xorddos | hxxps://github[.]com/mandarnaik016/Malware-Vault/blob/main/infected/infected[.]7z

Analysis

max time kernel
112s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/mandarnaik016/Malware-Vault/blob/main/infected/infected.7z

Score

10^/10

xorddos aspackv2 botnet discovery downloader upx

Malware Config

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235da-779.dat	family_xorddos

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023631-953.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5640	29d9976d73aabf191eafe0f8b045cc85.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023660-1047.dat	upx
behavioral1/files/0x00070000000236b0-1331.dat	upx
behavioral1/files/0x00070000000236ce-1391.dat	upx
behavioral1/files/0x0007000000023725-1565.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
47	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29d9976d73aabf191eafe0f8b045cc85.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3364	msedge.exe
3364	msedge.exe
2352	msedge.exe
2352	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
3348	msedge.exe
3348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1300	7zG.exe
Token: 35	1300	7zG.exe
Token: SeSecurityPrivilege	1300	7zG.exe
Token: SeSecurityPrivilege	1300	7zG.exe
Token: SeRestorePrivilege	5608	7zG.exe
Token: 35	5608	7zG.exe
Token: SeSecurityPrivilege	5608	7zG.exe
Token: SeSecurityPrivilege	5608	7zG.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
1300	7zG.exe
5608	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1704	2352	msedge.exe	83
PID 2352 wrote to memory of 1704	2352	msedge.exe	83
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 1432	2352	msedge.exe	84
PID 2352 wrote to memory of 3364	2352	msedge.exe	85
PID 2352 wrote to memory of 3364	2352	msedge.exe	85
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86
PID 2352 wrote to memory of 4840	2352	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/mandarnaik016/Malware-Vault/blob/main/infected/infected.7z
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbe2f46f8,0x7ffdbe2f4708,0x7ffdbe2f4718
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,18384949799095677888,14333065103661114235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1300

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30430:76:7zEvent960
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1300

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\infected\" -spe -an -ai#7zMap3950:72:7zEvent11082
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5608

C:\Users\Admin\Desktop\infected\29d9976d73aabf191eafe0f8b045cc85.exe
"C:\Users\Admin\Desktop\infected\29d9976d73aabf191eafe0f8b045cc85.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
497a78049cc32a2bfb7041a25d2ccd2f

SHA1
e18427138fbb63bed6d15b92c5ed5affffdf7f01

SHA256
8cb5fcb9964b4e2ecc057a87b4c4d69b2b4fd52b8e6bf58b01b84cef83cb6417

SHA512
ad46ece31a586170671382ca49a84651e6d1610505863dbb8abc0c3587fc6a66518da3e17056677c52669eb76f5bf290c5c2447993dac852ca19a21ac2bfbae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e5d3eb00c88bffa2b4608456e7c4888e

SHA1
5bdfc5b498c72d0a8259993eafef39bf01063b8e

SHA256
597c83555d2fec1d0beb21772dbbbeb2385d9abc996cb697699a3171774c1ddd

SHA512
a04958d5c356da3d897cd56051556fa7c5e85766ea27f74a4cf139ed872ad9a5cf7fce413476312a725fc0c218dd287936f79be9ecd8f7d478c07546b82367f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f111cf2c02cb622deca9806e2a8d17f

SHA1
5101fab72c9e318d5565174809e17c7f72d795a3

SHA256
8cd506b18212ec59ecaed45df6760d2cfa0d863d9b1311f0a52bfc04b3de1a83

SHA512
f1ee9c6afbfc01a00968c44513c78984c1b527da5bd586d09d76565bda9b8ea37967319f5660f2532d27ff80098db91a5a0d157165804c8c72712fcbcb537b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8ad08a0eb032b598984f8e3e7191f2b

SHA1
e3e42e82c3d0fbe9a4aa471cf406bd4ff5297666

SHA256
dd72f6bd73f36e7b992b2224e32d2cfba296228247c57a2b1fd31616ad572273

SHA512
872067736526885ac0cd2b636ff208437eb4a966dfb0875ec31048ae20fbe6e503caf9c5e36c4549ced205e63878bc750c9fb68ede1203634b91429f576f365a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50170c562741169b2c070ec385711685

SHA1
d2d475fd8eaa6102418dc2d89033d397108749f6

SHA256
be86b3ad71f5cfe0dab6cf1c85e2b45d40622128c83afb074112eca0af77fe5e

SHA512
cb0d936c85069b7b5b6dc7a6dd3c65d2e46cf31166d54dad7206aadf10d1fbc6eda7090c2086bd472a9eeb59e66276a4ec5ea6f3462517f061f523aed0e35872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc515992f6449f8f328ae3a5365d85c1

SHA1
ed12742c3fc8f0890e429c56911055b3df946bd3

SHA256
1f047cbdb4f616c88bbf0743e91ae4afe6bed80b55368e064072e0dd868e0878

SHA512
26a89a28e68047ba75d01107b8a072e275ee18e56ceb110faad3e8422e2a49ea644bdfbbe094542039ef073c0c535e2881b532c10977ec3e31acee3ad997b03d

Download Submit
C:\Users\Admin\Desktop\infected\022aeb126d2d80e683f7f2a3ee920874.vir

Filesize
64KB

MD5
022aeb126d2d80e683f7f2a3ee920874

SHA1
b71b6d9af65c6afc4af9d546a330c097aafe3592

SHA256
bdd816b9d85947b9bd7f2462d6b177dd6dadfe83723fd4dde4eded130177b218

SHA512
e0d818f432431b8b40b303d79526001adc7f71f86a565f2dacb459094f47f3ef1711da8c3cb34d13b2bd91b69542cb079f54af952ac2697778ee2b7c5d087de8

Download Submit
C:\Users\Admin\Desktop\infected\1058d6b45a81fec42cedc802f7532e73.vir

Filesize
571KB

MD5
1058d6b45a81fec42cedc802f7532e73

SHA1
386933f8a2d7c2199f81a3e55a0b6ad30ad20209

SHA256
e7117a85e809d88e5ac81a7abc0d137b23105fa7a8c0d9870dc0e4507dd0449a

SHA512
a193bcd3c3cfaa309188913799a5e14d3df9bf841b3c9094cd49edfdbec952bfead994c872f4f79dbc760367668acb5512315b26cab3524d911efa3b60dac846

Download Submit
C:\Users\Admin\Desktop\infected\29d9976d73aabf191eafe0f8b045cc85.exe

Filesize
840KB

MD5
29d9976d73aabf191eafe0f8b045cc85

SHA1
8332c39e496873afdc4fd89210e293204b085a63

SHA256
dcf103b03ea1c41a8b40f788b2920177f0d39f27af47452b6a1b2c9fc345dd6a

SHA512
3ff3b6bb06a8c0bfd2793460e197ab45559f6176998006d711ada313bc27a16f16ee873692640b6283b77cd6ae75a8f72479780705fbe5a02a03f5a275f40002

Download Submit
C:\Users\Admin\Desktop\infected\35e64435c1f7485c1420782ab35ed9d1.vir

Filesize
73KB

MD5
35e64435c1f7485c1420782ab35ed9d1

SHA1
1a18d6ab1ddd0b05d5669240f166325ecb779263

SHA256
9e22ea3d372e09aa76ae4636d1ba6f7d12a9cf27796c049b059a5046aa172c9e

SHA512
8cefc5efc81f8484a3150f8c1ffdaff1a4576450c89a6c84b84e8aff6b2fcede217699c39129b50efe010b97db36e65beb2c009c17832e4829013104932e5d28

Download Submit
C:\Users\Admin\Desktop\infected\3d5ab96756560f36994136c16a9838c5.vir

Filesize
231KB

MD5
3d5ab96756560f36994136c16a9838c5

SHA1
14fbd65bd365fa3b88c104e13283b0dad3c2a4be

SHA256
b8bf38171afcdf64cb96710920acc0c1bfd26253fd940936363ab1cfdda71983

SHA512
bd7a53ef05231eacbe52be046b58a8b4f85a664cb022e4ca5ba3249bcfe143542cf414c097f7650191b20de13a62eeac2467beb741cc7ec76f27fa05a8137f4c

