formbook | hxxps://github[.]com/enginestein/Virus-Collection

Analysis

max time kernel
331s
max time network
332s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-08-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

10^/10

formbook he2a discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Contacts a large (7864) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/4908-387-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4908-392-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3336-396-0x0000000000BE0000-0x0000000000C0F000-memory.dmp	formbook

Executes dropped EXE 3 IoCs

pid	Process
2852	virus.exe
4908	virus.exe
840	smb-7teux2sm.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 4908	2852	virus.exe	94
PID 4908 set thread context of 3280	4908	virus.exe	54
PID 4908 set thread context of 3280	4908	virus.exe	54
PID 3336 set thread context of 3280	3336	msdt.exe	54
PID 3336 set thread context of 4512	3336	msdt.exe	72
PID 3336 set thread context of 2328	3336	msdt.exe	73
PID 3336 set thread context of 3332	3336	msdt.exe	75
PID 3336 set thread context of 204	3336	msdt.exe	76
PID 3336 set thread context of 3628	3336	msdt.exe	77
PID 3336 set thread context of 2848	3336	msdt.exe	78
PID 3336 set thread context of 3724	3336	msdt.exe	79
PID 3336 set thread context of 1908	3336	msdt.exe	93
PID 3336 set thread context of 4592	3336	msdt.exe	98
PID 3336 set thread context of 4264	3336	msdt.exe	99
PID 3336 set thread context of 3576	3336	msdt.exe	105

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smb-7teux2sm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676937457001210"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\2\NodeSlot = "5"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\2 = 620031000000000009598b821000534d422d45377e3100004a0009000400efbe0959898209598b822e000000d9a201000000070000000000000000000000000000000b2b290173006d0062002d00650037005f00750064006f0074003900000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 020000000100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\1\NodeSlot = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3280	Explorer.EXE
3280	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4908	virus.exe
4908	virus.exe
4908	virus.exe
4908	virus.exe
4908	virus.exe
4908	virus.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3280	Explorer.EXE

Suspicious behavior: MapViewOfSection 28 IoCs

pid	Process
4908	virus.exe
4908	virus.exe
4908	virus.exe
4908	virus.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe
3336	msdt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe
Token: SeShutdownPrivilege	4512	chrome.exe
Token: SeCreatePagefilePrivilege	4512	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
5108	7zG.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4748	7zG.exe
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
4512	chrome.exe
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
5640	OpenWith.exe
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2328	4512	chrome.exe	73
PID 4512 wrote to memory of 2328	4512	chrome.exe	73
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 3332	4512	chrome.exe	75
PID 4512 wrote to memory of 204	4512	chrome.exe	76
PID 4512 wrote to memory of 204	4512	chrome.exe	76
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77
PID 4512 wrote to memory of 3628	4512	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/enginestein/Virus-Collection
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff55f9758,0x7ffff55f9768,0x7ffff55f9778
    3⤵
    PID:2328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:2
    3⤵
    PID:3332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1648 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:1
    3⤵
    PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:3576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:3264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:2412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5316 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:2
    3⤵
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 --field-trial-handle=1856,i,8388154657501888164,16767148793778710346,131072 /prefetch:8
    3⤵
    PID:3576
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\" -spe -an -ai#7zMap1071:190:7zEvent31731
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5108
- C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe
  "C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe
    "C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4908
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3336
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\smb-7teux2sm\" -spe -an -ai#7zMap9603:86:7zEvent26509
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:4748
- C:\Users\Admin\Desktop\smb-7teux2sm\smb-7teux2sm.exe
  "C:\Users\Admin\Desktop\smb-7teux2sm\smb-7teux2sm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\smb-e7_udot9\" -spe -an -ai#7zMap5122:84:7zEvent16664
  2⤵
  PID:5280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\32b3134d-1bda-4849-b66d-8d8f09a9083d.tmp

