xorddos | hxxps://github[.]com/mandarnaik016/Malware-Vault/blob/main/infected/infected[.]7z

Analysis

max time kernel
176s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/mandarnaik016/Malware-Vault/blob/main/infected/infected.7z

Score

10^/10

xorddos aspackv2 botnet discovery downloader evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0c80a0ef434aaecd6b1c888567935b97.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0c80a0ef434aaecd6b1c888567935b97.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	0c80a0ef434aaecd6b1c888567935b97.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Downloads\infected\0c80a0ef434aaecd6b1c888567935b97.exe = "C:\\Users\\Admin\\Downloads\\infected\\0c80a0ef434aaecd6b1c888567935b97.exe:*:enabled:@shell32.dll,-1"	0c80a0ef434aaecd6b1c888567935b97.exe

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023601-787.dat	family_xorddos

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000000072b-1311.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023658-961.dat	aspack_v212_v242

Executes dropped EXE 6 IoCs

pid	Process
2244	1aeafca9c4bea73a32043a8a5343d940.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
2024	315ba5897e7724dfaae1225221d37523.exe
816	ProtectShield.exe
3948	177e77d48bdf6424eaf0bbbff2905236.exe
4908	177e77d48bdf6424eaf0bbbff2905236.exe

Loads dropped DLL 41 IoCs

pid	Process
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
816	ProtectShield.exe
816	ProtectShield.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023687-1055.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProtectShield = "C:\\Program Files (x86)\\ProtectShield\\ProtectShield.exe -min"	315ba5897e7724dfaae1225221d37523.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\K:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\R:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\S:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\W:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\E:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\G:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\H:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Y:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Z:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\U:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\V:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\X:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\O:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\P:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\Q:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\J:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\M:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\L:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\N:	0c80a0ef434aaecd6b1c888567935b97.exe
File opened (read-only)	\??\T:	0c80a0ef434aaecd6b1c888567935b97.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ProtectShield\uninstall.exe	315ba5897e7724dfaae1225221d37523.exe
File created	C:\Program Files (x86)\ProtectShield\ProtectShield.exe	315ba5897e7724dfaae1225221d37523.exe
File created	C:\Program Files (x86)\ProtectShield\license.txt	315ba5897e7724dfaae1225221d37523.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177e77d48bdf6424eaf0bbbff2905236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1aeafca9c4bea73a32043a8a5343d940.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c80a0ef434aaecd6b1c888567935b97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	315ba5897e7724dfaae1225221d37523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtectShield.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023527-1100.dat	nsis_installer_1
behavioral1/files/0x0007000000023527-1100.dat	nsis_installer_2
behavioral1/files/0x000700000002354c-1345.dat	nsis_installer_1
behavioral1/files/0x000700000002354c-1345.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	1aeafca9c4bea73a32043a8a5343d940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe = "7000"	1aeafca9c4bea73a32043a8a5343d940.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
4600	msedge.exe
4600	msedge.exe
3744	identity_helper.exe
3744	identity_helper.exe
1624	msedge.exe
1624	msedge.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2244	1aeafca9c4bea73a32043a8a5343d940.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
2024	315ba5897e7724dfaae1225221d37523.exe
816	ProtectShield.exe
816	ProtectShield.exe
816	ProtectShield.exe
816	ProtectShield.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	64	7zG.exe
Token: 35	64	7zG.exe
Token: SeSecurityPrivilege	64	7zG.exe
Token: SeSecurityPrivilege	64	7zG.exe
Token: SeDebugPrivilege	6072	0c80a0ef434aaecd6b1c888567935b97.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
816	ProtectShield.exe
816	ProtectShield.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2244	1aeafca9c4bea73a32043a8a5343d940.exe
6072	0c80a0ef434aaecd6b1c888567935b97.exe
816	ProtectShield.exe
816	ProtectShield.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1216	4600	msedge.exe	83
PID 4600 wrote to memory of 1216	4600	msedge.exe	83
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 3232	4600	msedge.exe	84
PID 4600 wrote to memory of 2532	4600	msedge.exe	85
PID 4600 wrote to memory of 2532	4600	msedge.exe	85
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86
PID 4600 wrote to memory of 4400	4600	msedge.exe	86

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:808
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3044
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3836
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3928
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4084
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3676
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:924
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3724
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1068
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4492
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  2⤵
  PID:4224
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  2⤵
  PID:632
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1448
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4408
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4472
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1832