Download Submit
C:\Users\Admin\Desktop\infected\4fad5d8d6916c143cfafd7cee28bc8a0.vir

Filesize
62KB

MD5
4fad5d8d6916c143cfafd7cee28bc8a0

SHA1
ba427d47267eaff3ab95e9f00f421d5c66089ffd

SHA256
2aea9948a90317e19d25f21544a86aa1fc4e0dcf6b42d340ab7a6a2f90102b50

SHA512
ecbdeb0f319bccfaa430d9456d111eb0c0db531faf02d61deeeec168b51b44fe18973a5c74d1c638eb761deb7785e0f9efd2b143bf2a4d148ea67e7575bbc805

Download Submit
C:\Users\Admin\Desktop\infected\5ab68ecc6f6262c76fc1875972a508dd.vir

Filesize
1.1MB

MD5
5ab68ecc6f6262c76fc1875972a508dd

SHA1
dac088cc4ef5377efcf81a325c8516e71a792672

SHA256
aff22363942228229a1b40a4581f5e0593714d553ed5f2ea7aae15612b28142f

SHA512
e0837b8ec1632bc3493d79236dba2bca402f1d77e5ad9814c5df6f8b59115f69b71189a8d345df0ad32ed01e78ac3d151741643669ddc23595d9f74b7b7731d3

Download Submit
C:\Users\Admin\Desktop\infected\5abc252c08a16448078abec3c1f311b0.vir

Filesize
53KB

MD5
5abc252c08a16448078abec3c1f311b0

SHA1
8ff0110a8c61398c8af9d21be0ae4ffdf8cab932

SHA256
8b854fb75db458cbcca911835aa878a3ef096a280a40f7f5cf263c5ed79c0b81

SHA512
b5788bbed8ccf77c8311076fce1bf3c41a075f24e2491de0e71f55649c98b4f4814bfa2ce55ebc420c75dd4b1c43afc6306359f153ef691cdc28e0d309823bbf

Download Submit
C:\Users\Admin\Desktop\infected\8604a418e5fd6ca1e08e7381e0814a20.vir

Filesize
90KB

MD5
8604a418e5fd6ca1e08e7381e0814a20

SHA1
1e01465dedc5136101b09087ad18d0e9fa7973e5

SHA256
726fc31dab1d5d4ad6dd89d75d8a722f96ec4476928671788dee4d4db889cec0

SHA512
52d8776a27d7c6187df485ebd6dda481a6ad2a81059c6115f8bbe42b6c3fa730ece5540637de95be84bd328e6337466e750eabfc98714e5ccc455e617d4becf4

Download Submit
C:\Users\Admin\Desktop\infected\8adfc3cc5e225440684e74b7f7994933.vir

Filesize
1.1MB

MD5
8adfc3cc5e225440684e74b7f7994933

SHA1
fbc72c5bc436a7565d994886e238b80731e373b8

SHA256
746fd8e299a5542658c051d08765f327f3c3e48248698a29cf57f151a282b157

SHA512
e9dda159470640c11a6832f8d6be355d90b32c9c1fa7b938b47fc37fdeb459ccb17a8edeed8e0c065f107c7b04eed4b8dea5290543564a7732d3ae8c4c57acfa

Download Submit
C:\Users\Admin\Desktop\infected\cb75be331a7b5cb54bae9db9f4ca643d.vir

Filesize
977KB

MD5
cb75be331a7b5cb54bae9db9f4ca643d

SHA1
789ccb024361d7a4911dfc77bf1c93442491c3c9

SHA256
8366aea8087a354cbd178f920770b35d785f988ec3649bb7e282d1e3272a6b77

SHA512
d16e503bb8434c324976747b9f90092fafdaafcc877c588b18c8d1c14c9d813552389dea496a1b2cacaea4e2ebfdec6a630c68e44c645d1a25da9076e6f4c32f

Download Submit
C:\Users\Admin\Downloads\20ca1f8c5fcf963fbbb10b527d041847.vir

Filesize
252KB

MD5
20ca1f8c5fcf963fbbb10b527d041847

SHA1
e6444518f375bc8d874d221d7f5661e80f740662

SHA256
393ecb019a145a62b32efee66c6086943945e869f848b42d4c72f4a0d3fe3ba3

SHA512
a0a78c8ef3793fb631ca3da1cbd49f517c360301d07db352228ceb30458db520402bda28784ebf6371592743f16e3dcf5034997c01806ff71b7b6bbef58d93a6

Download Submit
C:\Users\Admin\Downloads\2a6db6ab86ab610982ba517dfcc73d91.vir

Filesize
420KB

MD5
2a6db6ab86ab610982ba517dfcc73d91

SHA1
06969d60c0c153f4a4cfcd32417d02498948c019

SHA256
88384f143df60d5ae4a2fcee570d867754c292efd96f2bb90581e8af7ac6bb58

SHA512
09fa8e1ab24953595a26f4c9575265b8b953a9492145d75f0a3a09e4e62210ff65dd30f02335f4111e27d523368a7a8f5f24ddfeec8e8b1bed77020dc3798651

Download Submit
C:\Users\Admin\Downloads\2ab252c9b35bb25faabb4312f5df87ec.vir

Filesize
156KB

MD5
2ab252c9b35bb25faabb4312f5df87ec

SHA1
b6e17906d46b5c72f20851d665bff0bd3e7a89b2

SHA256
ef488003dd1a25457db9362cdd4b0747e441f7e8da37053b0318a0e205f575f0

SHA512
7dfc7b04d63489718eda236faaf65fbdeac0b76777ba2316e7526d973c605117b543629a260172b7b801b995bd9a6ee7bd1bc1ed709f000181dd4a2445dd2d7c

Download Submit
C:\Users\Admin\Downloads\558b05e59b333aef5224e1da7d03f2e9.vir

Filesize
120KB

MD5
558b05e59b333aef5224e1da7d03f2e9

SHA1
d68e616cbf0b22680de34c4d3615cbfc866176bc

SHA256
55120454e6afa0416c07b905d38434768542cd93b36279bcdbc0a894854b7d11

SHA512
5ccffff98ac76452c802ff92cd566fff0ede3312ab2fcf5e379906c20412c56d4f6a5be71c2bf9f2cec90ec718fcef3bdfc321e6b969e556692c5f3b2d1d3fa9

Download Submit
C:\Users\Admin\Downloads\6567ee3c90682ce956df2af88ac6d0d0.vir

Filesize
61KB

MD5
6567ee3c90682ce956df2af88ac6d0d0

SHA1
b907e266b4af7cdd5fe96488cc365fc4e41e31f6

SHA256
63bc229bdc039252c49a63b31d8c3a73542535c51153e408de55c8490a3ce24d

SHA512
23fa8de59c14c2abeedf6ba16dbcb15bc0f1a065335bdb57fe8cd42005197c5cba748af3ebea39f61c74583c45479d88895b93e797145af8a3de5a8e93929acf

Download Submit
C:\Users\Admin\Downloads\6fdb9a5243232703b13cadc5cccfa253.vir

Filesize
288KB

MD5
6fdb9a5243232703b13cadc5cccfa253

SHA1
694d077a54a46daee4880633a38e0804fca88060

SHA256
16f97b141fcce54f677ab3c97901059705244b5e09f5c353b3ae99bfd9c8aa45

SHA512
929df3212c7e7222008e8e944e5a778582aa09c18e0afbaf4fa45bfda617dfa0d8a9a9381c4ab0ae7b7c75168b295483930326e0a7ffe2e3fb7957dab4a05e67