Filesize
138KB

MD5
ba39262c6f2e5cc756641b874ff0ecbe

SHA1
0cac46076be20179ea0dff2eac1d5f14a599c3a9

SHA256
75f1d77ce18fdf624cf1a4c3a2446213e46407e8ccbedd9f7bbbb52e191afda1

SHA512
d4ed6df4d17983cf0711a3d1b597d6ec96e239fa70ae7a7b56d99fae7c5e8b167c4435c975986484e3125ef3d36c96a1ca6753be8190c55a83b92f729e177354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
576a392c34f2ac86c57624c640a10598

SHA1
2dd2b5b137067fb16671daac34483365e12dbc40

SHA256
fdabfe51e1580a5e136a05945c47186147e66c8b5d43eda2e6d85ea91cd8cb47

SHA512
c350b78b93c4f16b9a94a9b38db6d58d67e6ea6b407c73f91a5c30c2c35cbc1713b95b37399af38a49e249e5427ee2a431e4cae1db1505aebe0940dcf7d43e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bc0870285ccee93902f0bdd4030552d6

SHA1
d6812b6cf4b304c13fa29aea2d4a9a846eb36836

SHA256
e4e762f602a98609cf85fdf80d321f32b5216ad654395e6ce4b3fd89520b5ef3

SHA512
fa230a90ee65213b8e8097fbe81fb9d44f51fa1908412e06e006714e3e936a886b81de0678d8db2ba41c51e831143f21b23a3b2b0282a573cf61e621451413b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
02a1a8573138822920297b0827779a40

SHA1
92f40b105a833560f3d743f8100d82ea63870914

SHA256
85a23029ceeb11024d16b637ae119480309a23ff892043fab21f7597ce3b7005

SHA512
3fb4b532af181a6fd46577fe9b2ceb253a79617839d53445039d74b7677d05a9fef0576aa81d433abb6f56415680937922b4cdd8012722fb5573f2d03cd5a593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1d7e84ae2c4bfb2a2fffca1beadf8729

SHA1
f1186a2ee31faad51f125124843be1d82fe8b17c

SHA256
5f8a4b04a9c0868d68aa730a0c9040e59bd33a7d4886742015a6fa3125aaf20a

SHA512
32853f823d0c0ef7c921160fddccb081442f1752696a61efd9fa6f1609cda0ed7aec2a19b739cf5c2caa6af3c050b4db3a3e3ab1356271fa710d77a14dbaa30e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b8d985edce17a1582eb24408b31f1551

SHA1
67a77f4cf71ad4e67478c531c6fedab66503ff78

SHA256
011e617d9fe832498c3885ac3824f96dc68a050b6a65e600a96ac82d93146ea6

SHA512
caa5e9d50100472da3bad7713477add57aaa191315c515902de1534521b4fc2b315433d391e96e658f679f5e1f667bf4f4ff9bb9e73e9ae9e6bcc5fec3102a60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aaf97ee4bccd138ace6abcb47cebe47f

SHA1
c76fca32034bcf8b3cf723c9762ea14e8caafbea

SHA256
7bc2d5622bc46660ec993df957f9fe3d5dd9bee05ee71ae22e0ed532edeeb8db

SHA512
fd84277ef8d7650d15a3f86e12ee4fd4afb34eece9352e5f4ca54fa132d02e9ddec6bcc5e568b4c1c8eca0c635102fce35050b7dec020d9c33f09867b6513682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bf8c6fced2245ad4f4460e4b1c013011

SHA1
b1e3ffe0c6c52be3a0efae1bdcb68e2e8096f95e

SHA256
ef1983e1dd32db6c8577b1fc2f11a5f0c6860bb85dab9b9dd65f70e4c0fb3403

SHA512
e7093b3dd074ebcd4bf3887e4188fa239d156ea1ed871606afa015992a1657c2ee3cfa762842ce03ae8c4fea4ed8105445142e8c4162cb586c29d74a1800c51b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
daa685a1a563e71cf236b7a9af4589e1