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2684

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/mandarnaik016/Malware-Vault/blob/main/infected/infected.7z
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb538f46f8,0x7ffb538f4708,0x7ffb538f4718
    3⤵
    PID:1216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:2708
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:2996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
    3⤵
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    3⤵
    PID:4900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11156578011855523091,12561960648405869134,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2436
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\infected\" -spe -an -ai#7zMap20664:76:7zEvent28676
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Users\Admin\Downloads\infected\1aeafca9c4bea73a32043a8a5343d940.exe
  "C:\Users\Admin\Downloads\infected\1aeafca9c4bea73a32043a8a5343d940.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Users\Admin\Downloads\infected\0c80a0ef434aaecd6b1c888567935b97.exe
  "C:\Users\Admin\Downloads\infected\0c80a0ef434aaecd6b1c888567935b97.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:6072
- C:\Users\Admin\Downloads\infected\315ba5897e7724dfaae1225221d37523.exe
  "C:\Users\Admin\Downloads\infected\315ba5897e7724dfaae1225221d37523.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- - C:\Program Files (x86)\ProtectShield\ProtectShield.exe
    "C:\Program Files (x86)\ProtectShield\ProtectShield.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Users\Admin\Downloads\infected\177e77d48bdf6424eaf0bbbff2905236.exe
  "C:\Users\Admin\Downloads\infected\177e77d48bdf6424eaf0bbbff2905236.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948
- C:\Users\Admin\Downloads\infected\177e77d48bdf6424eaf0bbbff2905236.exe
  "C:\Users\Admin\Downloads\infected\177e77d48bdf6424eaf0bbbff2905236.exe"
  2⤵
  - Executes dropped EXE
  PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1852

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1464

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ProtectShield\ProtectShield.exe

Filesize
751KB

MD5
c4cff103d7f12b02b9646ad790e38857

SHA1
a9523b9eba7944e6d8646fc171d331144edf43ee

SHA256
337ed0906df8a97ca698da0c44499150908139e72223a647bf75204393519d1e

SHA512
018d4aee418a4177619f44e45623529e50305eb70ef7fad7459bc4ec75201054d4cbd5f3f7e69537d15b50ddc667cf622537204dccd492bf3d034f76f7e07a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd94734cbba82c0fa55ea086db0c2659

SHA1
873b8d2da0b7cbb031c77e627f2be8dcf06008cf

SHA256
f74c28a8e56de10168822ea471fba269d217476a1417de6c96845d1030ef6fe8

SHA512
657fd1fb203aef05253cfc498c7571be5525b1850a89ab43f09ab15bec3f3529d5bd538ec4a802abf7b49a4904043e3b554f69d9f7a1d56cf70689d199bde639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c70e1f56f149bef61f692377c8309f34

SHA1
5e5846e7a6746a56b569ab8bf59dbd8427b55bc9

SHA256
0a0f613fec0fc38e1277954b763e1f74fb6457e0e0e3f6c4da49f233ff811a3f

SHA512
03b00ebee8f873303075ca53fe98c065d123d45678470a78843c24bc0080c15db2d5bd0e8eff6806f5b9c853b8eb6415e385ddf9c506bd1fc85183c76e361057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64609fcffdeb3ffb8e079488772ae307

SHA1
7e2b5322ef7061858f9d72296efe80ab81a4d53a

SHA256
fac34c71088bb95e9b611108b834afc6f78de6ce9e4c438c56d0c93532e595f8

SHA512
7ae2a690a47e69860b71ce858bcf77174bf9327d0adf8246562e9d75b47a1d2fc634bfeed08ce0b0e94b18872442d90194e0fd097cf04baaea8595ecfb047aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f43709240138fceb33305f8ba7f9fea9

SHA1
b3be072d453c80131db651315a8ee18ac9c77662

SHA256
4d5587006f36c36c6ea5c5775b653b5c7718f3fe951d8f653c558a9da79a7d91

SHA512
e29506f65d5b22e3e3df4f9ed8a6e91ff68072bf8f36fbba5dabb51721a90578ae9d298fe4877e6d697b79d1c33a902b59cfdfef34619b873d8f8c8351833a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19a01973d1536840b4c18b5bfc766e91

