a997

SHA1
caaae505b76884ba95b2465c95c1a47144ecaf8f

SHA256
5e96a6e6a2e5a7216941871f67b8e683b9eea2be80d66d7542b65a6491ba5480

SHA512
968d8a83c63c3029a122e9fc647663f5af261e12a7b23164ed514600174befad6ec3e3767de71607062c9dc37e2968a991b55fa76e35064c3819f960fb7ba196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\injectiosn.exe.log

Filesize
1KB

MD5
fe1d7aaec1f8e21554b2dea87bb42a6e

SHA1
950dd9254713ada2269bd96aaf12a08c4828f0bc

SHA256
471356f5b299eaaaf1856e0f3d93a94c68321a326f5210a952e93ddb3848647c

SHA512
7ada22e7d6902659e998ef5e3987ace84f79533dc42696a20aa7a75d21b5a1fcc70076ec85b0951ac72880947083ce4854eeae64ea0b614fbdac369dfe52e01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab283f88362e9716dd5c324319272528

SHA1
84cebc7951a84d497b2c1017095c2c572e3648c4

SHA256
61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2

SHA512
66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fffde59525dd5af902ac449748484b15

SHA1
243968c68b819f03d15b48fc92029bf11e21bedc

SHA256
26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762

SHA512
f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eced757ad5a695405a7cd9ab9e3f35a2

SHA1
df57838944f8364ac458a02ece4a11b54560e3d1

SHA256
8277a4d967a3fdd61736b5a41aeb40ae6bfc11823713acda90cb4784d092cfda

SHA512
d2c66c14c4f2ba2e2f6adb324a16fa328baf4f3184e582c0a0cd5c322b596bb5c12c99a82f0bec3eea1d85a4d0e76b8451e867be2d2c99ec78e9e4dcc6d4ed03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
657B

MD5
cee71c2501fbf3f7c793fb1537f39362

SHA1
68449c1322a773b9be344f66bdc02cf6247d7df7

SHA256
9829a6b4586d5689c023784f94fa6df2baf22c209d779b4866c50cbc288860fd

SHA512
c932268f9a1eda03f7d62f9b36c1d716ad0984fde2176613d0b2124e76de6c1bac7152201068277ba64d42e707b061ef9bae5758c79defdf0438c41bf314df5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fec17a304eb27cf5593e67ea71164e08

SHA1
7c0cc1703ed236e2decd6f30949ecc0a43d2fcf9

SHA256
81a7ea7c8ac08723b6fd73086aa292bdd6512abdcb91feb0d77e31e07369e56b

SHA512
d5a4fb6c914a63a0e6182f358e643de8ad392e46536e12fe8f1a8372a1a73c2cbc9af731c439c8f7b34ee78a067b2bc11474b467963aa103c71154bec58dec14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c19e464a1504a75b768f1a7899c578ca

SHA1
0be8c26f2f0c2df45440d5b8cc9df5ac0e94ff4e

SHA256
3472d526c5cfebade4c04a227146b50f6ba4bb90d2be381b40f92b0e1b40d270

SHA512
e89c61447442cac8a44c39fd3f9ad0a95c0234afbe450db1a7d3386466a572c0e7234151999320ccf913fa51298bacbebcb7f9751db5b97a95b1035f98e1ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
114ef6e12f10370be8fa0d5daa348dce

SHA1
64790be0b4650477e17a281259c0ebecfd1171b6

SHA256
481a952d1f19c9d2a159d4a368b0463ba1d4a2d2f227455bdea0d7a23886cc44

SHA512
9c115419ac2493bbc310a17bab3d6ce0f1171188c4547d062d42d171899800c60e3fb09c8db40321f6e67313be0389ccd3b76ac90a2b356b8abc30cdd75f7d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6ba2d63b08b1156378d3d8a94027be4

SHA1
7c2afd31226b50f45e3debedd9d20f5ad1a71b01

SHA256
d857ed519691080bb9e3c3cc43709886af8e8d6bd787042698442d89db876c34

SHA512
97bf3c11a4e3872dc0679071c715a702bb23d7625ba0162572d6bf9214402f6d6b7961287cd1fb70cbdd5252bcc1f00da069ed9fc366d854af2b5e553cb3c951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58436d.TMP