SHA1
2755e081782e4d88eaf43ae78d4f62ae62d5213e

SHA256
da02b3b0c2c8df9e6ef0851e5eeec45ddd6021096f347d0df075c2a8c89447f7

SHA512
ad44daa479566c85223ddd92d62fee8f390b159542027923becd0c24b168f473be0e4dd096fb66563d099dd2f45518db738f0cd8d55e231bbb7c1bb0b36137d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8c4f560feace564ef47d0d2105fa5c76

SHA1
da61634f863a7ac8092448f0f5a8cc3ea2ce5d53

SHA256
7120ed7fe6984e8f35b51f4610190fa26bda8464419c8dba39097b07cb6f94dd

SHA512
a1d0addce3cd56a3e1196561800d499c104070fa69f925c14e00443f429b0fa3e53037854184bf8c8d4e0ef1eaba03ec72abae143e086c161e525acd908b0e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
95f0c85d495bdbef31c8e101c867cab9

SHA1
7fbcb234de7e0227a510089c71fac72cd4359586

SHA256
5a7c37c737b6f0b38987ce82254b46768f3028f3eb488558eaf646cb79529f83

SHA512
7e3455957b41d957579a671b397821b2d9c372f15106d5cd0adbeb2f4e2147358612fb8839cf5d06282c3073d782cf10e20a6f8683b7447a0da494affed47a77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aa2e6a34dc271d1dd82f221451b78899

SHA1
99dff70f01370468999272f5352d9a8de6435ce0

SHA256
b188f759c76f5c68739057d20ea4d72e9d377379692e984f1b3e20d908edd390

SHA512
bafb1623b7576bd3cc73e014586011be9c392f663ce0aa4966d97422d772d22682fbf965730fcf20d273be33d92f6668d5567d8fb39f0ce85a3a6142565aeaaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8eeaaa3ad8648c04768897e2bbfc7bba

SHA1
badcf4145d206db510f37226003c14bb9fdeac82

SHA256
088983ab93558b1afeaf8f8b785f95f17040b83cbe34784fc98504b0e747a6f5

SHA512
d59b1013e026789815d5a56e4297baa446e409e92eed5199f346168108f72ca3ad38b0d199d808d864553bd71fbdb5c3fb7d3dc69dce8ecd136c64e3b39a49a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9c0b71a2ab03e6f2b0fae46a8d297e78

SHA1
f509b11c71d3410148a5fa387b2f2b79529fdd85

SHA256
812d77d4eb7e139aa42a04be0e125203252af0b13d384f37a79ea548eceddffc

SHA512
ee10bc2a6f736a3ab163f1861d853d7f9e6f3406139899548ea1c8cef2cd21453f1a66d490071044c212ca9097e89ac0e08c701721acf0b547941c5f946fe88d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99045fdeb05804cbd1821d9c23fcabc1

SHA1
626b9e12867281ebd971b9f787859203ea39f27a

SHA256
4e960d8772494e6285e7f0a8d3237833a7e1efbe301a9be0ce543559c669da9e

SHA512
823a529b582b290a52ff6af2f9dfecc4af12b8c1cbedd9f5d1e5121675702d2c929b0296ccf72e03cf378b53e540b17600e587fe76e8bc5d68af1d4cbd7c0dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4dfd1a79453ccb486d3f6e01fea9d557

SHA1
36c75cf33c8de9f660119564ff92857f009d2477

SHA256
18e1aee21f4604faac522e20059f0abbb89d12d2f05217d168ad0fe80a7eec3c

SHA512
e55161b221769123217a172ae845858ccf704cd51d77cd87b7ae3f9cb5134050f2622b292ce9b39e47631c31174f8e050a76a00a47efe82a90f53f2aa2d70eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b4f7cd1db0d673bc37511f83e4bc7f0

SHA1
ebe69b6308dd0f0425c914a5c79cc22698e94249

SHA256
6ad02cff51b06f01cad259b59705c5c64f26ea95a03bde4c417ab3d4fbacc1dd

SHA512
272de1222940c808668033ee73c2d232d0343829a9ee664df1a34a348b3224578230227540b00da540b513cab951209946906b42f40e56625c1bae9642406608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0a53c5976bfc385179ba8a9326860ace

SHA1
630a78553f1ddbd3775f9928d56911555a7dc382

SHA256
f19ae56aa5b32187bdd43eb7588f530261c39c0f5d227cbaa79e763941d50f1e

SHA512
188384b8430f619247448f165d015c087de17e1340f579e7e8f3273a1a757d4c2816be6383cf5af95af4f0c995df39183f8ad250075bbdd128a4d293a80f1bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3226d271b1db8460a29e5cb6e48e8f16

SHA1
b4d1ec9e60ef5388d0bb3b6fc4122fcc60fdc8b0

SHA256
4a076d4d4d22362c0658a8722b4d135a6832da2c2c61c7887e2e804874939e3b

SHA512
34d8fb21a6d656a4ed965acfb15c4fd87c4dbb5f997ccc105cd7143db16c25811e4bff8d62ef8a48e380b079597eca00d23269ad217a9353f66d2c3493d4a19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9788a62ea62b81ad8d5f9e9ca1923b75

SHA1
61ac737e0a90d29d758d4b643b7b42fd0b0d86fd

SHA256
28a7eac3d6afc3850b5f63a97ccf4ebf68a098f7d987ddc327a5873f3f83927d

SHA512
bdaa089ca4dad12b1641da813c82c5940eb93c8e1f42b1a6d4d80ed2e9361424b53766e9938e03d81398c10afa42526749b871a0ce48bd1322a7094139132351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b3191517433f7a4de9f4eac5c8d2f7b8

SHA1
9cc504aa9b22855924fca24ec5cfacb3fde758f7

SHA256
f360de0666b6a02a4617eb89d8d4aba5a4d7bf33068e78e0363370e9eca582da

SHA512
68d3f14f39d7f2b4ecf1be1f3aa660260db7b3b166fdb7cb7992cea4c58906b40b30546fcfd8ca3c674cf6bc7e0e23d9cd6ad840f50a18c66f821184c110adbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
75dd429d1903fa0997564d08d2738b99

SHA1
fcadb857b194bd44ac20d27d5e82ce80e87a0131

SHA256
9703a9734e4aa27dd2395bdb1fefd0f02020f10145ba54ccab8ebc5f5dfcec9f

SHA512
e8520829f06b6684d9c2ba09f155f2c26cf1a3c17c2f1ef95bcae020e727f898af32acc0f482dfe80a509f0cdd43ed2b7ca2137792d11786f3fa05d5f1db2b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f407a1b5fa0a5c3d9c6881f0547c9cd3

SHA1
f9bcf1610d8838ab4e242004145b9b109aef9506

SHA256
f74e60cf241626927ab8d71b22ef84e89df5a0191e5062b6315a0a71cde15597

SHA512
57fcb743c7a0429000cfe5d1ca1a75d68f73b58ba6df725f47bb5aad372e7b1e705a69984740d7081e5d8082faaf7336dfb4be0a59c228b088dbe25031dd3b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c04126ce27188d60ba8645ad0efa93c7

SHA1
28658d235644cf705d0e8aab035f88d509729843

SHA256
4632610bbd1ec010ed15e33047da2b5547601e8b6b366353fb974d5144ac4a07

SHA512
21e73f4bf9df7bc1bd7ba3c0f96b0ccbeda36e5311a1617930da67c1c4eabb034385e95b5765425cec2bae1ffa9b0c902230b9d53f03474d7c90d299b992dc59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
e995a940b97e3b5de01c9e8c2f1ff4a6

SHA1
d404e89a4ffbbe35d8bfc63820624a6bb202cf8f

SHA256
6d0af10abd2a6738b1f77bf18fc8ce148d4323ed34a49ad06a8a4828a4bf0542

SHA512
9b72a68d5eb4c1d78d34e48702429797154e6c33c5b99a17e6548c8666ef1488c3b464e089e56cc5bcfcf40f57abe8e4f6beaf744f2e59ef7c7fd1764167977a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
defd0d680f55a5de594ebaa9c855be8b

SHA1
49d56969fbf9ae532ec6fbb2320f62b7b7c5eddb

SHA256
af95d68c89a6c655dd6d4a2595e9678c9fb8214fca15052f15966930bf24bc33

SHA512
a07ad3d2d403be6ccb9330e217081fefcdb0babdc40e2b4ed3a801b6cd3c05ffdc88c56dc1b1111ffdb0f051b5b9a3a4ceaaf3ee7dd775710c9b86eed354b8cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
d3f6e0d1523964c771d03030f3d85453

SHA1
8aa48c036b2e37b2c9c4639af8d5bb5471bedbbc

SHA256
c8094efdd1d3aa46aa7c98780f4c22bb90da855730f9a6f9fb1c49800a39a5f6

SHA512
f8992ef5b0ddbfa38cd86f9837833c83acd5e9268ac9b013ef481d1763ae69a35a05ebf371386b0743fabda03a9c56e22617701e4a1d42d53feb13e08d6f7d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ef5c.TMP

Filesize
98KB

MD5
86b093f56638f2fd90bf364d81188296

SHA1
6b48d3dd51babc9ab9dda75e3b6f406421facfbd

SHA256
5c1fefb658a57c39c9f8b27c210cf382b117ff6749f6ed36788a36bcef122caa

SHA512
fdf02c8541443e0a1d0420b655cf5a04b5a36f7b4ff7973d15d067661ff4524db1f27f77ff7b79fa195480cc3f6d0e0b54f8e69d5d19f204d063e49973fcfeb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
9KB

MD5
9e8e91cc728474d7dba9ae3605b278c6

SHA1
4b10e1073bcd48009aa6a13921468aed4aa571ed

SHA256
1314e6dd1a0e3edc47b8ac9dce447d44a81606a6e97f25ea1bd07e7ba028f168

SHA512
eaf66cdacf045e19c5b981baa699b1daa6d215ed4076a420ee58be446ed6f22d3d222f1fa54eed0f5342cd42adcc0ea29cdfb5f9aed89699b42dd9f434edbeae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
168e5ada8abd16c4ca112fb56a5783e9

SHA1
ef625b7f7fff7a4c75edb2649bac8f2f72a17a45

SHA256
1068d9a497291cc496bb11eff8a2fe64302236e0df28634ff4cc1a7c741fbad6

SHA512
ae3e3703f43cffb38fef6a1205f513ff02bda189830132eca8ffb0270ede71d4294c16183832b139ad764bd44da105405d013c1dd5452d4c4a036d37fb7fc33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
2682a4a45fc4e07e5cffdfeb21eaa1cb

SHA1
3e326a288806653498501a45df6d318e865db827

SHA256
4a4e957509a0467ede0424ed0ebf4f62a8b635cc305734a455d7b19e775c2b7e

SHA512
ba54cd025c4d9041b4d465d37179cf581d8ffb0b2bb9f9a391dd5f1e987e2b71bff540e21809fdfe1055792c74056300f762f1d792966437950fc33f639248c1

Download Submit
C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926.zip

Filesize
610KB

MD5
e0a770e5c5ed4903c32ff47a6d71b85d

SHA1
78a4ea91f7b2d5fc9ca21b5249c7cc6a35c0217e

SHA256
49dbd49df7b81076508c33ef47f629612f801d233f3df079b0bdd62310e64c6f

SHA512
4950f62cef2a5a1df37724e7086f410face15554d1be007f91b60b043a198d72553b3e79111639ba2db42cebf173b8c6194636444c82c5aa20a5e139c4bd8106

Download Submit
C:\Users\Admin\Downloads\f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926\virus.exe

Filesize
713KB

MD5
d0b54047b4e7e283113ab512d979fa6d

SHA1
4333396278663f2b0b8136e8004d527cb7f61aa9

SHA256
f73f985bf2f74cc1006a5e911bbd7940073809b01da2823a6bb1db85288c0926

SHA512
a7acd56514f6bac88cc20e007cd8f3f14e7a2ebcdfe0a7e34d4db319af28abd9cc63f83936cc5ed3a685368ab61a1ec47486e561429b4a3e2aabd13b9660a8b1

