Malware Analysis Report

2024-09-23 13:18

Sample ID 240612-zh4ljatbnn
Target a246516627f90bfae274929cd16ca449_JaffaCakes118
SHA256 65595d687ec4a653d985e5148d56db9c9f632bf55e60f40d901333b7f002735a
Tags
execution bootkit persistence
score
6/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview; Signatures)

Each behavioral analysis has the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files, in this order:

Analysis: behavioral4
Analysis: behavioral10
Analysis: behavioral17
Analysis: behavioral20
Analysis: behavioral21
Analysis: behavioral1
Analysis: behavioral11
Analysis: behavioral18
Analysis: behavioral22
Analysis: behavioral6
Analysis: behavioral9
Analysis: behavioral13
Analysis: behavioral15
Analysis: behavioral16
Analysis: behavioral19
Analysis: behavioral5
Analysis: behavioral2
Analysis: behavioral3
Analysis: behavioral7
Analysis: behavioral8
Analysis: behavioral12
Analysis: behavioral14

Analysis Overview

score
6/10

SHA256

65595d687ec4a653d985e5148d56db9c9f632bf55e60f40d901333b7f002735a

Threat Level: Shows suspicious behavior

The file a246516627f90bfae274929cd16ca449_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

execution bootkit persistence

Writes to the Master Boot Record (MBR)

Reads runtime system information

Unsigned PE

Program crash

Writes file to tmp directory

Command and Scripting Interpreter: JavaScript

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:44

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

96s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe C:\Windows\Explorer.EXE
(The raw report lists this row 64 times, one per call: 64 separate WriteProcessMemory operations from PID 2464, x0r.exe, into PID 3416, Explorer.EXE.)
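The WriteProcessMemory rows above are the most telling signal in this detonation: a binary running from the user's Temp directory writes repeatedly into the memory of the shell process (Explorer.EXE, PID 3416), and the same binary adjusts its token to hold SeDebugPrivilege. The Python below is an added illustration, not part of the sandbox's own tooling or of the report: it parses rows of exactly this shape and flags the pattern. The list of user-writable directories and the list of commonly targeted system processes are assumptions, and the sample rows are constructed from the behavioral10 tables (the WriteProcessMemory row repeated 64 times, as in the raw report).

```python
import re
from collections import Counter

# Sample input constructed from the behavioral10 signature tables above.
X0R_EXE = r"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

SAMPLE_WPM_ROWS = ["PID 2464 wrote to memory of 3416 N/A " + X0R_EXE + " " + EXPLORER] * 64
SAMPLE_PRIV_ROWS = ["Token: SeDebugPrivilege N/A " + X0R_EXE + " N/A"]

# Row layout: "PID <src> wrote to memory of <dst> N/A <source image> <target image>".
# Source paths may contain spaces, so the target is taken to be the final
# whitespace-free token that starts with a drive letter.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+) ([A-Za-z]:\\\S+)$")
PRIV_RE = re.compile(r"^Token: (\S+) N/A (.+) N/A$")

# Assumption: directories an unprivileged user can write to. A binary launched
# from one of these that pokes at a system process is a classic injection shape.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Assumption: long-lived system/shell processes that injectors commonly target.
INJECTION_TARGETS = ("explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm(rows):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each parsable row."""
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def parse_privs(rows):
    """Yield (privilege, image) for each AdjustPrivilegeToken row."""
    for row in rows:
        m = PRIV_RE.match(row.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(wpm_rows, priv_rows):
    # Count calls per (src_pid, dst_pid, src_image, dst_image) tuple.
    writes = Counter()
    for rec in parse_wpm(wpm_rows):
        writes[rec] += 1
    debug_priv = {img for priv, img in parse_privs(priv_rows) if priv == "SeDebugPrivilege"}

    findings = []
    for (src_pid, dst_pid, src_img, dst_img), n in writes.items():
        if src_pid == dst_pid:
            continue  # writes into the process's own address space are not injection
        from_user_dir = any(p in src_img.lower() for p in USER_WRITABLE)
        into_system = basename(dst_img) in INJECTION_TARGETS
        if from_user_dir and into_system:
            findings.append(
                f"cross-process write: {basename(src_img)} (PID {src_pid}) -> "
                f"{basename(dst_img)} (PID {dst_pid}), {n} calls"
            )
        if src_img in debug_priv:
            findings.append(
                f"{basename(src_img)} holds SeDebugPrivilege (AdjustPrivilegeToken) "
                f"and wrote into PID {dst_pid}"
            )
    return {"total_writes": sum(writes.values()), "writes": writes, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_WPM_ROWS, SAMPLE_PRIV_ROWS)
    print(result["total_writes"], "WriteProcessMemory rows")
    for finding in result["findings"]:
        print("-", finding)
```

One check before calling this injection: confirm from the Processes section that the target PID is not a child the source had just spawned, since sandboxes attribute the writes a parent makes while creating a child to the same signature. Here Explorer.EXE is the shell, not a child of x0r.exe, so the pattern stands.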

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

xor f848 str.txt str.h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Note: every entry below is written by iexplore.exe itself while it opens xor.html, and the keys touched (Recovery, TabbedBrowsing, DomainSuggestion, Window_Placement, WindowsSearch, Zoom) are Internet Explorer's own first-run and session-recovery housekeeping. Treat this signature as the baseline of launching the browser rather than as evidence of what xor.html does.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424386932" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80773B71-28FC-11EF-BAE0-E64BF8A7A69F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bbfb5409bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = <binary value not reproduced in this copy> C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000fc690978e6911c3bb357a794398f5a9bda41e9849ac96079f1705653bed1df8c000000000e80000000020000200000009fa38e585799fb55b241be70be926ab509a6a278d2a28bf367415767cf1d25e620000000b4ea73d492cbf3c22ac9baafcc857ca4962f288f9d71bf61c6898e1a5968bb2d400000005068f62a73dc03ca506b0d463832096688e441c23436a0cf57b30314794dbaf7cb5d32002bf8ee677a83b1b167880d8ab0154139b5e09dbe71912cf7b22ff07d C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/find N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..md5 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.md5 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.pass /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.md5 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.zip /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.sha256 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.md5 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/ziBY2sRP /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..sha256 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/ziEqCztW /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.sha256 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/ziQQYV1X /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..pass /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.pass /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.sha256 /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.zip /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..zip /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.zip /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/zieoDanV /usr/bin/zip N/A
File opened for modification /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.pass /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh N/A

Processes

/tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh

[/tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh]

/usr/bin/tput

[tput bold]

/usr/bin/tput

[tput sgr0]

/usr/bin/find

[find -maxdepth 1 -type d]

/bin/mkdir

[mkdir -p Compressed/.]

/usr/bin/zip

[zip -r --password infected Compressed/./..zip .]

/usr/bin/sha256sum

[sha256sum Compressed/./..zip]

/usr/bin/md5sum

[md5sum Compressed/./..zip]

/bin/mkdir

[mkdir -p Compressed/./xor]

/usr/bin/zip

[zip -r --password infected Compressed/./xor/./xor.zip ./xor]

/usr/bin/sha256sum

[sha256sum Compressed/./xor/./xor.zip]

/usr/bin/md5sum

[md5sum Compressed/./xor/./xor.zip]

/bin/mkdir

[mkdir -p Compressed/./Release]

/usr/bin/zip

[zip -r --password infected Compressed/./Release/./Release.zip ./Release]

/usr/bin/sha256sum

[sha256sum Compressed/./Release/./Release.zip]

/usr/bin/md5sum

[md5sum Compressed/./Release/./Release.zip]

/bin/mkdir

[mkdir -p Compressed/./Compressed]

/usr/bin/zip

[zip -r --password infected Compressed/./Compressed/./Compressed.zip ./Compressed]

/usr/bin/sha256sum

[sha256sum Compressed/./Compressed/./Compressed.zip]

/usr/bin/md5sum

[md5sum Compressed/./Compressed/./Compressed.zip]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
GB 195.181.164.19:443 tcp
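None of the Network tables in this report show traffic the analyst can pin on the sample. The Windows runs (behavioral10, behavioral20) contain only Bing connections that Windows 10 sandbox images generate on their own (they appear in behavioral20 too, where the only process is xor.exe) and reverse-DNS (PTR) queries for addresses the host had already contacted. The Ubuntu run above adds an mDNS packet to 224.0.0.251 and three TCP/443 connections with no domain attached, which are the only rows that still need a manual look. The Python below is an added example, not part of the report, that buckets rows of this format so only unresolved or unknown destinations reach an analyst; the background-domain list is an assumption to be tuned per sandbox image, and the sample rows are constructed from the behavioral10, behavioral20 and behavioral1 tables.

```python
import ipaddress

# Sample rows constructed from the Network tables above. Column order is
# Country, Destination, Domain (absent when the sandbox saw no name), Proto.
SAMPLE_NETWORK = """
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.178:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
US 151.101.65.91:443 tcp
GB 195.181.164.19:443 tcp
"""

# Assumption: domains the sandbox images contact by themselves. Keep this list
# short and image-specific; a long allowlist hides real C2 on lookalike names.
BACKGROUND_DOMAINS = ("bing.com",)


def parse_rows(text):
    """Yield one dict per row: country, ip, port, domain (or None), proto."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue  # not a network row (header, blank, or malformed)
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, _, port = dest.rpartition(":")
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    domain = (row["domain"] or "").lower()
    addr = ipaddress.ip_address(row["ip"])
    if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
        # Reverse lookups; the embedded address is one the host talked to, so
        # it is still worth a glance, but the query itself is not sample traffic.
        return "ptr-noise"
    if addr.is_multicast:
        return "multicast"  # mDNS/SSDP chatter on the sandbox LAN
    if domain and any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS):
        return "background"
    if domain:
        return "review"
    return "review-unresolved"  # no name attached: resolve or look up the IP by hand


def summarize(text):
    """Group parsed rows by bucket name."""
    buckets = {}
    for row in parse_rows(text):
        buckets.setdefault(classify(row), []).append(row)
    return buckets


def needs_review(text):
    """Destinations an analyst still has to judge, as 'ip:port/proto' strings."""
    b = summarize(text)
    rows = b.get("review", []) + b.get("review-unresolved", [])
    return [f"{r['ip']}:{r['port']}/{r['proto']}" for r in rows]


if __name__ == "__main__":
    for bucket, rows in summarize(SAMPLE_NETWORK).items():
        print(f"{bucket}: {len(rows)} row(s)")
    print("to review:", needs_review(SAMPLE_NETWORK))
```

Unresolved TCP/443 destinations in a Linux run deserve the same scepticism as the Bing rows: the Ubuntu image has its own background services, so look up who owns each address and whether the same three show up in other Ubuntu detonations before attributing them to PackFiles.sh, which as the Processes list shows only ran zip, sha256sum and md5sum locally.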

Files

/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/ziBY2sRP

MD5 e2aecbbeb438373e882cb5629193e642
SHA1 d97c4fbf8de9836e985d7ce7b6fe958363f116d3
SHA256 dbf2e2dcd1d411933ba8b5720e7f09e6a4c1771e72c3a2f5df764e4d18553b18
SHA512 26f91b843da6265d1a870183ab993c57df8e5470198f4572de5cc6b64a682581e07350e3b62d6612d6d5a0f0f98ac41b3d6906a4066897043d9b8f9a97988a11

/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/ziEqCztW

MD5 896742a5f71a4797bc53b321ea409224
SHA1 690c4fdf1f7f1691edbc1bfb219636dbeee8d41f
SHA256 c8113a497296a2366a64f5223dcb263a12288f17aa8278a4ad0717ca413475ac
SHA512 2c32c83d72406ebf4b5db3c4edca759696087f24877454854017386ed1656020b72cfb25e7d18d7c0b6d465939d45729e235357975ce7a6662872845a52c080e

/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/zieoDanV

MD5 3b622f888f6c82615dae228d7995d252
SHA1 4f96c0b5e5fd11a12180d6ce63fc5796872182e9
SHA256 7b1ea2b6a007a737374d52d5bcfcf4465147c87b13d315aa11fabbb7c00d2761
SHA512 2a68b7f820c44b279c4ba035dcce747af5cf942aab7bdab52bf31e3e72c44e658bcc50cbd023ea79e3bc7af1e29307c46c9d75d9a11e7a5fa26f13d7b299d26c

/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/ziQQYV1X

MD5 8bea09a77849b7e9667b841f80eaa659
SHA1 b3cd7671b231d63c22e7e397efef292972243c9c
SHA256 11aeaf98f734b120a43e02da113d7c9dd190c8001a8b154c7ab751049802f013
SHA512 6a670779d69641bbe706f8d3a3fe15f488bd12382da2f59e4bda347512f5d4cd06e24973776f195a022bf4927354d5bb47ff5d713f5a0f44f36a2299863b3d94

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

157s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

xor f848 str.txt str.h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 4472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 3956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1688 wrote to memory of 3572 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ae746f8,0x7ff86ae74708,0x7ff86ae74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1688_LLZYDTVHYHPHUSYB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e300a9e7-bad5-48d3-b7d7-ae29f728aca6.tmp

MD5 5ac251dcb6845c30f14c29612a870202
SHA1 b8ac247301d809b55c12d16143200d42162e692b
SHA256 5f0d0a772ed1a98fef536e916f13fcbc9ffd51a5928384d00a59dab8bf84cd09
SHA512 7feb63ef64394693028eedaf1e1fade9530a4d998a151f324d8d7b893d62f09b06a9b0cf9790ef1221575f631043933d37afd12a462da87320b66681987c704c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0fe76f5ffbac04f9f458ab81025edc77
SHA1 763b2fae85396cf517867c9f1f6242fd8b58ebcb
SHA256 ef6aca6725866ef71043cb50df17285f781445c7bea892cd0c1514f15ed91811
SHA512 15926eab79f3c785b9c5d252850a652cded94cd75835137db2eef159535354a219f4f77a31d10c8cecb1f0fa79035e31092261851f341cbbfbfd97a815b049cc

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE
PID 1596 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20231129-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f0fe5409bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424386910" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80754F41-28FC-11EF-87B3-6E1D43634CD3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb629ad3e7ba3c469c86a797a83c4d7100000000020000000000106600000001000020000000aa843819c1429791e68d100a87e2287badf7ad68e8589db3a33e5fbbe732386e000000000e800000000200002000000044acd8cb3a2dcac7d7b43819087c741c4e2b19065bb4c943537d472efadc7d0a20000000709f0e64702858c0467edc9773486a6bf9fcd9e9b08bec1cd5b7a63e2b7e7c4d400000009a59ff015ecf6d251ebaee91e879d7b9fe2ff72b9e727b1fc5f4bfb347f8f08038c868db91e832ed682d38bd6c837a6712092bd062e0b5ad341019ff379a81f2 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
BE 88.221.83.211:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab31EC.tmp

C:\Users\Admin\AppData\Local\Temp\Tar3394.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240419-en

Max time kernel

122s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

xor f848 as.txt as.h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240508-en

Max time kernel

135s

Max time network

138s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"

Signatures

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

xor f848 as.txt as.h

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240611-en

Max time kernel

118s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:44

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win7-20240611-en

Max time kernel

140s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 284

Network

N/A

Files

memory/2788-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2788-1-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2788-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2788-11-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

memory/2788-6-0x0000000000890000-0x0000000000891000-memory.dmp

memory/2788-10-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

memory/2788-9-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/2788-8-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

memory/2788-7-0x0000000000880000-0x0000000000881000-memory.dmp

memory/2788-5-0x0000000001D20000-0x0000000001D21000-memory.dmp

memory/2788-4-0x0000000001D10000-0x0000000001D11000-memory.dmp

memory/2788-3-0x0000000000240000-0x0000000000243000-memory.dmp

memory/2788-13-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

memory/2788-12-0x0000000001D00000-0x0000000001D01000-memory.dmp

memory/2788-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2788-15-0x0000000000250000-0x0000000000280000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE
PID 3028 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe

"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3028 -ip 3028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3028-0-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3028-1-0x0000000000580000-0x00000000005B0000-memory.dmp

memory/3028-2-0x0000000000600000-0x0000000000601000-memory.dmp

memory/3028-13-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/3028-3-0x00000000005F0000-0x00000000005F3000-memory.dmp

memory/3028-12-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/3028-11-0x0000000002280000-0x0000000002281000-memory.dmp

memory/3028-10-0x0000000002290000-0x0000000002291000-memory.dmp

memory/3028-9-0x0000000002260000-0x0000000002261000-memory.dmp

memory/3028-8-0x0000000002270000-0x0000000002271000-memory.dmp

memory/3028-7-0x0000000002240000-0x0000000002241000-memory.dmp

memory/3028-6-0x0000000002250000-0x0000000002251000-memory.dmp

memory/3028-5-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/3028-4-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/3028-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3028-15-0x0000000000580000-0x00000000005B0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

143s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-12 20:44

Reported

2024-06-12 20:46

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 4992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3892 wrote to memory of 2696 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3892 wrote to memory of 4488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3892 wrote to memory of 1268 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2ac46f8,0x7ffdc2ac4708,0x7ffdc2ac4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3892_VUGVDFNVBGFEJJWW

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences