Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-meq5taef64
Target https://github.com/Endermanch/MalwareDatabase
Tags
bootkit discovery evasion persistence trojan upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/Endermanch/MalwareDatabase was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion persistence trojan upx

Adds policy Run key to start application

Drops file in Drivers directory

Checks BIOS information in registry

Executes dropped EXE

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 10:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 10:22

Reported

2024-05-07 10:53

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase

Signatures

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Otrpg = "C:\\Windows\\SysWOW64\\KBDKORN.exe" | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\KBDKORN.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A

UPX packed file

upx
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A (8 matches; no description, indicator, process or target recorded)

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | camo.githubusercontent.com | N/A | N/A
N/A | camo.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | C:\Windows\SysWOW64\KBDKORN.exe | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
File opened for modification | C:\Windows\SysWOW64\KBDKORN.exe | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\KBDKORN.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 3256 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 3256 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 3256 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 3256 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 3256 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 3256 wrote to memory of 3480 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 3256 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 3256 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 3256 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 3256 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 3256 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 3256 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 3256 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 3256 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 3256 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected] | C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 4000 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | C:\Windows\SysWOW64\KBDKORN.exe
PID 4000 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | C:\Windows\SysWOW64\KBDKORN.exe
PID 4000 wrote to memory of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | C:\Windows\SysWOW64\KBDKORN.exe
PID 2400 wrote to memory of 212 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2400 wrote to memory of 212 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4608 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4928 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5404 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5600 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4548 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5904 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6164 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6364 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]

"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Windows\SysWOW64\KBDKORN.exe

C:\Windows\SysWOW64\KBDKORN.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffdb24e2e98,0x7ffdb24e2ea4,0x7ffdb24e2eb0

C:\Windows\SysWOW64\cmd.exe

/c C:\Users\Admin\AppData\Local\Temp\~unins1125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1356 --field-trial-handle=1760,i,4905016191781728441,256372885350321130,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1700 --field-trial-handle=1760,i,4905016191781728441,256372885350321130,262144 --variations-seed-version /prefetch:3

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 828

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 13.107.9.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
NL 96.16.53.149:443 bzib.nelreports.net tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 158.9.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 149.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 13.107.253.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 64.253.107.13.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
NL 23.62.61.72:443 www.bing.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 aeravine.com udp
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 bemachin.com udp
US 66.96.162.135:80 middlechrist.com tcp
US 8.8.8.8:53 135.162.96.66.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 f284568010505119f479617a2e7dc189
SHA1 e23707625cce0035e3c1d2255af1ed326583a1ea
SHA256 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512 ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 014578edb7da99e5ba8dd84f5d26dfd5
SHA1 df56d701165a480e925a153856cbc3ab799c5a04
SHA256 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512 bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

C:\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 c6746a62feafcb4fca301f606f7101fa
SHA1 e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256 b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512 ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

C:\Users\Admin\AppData\Local\Temp\EN.EXE

MD5 621f2279f69686e8547e476b642b6c46
SHA1 66f486cd566f86ab16015fe74f50d4515decce88
SHA256 c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

memory/4000-34-0x00000000001C0000-0x00000000001F1000-memory.dmp

memory/4460-42-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4000-33-0x0000000000400000-0x0000000000445000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GB.EXE

MD5 fe731b4c6684d643eb5b55613ef9ed31
SHA1 cfafe2a14f5413278304920154eb467f7c103c80
SHA256 e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496
SHA512 f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

C:\Users\Admin\AppData\Local\Temp\SB.EXE

MD5 9252e1be9776af202d6ad5c093637022
SHA1 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256 ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA512 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

memory/4000-60-0x0000000000520000-0x00000000005B3000-memory.dmp

memory/4000-59-0x0000000000520000-0x00000000005B3000-memory.dmp

memory/4000-56-0x0000000000520000-0x00000000005B3000-memory.dmp

memory/1236-61-0x00000000018C0000-0x00000000018D0000-memory.dmp

memory/4460-63-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3464-64-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Windows\SysWOW64\KBDKORN.exe

MD5 a796780f3083f3d98d1e660015d07428
SHA1 fc79a558c98a64aa151f506a147f8131f62caec0
SHA256 b085e424ae43356a42f9a30cf9d68dd6ce4c0404f5781a700d1e18c81b8fb46c
SHA512 d9875aa63332dc2a12605c27ea35fcd6c5a2ce9453c242ab1ae30800c3214e5573f61038b85ba14168ff0f51372968744b8fc09b887af424bf22aa989e21b2e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ee08c726ac4e2999fe95093475f9592b
SHA1 0d147f536546e0f057c992baca80ada4d364238e
SHA256 b71871bbdd8a94c9f3339de607046dd441a821e37c67d32fdb9710b23453ec35
SHA512 426c92b002a6b7ae6cb01fbfe7091f42484eb61c5354c11b369330372fcf8de60da569e8f2cd3f1995be0d0d70a0f88ebc5cf3fce8c63689a948c97631e9a0d0

C:\Users\Admin\AppData\Local\Temp\AV2

MD5 d5ddc6a8454e9f5798ab83586db20364
SHA1 3dae9586cc2e42f0b0a5342a5235addefa07a9fa
SHA256 dc2620fd367ad103afc7073053caca5e5c3bd865ec11b22e0a350790f5773406
SHA512 6c7bccacfd1be24d32fe8cf62d27725e5877cdf8136e37405ef8ded346d23b5c05954e185fd7224b128ee4f5215614aa61d416612a9f67bf1ff3d8798dc68408

memory/3480-80-0x0000000000570000-0x0000000000571000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 def6145b0bbbc4ac9defa1910312f7d2
SHA1 06b52011ec650d10389808395f9889581402a6cd
SHA256 a0189643725002123bc648e1e9bf571b06577db9b8edea3cf54eab2d779df5f3
SHA512 3c39d1bfec076c6aa6d3a0787c78742a4c4259a018069f02a3842606fb85518b95067320310756881ab0d7f5b0305325402b10902497e01e5431384f0e6f0b75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a233d97d406915e79d3b672ea8969f61
SHA1 f58c3928d994a21fe54f6878971c189f8bf6fff9
SHA256 bfc65c3df545aa799856bca6c7d44551c8306ea5acad3e3f88ab8ca5e2993d1b
SHA512 e6623e193bf03286510fd0ffc0174e9b0a6c2dc749ea7e7907783519679d60c7e761dc9cbbea287c3c31004ec9a67b5ec9930896bd058ef2e84913f59cd39285

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d4979ddc709e21dddeb3e15482085154
SHA1 3b7d391936cfd76330104a8b6101bf1cd5f996e2
SHA256 3d7582a8ff9c98481f069304bdc138d2e01697dd91c6f92604826ab7e0925c19
SHA512 43cb57707b5f0fd99c11566ce279eda55015b4e8f8db1b72b3a9137fb797261022dcb5624e9c7482c63e76eb81ae90ec00d9fdd36ab1f2b3eda40168698b09b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9ff0f0f4362bf737ccb8d7af26abf466
SHA1 edaacf8ad0fefe049885f221ad4153ab0389ed03
SHA256 1eb6c6cb661e25bb5a291df8cfb5db1a550c358a88436c8d03586ce99d36266a
SHA512 850c35da8a49ae53fab7ae5f915a846023f28aae1eecef0a4a0b7ecacf560912dae9d1ccd78dcce0a61eef6a12f985e65683a90a45bfc1add4f53333e448321c