Filesize
1KB

MD5
164cf39dbf79c72e31860418d6a87fce

SHA1
d2e549ce9aef71a15e93a31f1cfa9e92d659b02b

SHA256
db47cc7e4fe7452fc76ff7791a9c9f07ce725813c8ea55d97a716706bf5a65e0

SHA512
b9c34c3a48351d29a641f8bd41496e1a2baaa43cf3b2b29dba3e21c6d05401336554bda5ef57e7da47216acb9b785a0a2669ab2082ccd68247370710c76d15f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0bb899b98a961f4888a62f1f735ddf8b

SHA1
ce65c0db54119811a64fbfeae4c15d130c163984

SHA256
b40b59f3b825d72e4d32e44c14f6b1ab6f8f127cfc6e46cca741de43a43320f4

SHA512
66d10f2af697c1e457a068da8eb60f0b448efefbff339ab61821d279df5bb7831e96e925b66b54baf6f90259450d2113c687be73ca9ad94bfeb7341622080763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f960511202a5a964d6acbd09b70c016

SHA1
79881f911ec06210a0cf2c47f0f02caa7b86b523

SHA256
02b18d48a6b9c3e723df099ab4d20dcb284d679ee5c5d26c344bf939c18efa50

SHA512
1f0921e27db26958c87144cd386d946b95635b41e46aa7403f0f099476b7c1410a6d50ee387c7ae5d7f0a41edf67362878982bf44341a4a3a7f501edfbfffb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bb812b3e31d6bcd9430e1859693c9856

SHA1
2e2fd106bd4c2cfb827a2db22cdfc12d9a2aebe1

SHA256
36d73bca447ed277c72b5af7fe1e4f8d076e857fa82a7dd00e485138b9da673b

SHA512
8bb6f11f4a69f6b1b0a2ff36f45c646cb726933a613e7c4d4b7c20e6c042616047beb4057675687d9f96e564c141b1a4b6f50fe793ec163393d57124a06319f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\#4#2#.Resources

Filesize
912KB

MD5
da5e1f58eb079dbf8e5aa1662578f5c8

SHA1
07d3c48d0cd38de3923190c674ba52a31d0be96a

SHA256
d16c770f29e61f5e51d9d3c20461ae9c1c165af86cd5a734f86a1a37eda919be

SHA512
3d02994fe87ed7f0dc379f9f90547fbd21f6449b0c64403f664b87cb5ca9501b9330cb681a3be6a8106a0fb413d09d42e8362508701602eb07ec05f5e4fa8915

Download Submit
C:\Users\Admin\AppData\Local\Temp\#4#2#.Resources

Filesize
774KB

MD5
311e0df6490c81448199cd4ceb7e5bd3

SHA1
c23b00477966a113a921dcc3e3983a8b2d99cba5

SHA256
c55efcd85563eae43ba87c9d4735c405698e14bf827667151e568c708c7fb6f7

SHA512
6bfb06ceded33a0f7d088138929da3633fcad77771bbfd8c7f3ef4262ee7062a983f109590fbcff8bbb85d246212be72eb4700c6ca4d0084f8369d91dcb231f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3zcfqru2\3zcfqru2.0.vb

Filesize
27KB

MD5
bda8cd3c38fab115b4f5ccd5ad3308f3

SHA1
0e414f7985908745b8eb81e4b87f89067e21e9ce

SHA256
36bc2544ec1147a4dfdbe7f5f0f5bef28dacd05214a65fcc4d87f4c6d61ab8c1

SHA512
945214f9e0b9bc4eb854e91e47add852189014ce64c59d943c64c4a26900500398c0c1d4bfefe8c9293a632d9b011cc2429df7a33028a3d0e4ccb637a51f6621

Download Submit
C:\Users\Admin\AppData\Local\Temp\3zcfqru2\3zcfqru2.cmdline

Filesize
489B

MD5
21a23a7813e71ca8ec8f99289c9c96a1

SHA1
75cc87bf0956bd4033b4b48a05a93673ed90df4b

SHA256
211288dd4e4c5bfc2fb20f67dcc02c66cc90cf7a4471e56eed6fa545a7f3312e

SHA512
f22812345c29a7d6ecb2663ff95e2986abd2ab1736434222f42d3abad46e5b7f9dbebade159273a17a3ea2bf5f482b98e6c377f0f178c8d6d6a9b8330506096d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB64.tmp

