Analysis Overview
SHA256
65595d687ec4a653d985e5148d56db9c9f632bf55e60f40d901333b7f002735a
Threat Level: Shows suspicious behavior
The file a246516627f90bfae274929cd16ca449_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Reads runtime system information
Unsigned PE
Program crash
Writes file to tmp directory
Command and Scripting Interpreter: JavaScript
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 20:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:44
Platform
debian9-mipsel-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.178:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 178.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240611-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
xor f848 str.txt str.h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424386932" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80773B71-28FC-11EF-BAE0-E64BF8A7A69F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bbfb5409bdda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000fc690978e6911c3bb357a794398f5a9bda41e9849ac96079f1705653bed1df8c000000000e80000000020000200000009fa38e585799fb55b241be70be926ab509a6a278d2a28bf367415767cf1d25e620000000b4ea73d492cbf3c22ac9baafcc857ca4962f288f9d71bf61c6898e1a5968bb2d400000005068f62a73dc03ca506b0d463832096688e441c23436a0cf57b30314794dbaf7cb5d32002bf8ee677a83b1b167880d8ab0154139b5e09dbe71912cf7b22ff07d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2284 wrote to memory of 2304 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 2304 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 2304 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2284 wrote to memory of 2304 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/filesystems | /usr/bin/find | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..md5 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.md5 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.pass | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.md5 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.zip | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.sha256 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.md5 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/ziBY2sRP | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..sha256 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/ziEqCztW | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.sha256 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/ziQQYV1X | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..pass | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.pass | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/Release.sha256 | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.zip | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/..zip | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/xor.zip | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/zieoDanV | /usr/bin/zip | N/A |
| File opened for modification | /tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/Compressed.pass | /tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh | N/A |
Processes
/tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh
[/tmp/X0R-USB - Virus Version - Jan 2009/PackFiles.sh]
/usr/bin/tput
[tput bold]
/usr/bin/tput
[tput sgr0]
/usr/bin/find
[find -maxdepth 1 -type d]
/bin/mkdir
[mkdir -p Compressed/.]
/usr/bin/zip
[zip -r --password infected Compressed/./..zip .]
/usr/bin/sha256sum
[sha256sum Compressed/./..zip]
/usr/bin/md5sum
[md5sum Compressed/./..zip]
/bin/mkdir
[mkdir -p Compressed/./xor]
/usr/bin/zip
[zip -r --password infected Compressed/./xor/./xor.zip ./xor]
/usr/bin/sha256sum
[sha256sum Compressed/./xor/./xor.zip]
/usr/bin/md5sum
[md5sum Compressed/./xor/./xor.zip]
/bin/mkdir
[mkdir -p Compressed/./Release]
/usr/bin/zip
[zip -r --password infected Compressed/./Release/./Release.zip ./Release]
/usr/bin/sha256sum
[sha256sum Compressed/./Release/./Release.zip]
/usr/bin/md5sum
[md5sum Compressed/./Release/./Release.zip]
/bin/mkdir
[mkdir -p Compressed/./Compressed]
/usr/bin/zip
[zip -r --password infected Compressed/./Compressed/./Compressed.zip ./Compressed]
/usr/bin/sha256sum
[sha256sum Compressed/./Compressed/./Compressed.zip]
/usr/bin/md5sum
[md5sum Compressed/./Compressed/./Compressed.zip]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| GB | 195.181.164.19:443 | | tcp |
Files
/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/ziBY2sRP
| MD5 | e2aecbbeb438373e882cb5629193e642 |
| SHA1 | d97c4fbf8de9836e985d7ce7b6fe958363f116d3 |
| SHA256 | dbf2e2dcd1d411933ba8b5720e7f09e6a4c1771e72c3a2f5df764e4d18553b18 |
| SHA512 | 26f91b843da6265d1a870183ab993c57df8e5470198f4572de5cc6b64a682581e07350e3b62d6612d6d5a0f0f98ac41b3d6906a4066897043d9b8f9a97988a11 |
/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/xor/ziEqCztW
| MD5 | 896742a5f71a4797bc53b321ea409224 |
| SHA1 | 690c4fdf1f7f1691edbc1bfb219636dbeee8d41f |
| SHA256 | c8113a497296a2366a64f5223dcb263a12288f17aa8278a4ad0717ca413475ac |
| SHA512 | 2c32c83d72406ebf4b5db3c4edca759696087f24877454854017386ed1656020b72cfb25e7d18d7c0b6d465939d45729e235357975ce7a6662872845a52c080e |
/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Release/zieoDanV
| MD5 | 3b622f888f6c82615dae228d7995d252 |
| SHA1 | 4f96c0b5e5fd11a12180d6ce63fc5796872182e9 |
| SHA256 | 7b1ea2b6a007a737374d52d5bcfcf4465147c87b13d315aa11fabbb7c00d2761 |
| SHA512 | 2a68b7f820c44b279c4ba035dcce747af5cf942aab7bdab52bf31e3e72c44e658bcc50cbd023ea79e3bc7af1e29307c46c9d75d9a11e7a5fa26f13d7b299d26c |
/tmp/X0R-USB - Virus Version - Jan 2009/Compressed/Compressed/ziQQYV1X
| MD5 | 8bea09a77849b7e9667b841f80eaa659 |
| SHA1 | b3cd7671b231d63c22e7e397efef292972243c9c |
| SHA256 | 11aeaf98f734b120a43e02da113d7c9dd190c8001a8b154c7ab751049802f013 |
| SHA512 | 6a670779d69641bbe706f8d3a3fe15f488bd12382da2f59e4bda347512f5d4cd06e24973776f195a022bf4927354d5bb47ff5d713f5a0f44f36a2299863b3d94 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2220 wrote to memory of 1460 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 2220 wrote to memory of 1460 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 2220 wrote to memory of 1460 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 1460 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1460 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1460 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.bat"
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
xor f848 str.txt str.h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\xor.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ae746f8,0x7ff86ae74708,0x7ff86ae74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3730555712411969118,13838363115641504693,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2928 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_1688_LLZYDTVHYHPHUSYB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e300a9e7-bad5-48d3-b7d7-ae29f728aca6.tmp
| MD5 | 5ac251dcb6845c30f14c29612a870202 |
| SHA1 | b8ac247301d809b55c12d16143200d42162e692b |
| SHA256 | 5f0d0a772ed1a98fef536e916f13fcbc9ffd51a5928384d00a59dab8bf84cd09 |
| SHA512 | 7feb63ef64394693028eedaf1e1fade9530a4d998a151f324d8d7b893d62f09b06a9b0cf9790ef1221575f631043933d37afd12a462da87320b66681987c704c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0fe76f5ffbac04f9f458ab81025edc77 |
| SHA1 | 763b2fae85396cf517867c9f1f6242fd8b58ebcb |
| SHA256 | ef6aca6725866ef71043cb50df17285f781445c7bea892cd0c1514f15ed91811 |
| SHA512 | 15926eab79f3c785b9c5d252850a652cded94cd75835137db2eef159535354a219f4f77a31d10c8cecb1f0fa79035e31092261851f341cbbfbfd97a815b049cc |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20231129-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00f0fe5409bdda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424386910" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80754F41-28FC-11EF-87B3-6E1D43634CD3} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cb629ad3e7ba3c469c86a797a83c4d7100000000020000000000106600000001000020000000aa843819c1429791e68d100a87e2287badf7ad68e8589db3a33e5fbbe732386e000000000e800000000200002000000044acd8cb3a2dcac7d7b43819087c741c4e2b19065bb4c943537d472efadc7d0a20000000709f0e64702858c0467edc9773486a6bf9fcd9e9b08bec1cd5b7a63e2b7e7c4d400000009a59ff015ecf6d251ebaee91e879d7b9fe2ff72b9e727b1fc5f4bfb347f8f08038c868db91e832ed682d38bd6c837a6712092bd062e0b5ad341019ff379a81f2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2060 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2060 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 88.221.83.211:80 | www.bing.com | tcp |
| BE | 88.221.83.211:80 | www.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab31EC.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3394.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 136eb8d324f348f89ac465160a91f9a7 |
| SHA1 | 9f9083a0803751f860c3e842442ffc3807c78f1a |
| SHA256 | 5c996bf02d7359bf891c27c6c62ced8a857d8c068c5348a8f975fffe2feca0d9 |
| SHA512 | bdd079dfd01b29c779747f64e7c887a2d8f5d630cbab33f897884ed43dcc3403d21d508ceeb8df6dee2a2b8b672b8892b41b4f7319f1c1d5a1a35ab408cbd9a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 30dff1249cc3ae79a685666cd856b456 |
| SHA1 | 9d8fd9920cf834d231a04e4b664f6860d7d66ceb |
| SHA256 | 81ab7c669db9e711ec58744765c7bcdcf78305f3e70a0725845342131f8a3714 |
| SHA512 | 45ddf8457ddc3077afaf90a883b7f95d7ffe9660143064ff8903f664244ea21004baeb49057e2d99ecbaff9fc5f8d4e6e47d4bc4226d0bfed250039efa59cab9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 117f73805f47e9d19fd18bb48f156193 |
| SHA1 | b50e4e7d2b8008756cdb33cb2d35fffb4d95e897 |
| SHA256 | 7238129325eec529a70821ba6554c8fbcf93b5ccd857e0a3dfbb6cedb14177e1 |
| SHA512 | 24f6908a24bf60004dfacf29f5d5b17347d7f9d602d9738d5c19f79050da85b12cd41d58e8a35290663af758d39c538930a258e70af9ed11452dce50b09e9187 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08ce9b5ef7232e8367e5450c5c566e3e |
| SHA1 | 1041528d8d25cdc409f1097b1e9dcf66c92f7da7 |
| SHA256 | b43630f73c451b24f53007a80b76f87382f76f78ba0dc3228dd2a18259a070fe |
| SHA512 | 03d0ff9aec28909a479f0bdc6200b8b0eb88e74035a691b68857793d4936c8d2af36ce7850fecc3787984390f3490a48cf442532453e4e498094f2afd5f72f98 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5661f5eb761b5e69b08de734f730a2ea |
| SHA1 | 8536c3f9a9fb2a47b35e41a942ac1665b0841ed7 |
| SHA256 | 5c3c58b1755195953c837cba56edb4966c86c97848c76be23948b9c91e9660ea |
| SHA512 | c99e18ff1907295b110cf0defe12b0ab0e6a5ff4c05d4420bfbaa025044f583d0b41047e1eb5881413cb777423e9c8b85f7a1c24cf5f3340ea34b75351437eb8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c170e7741a4ebac0de692db8ebf4b32f |
| SHA1 | 4e90b4307210fc8a053885b8cda1011e3cf01f28 |
| SHA256 | b64c1d2a9d7daa4844fcf78e813ec9ec222561d8629fc697158d5a24461229bf |
| SHA512 | 112221b247ae1e5616a2209f6e581d0d56f6162eba23f63498524dc57f4763b3c7877c2fc7fbff3d7527a98b9455cdfee519bc602cc809f528d75d190f7d368f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 31bcb3dc03941e5143f2d060385bd205 |
| SHA1 | 7874a3f6b3903c07b44f57e22e2786eeba515d24 |
| SHA256 | ef759420a0d4e02f76ec735b25c30c940b13c0c63995d7dcd60c9e708c801dd6 |
| SHA512 | 4242afb724d0c8594e0fffd7aa10c974e33cc1d508662d746cf6bcb205d9939c3ba227489fff2bbcbd7f63d3ced88ec79a61b9c352d419220cb61b715d9451c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b34996a0a7db878ebfd345872e843fac |
| SHA1 | 1126faffe6fb835ff394ce1f27f7df767d3cdbee |
| SHA256 | 648b02ced4c73610728ebb7d7dd85d3a192f28335c27493ea5d4d70d112972fd |
| SHA512 | 67bd2cdc40e3978eb5a459fb7df29367c291c6712bfd4177d706f05d9aa9d9fc3fd48b353a7f2a1445862a6081adc95455f37bc6a4345fa7ab650d78f3b967cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c70a0c6263fadf65270bfb18014f9ae5 |
| SHA1 | 63ed9fe6516185b264b2b60db97ed67767cb7435 |
| SHA256 | b97c5d54be016eb33479e61ab419dcd6b68b1cf3f6abaa96b7a27ecddce055d5 |
| SHA512 | ee145ee39ba7382b312027021ffb09f6f20cff0e9c7cbacd6fed139d46648c1a20aeb49298c4233abccfeff748c3531b27ab725c2f09b10481c3f0e6fcb3a2c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66468966e9776e8b93ebb54f9cc97a22 |
| SHA1 | 91286e1df1ff74b7a94fff6f39beb95366e6d45e |
| SHA256 | 8c6764cf6932765de5815da6b46d3feb24c53b7adff31a98a5e6c1ab2ce7551e |
| SHA512 | 86d9c6c5862c1a42fff21053e3dcdf1cb6e1c7e48b9aa2705022e7b4c4e1e646640dbb6ae36cd291b0e7a9d90628e026952b73f76feab9bee8cfffe80e030fe2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11b3aefd8252218fe15e95255b39530f |
| SHA1 | 148cd4f046885373aee5b4512f3c31fd33183e2a |
| SHA256 | f7e2c2defb578180fea4da56428df283a6fd4eaaea90f3667a819d98c7aa4565 |
| SHA512 | 089c5d37cc1297942475688e8b2fcaa6b6c0f58ab0ceeac78cb0fa85982a8170a5adc188b7d4b8eba7ce53fcf073193d4e45ab1b1e104cdbcc81d52319b5ae9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0179fd12c6fbad3e0abee02504e76f76 |
| SHA1 | 1a7fe15a82e511fc6bf9e334d53862458c5e27e5 |
| SHA256 | ce47d96a78ebb7d18574efd31f9cb7d93129d0e1b8a6f1a4dab72765521d6a30 |
| SHA512 | 09c4ae69b2f216c364180e045e09a4991c190c2a80cac2182de8c72a37300232d349f14b8bf4a3e6298d7b5f5485e633328e4017ea674109e3a966dd1bd8e240 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240419-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
xor f848 as.txt as.h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 2520 wrote to memory of 932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 2520 wrote to memory of 932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe |
| PID 932 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 932 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 932 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\as.bat"
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
xor f848 as.txt as.h
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\xor\Release\xor.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\scofield-usb.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:44
Platform
debian9-mipsbe-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win7-20240611-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 284
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe
"C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\Release\x0r-p.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3028 -ip 3028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
143s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-12 20:44
Reported
2024-06-12 20:46
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\X0R-USB - Virus Version - Jan 2009\bot.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2ac46f8,0x7ffdc2ac4708,0x7ffdc2ac4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12288824179871827647,2844476689991824384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files