Download Submit
C:\Users\Admin\Downloads\8b71967467522258a92a8d5dd734d565.vir

Filesize
120KB

MD5
8b71967467522258a92a8d5dd734d565

SHA1
5b40b3789f5fd3ba26493fd7a6b4c46848941914

SHA256
ee9a580245ff7bf4465b122a2bc3ef9c731daeb06897ea34579c009bc9fe988b

SHA512
81d669c56464d2c3c302360bbeafa5a7443e20c3cd4dfb80cc3cd28b736434d2b66789bed02571c4ff62a91e82bc811edf38202a4f3fa135e5075550d2035450

Download Submit
C:\Users\Admin\Downloads\8d1d6e7c36bc9c97338a71c862dc52a0.vir

Filesize
153KB

MD5
8d1d6e7c36bc9c97338a71c862dc52a0

SHA1
ea0cd6c2983a4fda97302cf338b3fbac20a3cc1e

SHA256
636f404892310f7f7cbffd013d5ebd5895b309af2b0bb18814e52c5548e4d4a6

SHA512
fe89091867ddfb2e9b8a94edaf5c5d56d61fffa5dd9f604013ebfd19498625d5d0a8c7db0ae4c215bbe00c2c6682a90137abc91de24c89d16dbcd0f961194923

Download Submit
C:\Users\Admin\Downloads\8e300a75d4dc0bb5ad7ca16f3b982c4d.vir

Filesize
1.5MB

MD5
8e300a75d4dc0bb5ad7ca16f3b982c4d

SHA1
acb3a0014a41c7002507281fa203051c2bfd6df7

SHA256
0e6b7297e0d268689c958889a39733a7367e6836eadd82c475f577f26b64d7de

SHA512
f0f5b84911bf027b2af783d10b23e2711a43fa7492dc7058d0a64bc109f06ed5f4f32c82bea73861c3786956783c7bd73cff5d1c359729a1a672dbb5312c725b

Download Submit
C:\Users\Admin\Downloads\a99c10cb9713770b9e7dda376cddee3a.vir

Filesize
611KB

MD5
a99c10cb9713770b9e7dda376cddee3a

SHA1
1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

SHA256
92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

SHA512
1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

Download Submit
C:\Users\Admin\Downloads\cdb1365059c0e4973843dc0d0955bfbc.vir

Filesize
3.0MB

MD5
cdb1365059c0e4973843dc0d0955bfbc

SHA1
eaa991e3a9c57302f31ac5faba09d7f00f65c8b6

SHA256
1a880b81f53f4c162e7c90d098c185da9cc936988f0ea4fdb278c661d68f9996

SHA512
17d136b87efde90b50daccb84bd85dd09706af14ee5a2a963655ec2df06aa3173915ccb479010098061dbf079c716197d6a311eff3b0c722daf46c00295af4eb

Download Submit
C:\Users\Admin\Downloads\d11cb523b9e2dcedff41c5346a48cc1f.vir

Filesize
180KB

MD5
d11cb523b9e2dcedff41c5346a48cc1f

SHA1
ed5458e2e82effe7c2eef1123956e108ed71c4e1

SHA256
7b86c29435cd174c8ac5bd80e5b77206d0fb7f95774e85ff407e644e0f46fae3

SHA512
28a4e41a729cef7f16a82595e9c69b70c0836a44c66b7381facb904a2845f403a53b39e1ed76ccaef6571eed029f158c343486f2f16b6b1103623efadcd852ed

Download Submit
C:\Users\Admin\Downloads\d1955d1092f0615321bc60e5abd0d8cd.vir

Filesize
2.6MB

MD5
d1955d1092f0615321bc60e5abd0d8cd

SHA1
7e6d20b24d216628f0e7f81015a4f518af075575

SHA256
e1c0d8c1dddbf7cab773d14a60e8e342456a7c80f4b8cc7630927824506819a0

SHA512
cbf7c61868f9a97bc2aa2dc3b72f0227024e7bbf1d0e0c6f899408e6e7fd9202912c817a32bb6d917f1caa27be7c1749eb4681f91edefcfe41a31ed87fc57b14