Filesize
1KB

MD5
6fba3b8cd5ba247681c965dc5efa9a56

SHA1
a99bf1a036a3b4c337f2b19950a9698a782e1f85

SHA256
c83b812836b1294c1550416e4b28124913c307ed26c8188873d9b89c0a08ddd2

SHA512
d7d4a9e484310393e9d068554909aa0915951146d1f2cdd7f4d2bb4952458d762c2fb1b06bfb5b0a1c5723b9352546d1a16cac8c6135f75363b598182f605c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0F4.tmp

Filesize
1KB

MD5
c52d1bd5e0a3dbf9ee4682cb07365f99

SHA1
5fa34926e4a34f4af61aa050e7775911e830cfb4

SHA256
4496bc99a728ca0315af9fb41f71a1b93a382dbe2f7407eb17b94a45b91e3dc3

SHA512
3220cb2c68545b1bc3698311c1cb4a429cb58100491c6c6f93e4c20f036eb40160aa6a9e702a51eb5271277edc6843838b73a03e42fee04aba906a90f3c5df4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pt1hr2tp.e2i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fww1afrt\fww1afrt.0.vb

Filesize
27KB

MD5
d7b0b53df0ca745be282d90a56c4a953

SHA1
93f913732554580746b80730e08111e3bc170d78

SHA256
dde80264ead38650c96280c41c5c7a7ca23822d058f9c17869693bcebfcd3c79

SHA512
e85113ebaf03c9c9a3ca297617929f5ba317f6ffa2bc7770bddf98f47d4a699abe4bdc59e6e1551dd9f49fee29e082aac011b415e5373685270a6bded314672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fww1afrt\fww1afrt.cmdline

Filesize
478B

MD5
c6b432bc754dff24ea72ac5cccbb4784

SHA1
a25bc5cbd68b99e46d92c952a58771ca096bbaf2

SHA256
5c0eee5fb2c6f941cfb44a578215b749ac4520829c9ab1de2c7e40aebd4262cd

SHA512
795c6af7411e84ce67d103307d67b897079fb09ac7317a071011f49450139d1a2f238032d9f1cd69822e39d7e96af81c327b867c6fab9c5e1e7c5e6a91b42fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E41C002822748979A091E7886B2B1.TMP

Filesize
1KB

MD5
75e52264783219b9c0895aa1aad906f3

SHA1
e91e4cf19c4f6da9e2f55e13761f67a9c6a9a9c8

SHA256
d4900f28a32bc14b33a0a9f856c837eb7943cc52b324308e268cf195042e5402

SHA512
d721360f79852acf78014bf731e9d881e8555449d69aaa6b2574602e58e78c79078669e99134174c6f12dc504f97daddc5eacc2d3d77e509a1dd0da1f980dac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc715FC7804D7B4D09B7A1B4CDA3FC90AD.TMP

Filesize
1KB

MD5
20ff54661586be6f917870b64b7006e3

SHA1
2e2d11babe1def5432cc75823103e44c1dc5d9e3

SHA256
c338259559ab600e53e19072329410b5c210d12aa417cf05240f26c6c4f9386f

SHA512
b0e2332c29e68f6a8654f9cb55b233c716b8213b1d78f0717cf6ce1b7ac2c3f3bfeaa8ca7915a97bae5900f01188e471c74841554874dfa23a62d6431a365eac

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main.zip

Filesize
2.7MB

MD5
8df9390fe3592a73f74afde573186b5f

SHA1
a76b5467ea4b43c23e5ec5017e7294f9706b5ba2

SHA256
3959ee745f85eee797c4557dafc8b3f91716329888f486a8a6f500b9cb1458f6

SHA512
842080c3c05bec859ba24d4b001702a81087d1b21de7574bbacbb984a2481240a60206d778b4235da78c92a864facaf70e2ea21931db0367eb5bca01ca584851

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe

Filesize
789KB

MD5
a1f00eb7628da1b722ced03c21337552

SHA1
e16c0ee0817279b770050f6408579e6bd055575d

SHA256
e15e94a6389d3d4f212cf136bbbfa9774c303c935072493b9cfd76491e883b32

SHA512
a91c0f4e6848f2abf97d78cdefc9b2274e6f1a076a7f7f84c82298a6cb14364d88a1f8110a174e7212347f3f4d453549cb552be935a83e36a901a092d2689042

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe

Filesize
791KB

MD5
3f609575e9693d59253475f9e5c0ae88

SHA1
3b9f4a512b1a54c9f81d527bd0242f7f165b7d8f

SHA256
18bfbca688975457c20f549177cd1a0e75647ef2681fc4d18e5d9ab36b7e0935

SHA512
840b4c3dac797e8f34727a01d92ef26219d2e3670f72393fa9c544091d17de7bff6c4eb393114f0580339aa3bb80564f89d4792bb52e206c63f1fd5e6a980fda

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection.exe

Filesize
963KB

MD5
14fd36fedc6925cf5d9c2aac11a3aabb

SHA1
38d94d29286fe0009ef0a599c6d6a7f96a0e870e

SHA256
a53467ae2d1a8f0748f4951c5d348091e44c744d34037f1dc61a7633e3353f0b

SHA512
eb82128e12bace8a8e3357b7ff7c29335d6bc2d3287fcd91df294a1717ae0ce81fe38599b714f77a6b719f42ef2293fda54c727f96b67817252e576a6998e68a

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe

Filesize
930KB

MD5
d2feb3c9a0925afc5cb61a4907b8cfcb

SHA1
f210bd7a7db630ea0ca48f0053959e0ad1ce6a5b

SHA256
7f0b10b501eeaa3c288219bf3e264562bae65c80dc3d8a0108937e15046fb749

SHA512
1463e020be2591777aaef7f55e25ef523008a7ebbe2a2b6238b9f70b5ce5e58df0e3bafa5bcd927b7370c30af31c9c3469a98f4e5396f304d849ed311f64a4c5

Download Submit
C:\Users\Admin\Downloads\SvcinjCrypter-main\SvcinjCrypter-main\injection\injectiosn.exe

Filesize
1.1MB

MD5
d9fcfe16356d78d8cf972490fb5fdf2a

SHA1
0aca6a0a1e2f7147a9aeb29e374e1fcdf0c50d03

SHA256
872b77c79be1a0243088c8ce738fa4b5dfeb617520acad2892e30e11491f9095

SHA512
b3115173a315a9cd66c90370007af0e0edd2d6ed441a4ab8029167fb3456b495d2b87d106739263819c2a270e707d2d41750665560e7d896d420abd2c5b50a0f

Download Submit
memory/1516-315-0x0000000068920000-0x000000006892C000-memory.dmp

Filesize
48KB

Download
memory/1516-314-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/1516-316-0x000001BA23C40000-0x000001BA24168000-memory.dmp

Filesize
5.2MB

Download
memory/2392-429-0x00000000009C0000-0x0000000000ADA000-memory.dmp

Filesize
1.1MB

Download
memory/4296-334-0x0000000000780000-0x0000000000878000-memory.dmp

Filesize
992KB

Download
memory/5228-364-0x000000001BF80000-0x000000001C046000-memory.dmp

Filesize
792KB

Download
memory/5312-336-0x000002BAD9280000-0x000002BAD92A2000-memory.dmp

Filesize
136KB

Download
memory/5612-379-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-385-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-397-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-400-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-390-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-327-0x0000000068920000-0x000000006892C000-memory.dmp

Filesize
48KB

Download
memory/5612-388-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-391-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-382-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-479-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-328-0x0000000008C80000-0x0000000008C92000-memory.dmp

Filesize
72KB

Download
memory/5612-378-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5612-365-0x0000000007D50000-0x0000000008811000-memory.dmp

Filesize
10.8MB

Download
memory/5920-295-0x00000259476C0000-0x00000259477AA000-memory.dmp

Filesize
936KB

Download
memory/5996-403-0x000002A375DD0000-0x000002A375EBA000-memory.dmp

Filesize
936KB

Download
memory/5996-275-0x000002A3777C0000-0x000002A377916000-memory.dmp

Filesize
1.3MB

Download
memory/5996-244-0x000002A372160000-0x000002A372536000-memory.dmp

Filesize
3.8MB

Download
memory/5996-243-0x000002A3575C0000-0x000002A357686000-memory.dmp

Filesize
792KB

Download
memory/5996-299-0x000002A300000000-0x000002A30000E000-memory.dmp

Filesize
56KB

Download
memory/5996-300-0x000002A300080000-0x000002A300088000-memory.dmp

Filesize
32KB

Download