Download Submit
C:\Users\Admin\Downloads\smb-7teux2sm.zip

Filesize
31KB

MD5
c28e52d6f37f64d79d4f43fbde9c300a

SHA1
c55ff6edc8b7d6f03032226fd9cd4daa416b97e3

SHA256
542189e321cb0c3a7d0b25ebdb4d9926e0770e49c30791264855b0b9152a95ab

SHA512
f60b247d92fa8e5b1c4e009dff64d32309c9d77343428fc3686885ea409644808d7302428447c23c4dd6137ea326f072628a2df6f5e8e19a729824afd8cc51b9

Download Submit
C:\Users\Admin\Downloads\smb-7teux2sm\smb-7teux2sm.exe

Filesize
56KB

MD5
f024ff4176f0036f97ebc95decfd1d5e

SHA1
010c623120a373b1a8e6d9339540e0cfe745b574

SHA256
7b2f8c43b4c92fb2add9fce264e92668dac2530493c51c5d6b45dcb764e208ed

SHA512
d52ddb217f3a6bbaa7bde6c9a268720bf7d055796dafa7687a06533507727a05ec45a0dc08d8b3e3149ddc53bb4f6c1cffce2ce71f80d05b49177a390995fd50

Download Submit
C:\Users\Admin\Downloads\smb-e7_udot9.7z

Filesize
10KB

MD5
b26de71f61fa6530ee2b614d1b1c1d40

SHA1
d0501430bbe913025c8b9b6bdbd7670508551d20

SHA256
fd39137c11daf4d8c11cd8694e25573eb840db8e9f7f17266708b49d955c2d4c

SHA512
9d33678452a08708f03ae8aaaf8d3cf35a9d1e28c777a74a7b174d72641bf3b487d11b1b781d2790e77113f705553105b2cb980afc9a5c9471ecf5b59836a082

Download Submit
C:\Users\Admin\Downloads\smb-e7_udot9\smb-e7_udot9.tmp

Filesize
32KB

MD5
6be1469c40cc9ed1f511f16329dd5517

SHA1
0452c7919790930df7f0755e221ef8a9910848a0

SHA256
a1c3eca09d4f390a729baf3f30db068ff12cb29e170337223d58696428a2fc61

SHA512
ef485e69bb9c9b48dac4b560a82e7a325399005b7e63db88fedcea888107c70d4a6ff6c9cabb6398966431e9c53fcbcb08f5595fa3e17f8319e1742750935208

Download Submit
memory/2852-386-0x0000000009110000-0x00000000091AC000-memory.dmp

Filesize
624KB

Download
memory/2852-385-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/2852-384-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/2852-382-0x00000000053E0000-0x00000000053FC000-memory.dmp

Filesize
112KB

Download
memory/2852-381-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/2852-380-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/2852-379-0x0000000005700000-0x0000000005BFE000-memory.dmp

Filesize
5.0MB

Download
memory/2852-378-0x0000000000750000-0x0000000000808000-memory.dmp

Filesize
736KB

Download
memory/3280-397-0x0000000009460000-0x00000000095E8000-memory.dmp

Filesize
1.5MB

Download
memory/3280-413-0x00000000070C0000-0x0000000007232000-memory.dmp

Filesize
1.4MB

Download
memory/3280-559-0x00000000042B0000-0x00000000042C0000-memory.dmp

Filesize
64KB

Download
memory/3280-561-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-562-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-564-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-567-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-565-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-566-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-570-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-574-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-573-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-577-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-576-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-575-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-580-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-581-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-582-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3280-583-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/3336-396-0x0000000000BE0000-0x0000000000C0F000-memory.dmp

Filesize
188KB

Download
memory/3336-395-0x0000000000DD0000-0x0000000000F43000-memory.dmp

Filesize
1.4MB

Download
memory/3336-394-0x0000000000DD0000-0x0000000000F43000-memory.dmp

Filesize
1.4MB

Download
memory/4908-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download