Download Submit
C:\Users\Admin\Downloads\d872770d3857a675142f706098e45fe8.vir

Filesize
1.0MB

MD5
d872770d3857a675142f706098e45fe8

SHA1
22ac9e35784e8804a1631556bbfca4801a92b322

SHA256
4f5ad84afbc4c814cac687912c528bbb0b6b926f94a0d7352fdd72c503bb6c61

SHA512
3c55158a2fcf92e20d2498c76c12ae887380b6b6293a83992e5c60e5df2c140b06b45c2f367de79fa961e5cfc8f46ed2c472d70c6fc0c5eb26263dfa7b11ab75

Download Submit
C:\Users\Admin\Downloads\d9985f2669dadd11b529f6492198bde0.vir

Filesize
2.8MB

MD5
d9985f2669dadd11b529f6492198bde0

SHA1
401cde3ac2615da2ac121a297a79877e133ceacd

SHA256
227471b4cc68a25874e21e585bdcdf4e42905a291f293f8c549499df0a6cda56

SHA512
a2b53bcb111f326e5475013a0b5babfb95e2edbecabd7bd8120618cbb74a14172e39e5d0db2af6fc6776ec25992fc36634485c177a4f40ae84ec5a2d622c5c84

Download Submit
C:\Users\Admin\Downloads\dad3b507b3519774672e6221a254f560.vir

Filesize
138KB

MD5
dad3b507b3519774672e6221a254f560

SHA1
6a7715c7615db96a73d41f32d0298a476c54d46c

SHA256
64fe980df1cb38cdd29a1d27b70719241b3052281795fd1654638ff47e37aa27

SHA512
85691b29b64b985d0e55872e52e6de7069a9f60b9f4ff1a7795c90290ae9bf06c9379dc857685041635ebbef50ac5e3160cd74ca2bde49037d5e92ee1a198264

Download Submit
C:\Users\Admin\Downloads\deace9a9a08bd89616a9cc3ca1bac700.vir

Filesize
745KB

MD5
deace9a9a08bd89616a9cc3ca1bac700

SHA1
3ed1cf370a297fb653a8331ad370ba6f9f8c919c

SHA256
29a0b87b8495891215d3f7f2d9a7299ff5ad1c78aeecd078a4ee22c67abca3a5

SHA512
695612512c2e6eefe24610cd1f7271e79a4173d8a0046da14a5f90b847717b468211f4ef0bbf361fea954ff1491afc42ebe71f64d54fb269a3bbd7210f2fb30c

Download Submit
C:\Users\Admin\Downloads\f77f8f2151012a32813ed0181c205882.vir

Filesize
560KB

MD5
f77f8f2151012a32813ed0181c205882

SHA1
6d652b36b38fc352060050f2608975749aae32b5

SHA256
dbd4052fc52d018d93db9ace8d02f3642320305677e070516fdcbf7effa34d82

SHA512
feec9974d0f5f3dc927d22b075d3dc7a3f7d33ef24d111be7d428a287dc3d604f14714a81144eb8ade7677d68a79c474083c2838e2c7735132dafdf4face5581

Download Submit
C:\Users\Admin\Downloads\f9d77633d4548da678bd382fb41d33c7.vir

Filesize
484KB

MD5
f9d77633d4548da678bd382fb41d33c7

SHA1
18da4ee8292d3c3ef91a27ea3812802ab91a001a

SHA256
736e213b45a7a12511b3a7ce3aba2510996802ab14ede208817e85eb38e14f1b

SHA512
f8f965383b7e706ccbc959ecdc6365abc6a415c560b0e8bd9dd913b4e53116565779d89ea9f079775aae434d0682399b104bc3beb99962bc9ea05470a215dfa3

Download Submit
memory/5640-1953-0x0000000000130000-0x0000000000208000-memory.dmp

Filesize
864KB

Download
memory/5640-1954-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/5640-1955-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/5640-1956-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/5640-1957-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/5640-1958-0x00000000025A0000-0x00000000025B8000-memory.dmp

Filesize
96KB

Download