SHA1
1595429b7f82772477840c875eacaf3b3b15adb1

SHA256
4be25f9b4301c48ab2326583a5d3a82f32efdc339645c234607d208d285ec9ee

SHA512
f8456e7918acc6fe772f87ffed929667aa87383a896c9adc105d806115673d2151afd5ea5393bcdd45f6187998f800478e74da00e77c9a47d9976f24f455f360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16d2c3d7d6552fadf5876cfa170fc20f

SHA1
fe2030e3f9b514807c8750eaef1d71a8303258ac

SHA256
572dca079be2da32eaf88190b1555232fd0a051767eb9ffb7a30d93da9f6712c

SHA512
ed9ae1f66b6f081e3c6e6653f3f03a02a3c5e36e781a4a3dcd8b452ed756a5c9138ceb561d0dd847c98a4ec7fd3c01d492ba6627ee7d790196307dc1d84530d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581373.TMP

Filesize
1KB

MD5
bca1901b7b1fc36b195653bf68220527

SHA1
979bd1e2edb9fa2903e56965749ca20b799123b3

SHA256
76b26abd6b33d3fdb44f82aa0e70a0c98851fda3abdd0150709be421e6c5f74a

SHA512
b4fcb9b83176ad3a6ecd7df84255ca5050edeba32fe0a8c4598db3db6ec0e2069f111f955fb8149711027f0080fed67e8118f47c62937d21ce8c947618f71597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57ff5a52f78c055288c13a36a3c0b25b

SHA1
0af49029d9c582c8f66f23b329ba08fa76ee5e46

SHA256
e4b0f2d924212644980a32517c0ffc83fd209722113d3bea58ca918b6c0c1fdb

SHA512
7a31718672566d76f9a26fa14eb5ddd583698919015359c575f1179d107533edb7cceb4e17de6bed30ad5b9416024a501e6a01ef8e5121dcb45002c2cbef5fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4fb75ed01dcf497ea0c0d24bad27c46

SHA1
4df28d3bbee0c152c4453a590e689208410aa940

SHA256
a6585d9ba6fe1c1aafb500e65e59ea1b0271765ab233fee07e84cb094ac381c1

SHA512
17de770e08f75f697e5dd6d396376a56e7907e4d7af813aef3379402d7274ef10ec3d67cdcbaba85caf2a044810249fdb5a0bd8a33969431ecf379aa115ecc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\ioSpecial.ini

Filesize
704B

MD5
04cdffd6fabe1d8d3135e44fcc6f2305

SHA1
dcb4d2d3bfa29b45da85c6f85857c0c44ddbc7c4

SHA256
3598ec6cad99aab5e6fddd9bf3f851700adb523f03ba0356a680b0a7a9f3baaa

SHA512
1313c3456235520a9cd6d900ca378d7b99db63f11f8979a12971a4cbf81fdf40f7dfacdcff3eb1cdd14d3dbff9571341f49dc7473bcd8564a5ee8b0934be49d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\ioSpecial.ini

Filesize
817B

MD5
3403bb0fd109b593e4b4af1f4e3e85cc

SHA1
519ba50e90c23190f41ef40fdca33671d6debc42

SHA256
bd97209c9a03f4a86c48882060ca91e5cb608c81eaed9d7a50cd5ffa36391a7e

SHA512
c7b0209c711aadfc705d3ca9622e2f993b81a3de01a27d99d15b9071e8029b903df6940376d62c508c4d47a435aa8d9eecdb76313c961f3152883eea9fd0e7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\ioSpecial.ini

Filesize
845B

MD5
c503d2e824036b69bbaa51d77c79efad

SHA1
140c07c5b236ce7879ab9d9357487f60ddcd7e8d

SHA256
a677add3d3e4cd6dff8360f94595e075993d87bb5e135b93850b843cd813ef1d

SHA512
ad2efcdb24630ee3d2dcd63737ed3322d85f111c1fc07fede07ec7da2bf92ed9bee0efc2de7e30b8f792135157f2245af65a16b36cd5cb40bcaf433e5e3219c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE7B7.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\Banner.dll

Filesize
4KB

MD5
91c9ee5005ac6cb4ec79a3b039b4c8df

SHA1
95a9c018b501b6697beca846a33955909c3f97be

SHA256
05838c8f81efbb98679010158f29cefd88a34fb1fe5d603e839dd406235ddf29

SHA512
41cc45a64fbe64cd83e704e87193004245f5d29f4f880921d041e5f2ceec86ca0653146e6477642eba73875b9d5f0d773b540436b19e4797def9c15d7618474b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\CheckRunVirtual.dll

Filesize
32KB

MD5
a0cb8030c255059749db3bffa0c78956

SHA1
8d945131c91a4bd99f53758d75691349cd4127cb

SHA256
bcd19389fd4e58e552fc45c4222eae3aa70f0e7e1573b2afc8e7ad433f131398

SHA512
b9ad84d528b7b4f95c1ee1b315bc7d76ff3c093e99bbc6b806517742320cd3a592ceb4ab407e1e003b3476e4ee5bc608029c102244ede5fee7fded8ac21e15d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\DialogEx.dll

Filesize
21KB

MD5
2015bb43ab225bebd66bf474df424155

SHA1
3179aae8019577c720bafca7d126574d837ece00

SHA256
0af63a42fb77e2e31eccaea6953c86a461fa1fa82b2471e3493ee66f3e864f3e

SHA512
66567cb93231cfec913463cfc47343844931251ba8e83df0bc67d2ee42fd6fb2eb8d468c9e1af6d2a087701f2e9eb22f0f41bc573f2a471110c422bd54c0815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz828B.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\oli6E8F.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\Downloads\infected\0c80a0ef434aaecd6b1c888567935b97.exe

Filesize
410KB

MD5
0c80a0ef434aaecd6b1c888567935b97

SHA1
ad6730df896f7bb0e4379b8ac543c704f70f8292

SHA256
bb7850028720aace62daf55e8ba0bcf0b1040ebe20f3035873e9fd7130ced767

SHA512
7a8b601b6d027c0f017a620aa117c7183c05170aa6f90c4a2a177ad82b938f00b181007d69eea128b4ee738b2397a2448e2a33801daa102bfdf2b39f1917e6de

Download Submit
C:\Users\Admin\Downloads\infected\1aeafca9c4bea73a32043a8a5343d940.exe

Filesize
1.8MB

MD5
1aeafca9c4bea73a32043a8a5343d940

SHA1
bc0eaf0e3c7a16359c0624fb149ca39227f7891f

SHA256
01630abb94b6fded3504e4c1f6b124950fe4d4c8481c46f04363166e52ec6b7e

SHA512
68e8d09bc73112e0ab28bf36f3aacf84c859ff9852b4d44de6b70523dd0570637a5c152933794512e966ce2f38fd985f29300da44e927201e99e8d69f4e43143

Download Submit
C:\Users\Admin\Downloads\infected\20ca1f8c5fcf963fbbb10b527d041847.vir

Filesize
252KB

MD5
20ca1f8c5fcf963fbbb10b527d041847

SHA1
e6444518f375bc8d874d221d7f5661e80f740662

SHA256
393ecb019a145a62b32efee66c6086943945e869f848b42d4c72f4a0d3fe3ba3

SHA512
a0a78c8ef3793fb631ca3da1cbd49f517c360301d07db352228ceb30458db520402bda28784ebf6371592743f16e3dcf5034997c01806ff71b7b6bbef58d93a6

Download Submit
C:\Users\Admin\Downloads\infected\2a6db6ab86ab610982ba517dfcc73d91.vir

Filesize
420KB

MD5
2a6db6ab86ab610982ba517dfcc73d91

SHA1
06969d60c0c153f4a4cfcd32417d02498948c019

SHA256
88384f143df60d5ae4a2fcee570d867754c292efd96f2bb90581e8af7ac6bb58

SHA512
09fa8e1ab24953595a26f4c9575265b8b953a9492145d75f0a3a09e4e62210ff65dd30f02335f4111e27d523368a7a8f5f24ddfeec8e8b1bed77020dc3798651

Download Submit
C:\Users\Admin\Downloads\infected\2ab252c9b35bb25faabb4312f5df87ec.vir

Filesize
156KB

MD5
2ab252c9b35bb25faabb4312f5df87ec

SHA1
b6e17906d46b5c72f20851d665bff0bd3e7a89b2

SHA256
ef488003dd1a25457db9362cdd4b0747e441f7e8da37053b0318a0e205f575f0

SHA512
7dfc7b04d63489718eda236faaf65fbdeac0b76777ba2316e7526d973c605117b543629a260172b7b801b995bd9a6ee7bd1bc1ed709f000181dd4a2445dd2d7c

Download Submit
C:\Users\Admin\Downloads\infected\315ba5897e7724dfaae1225221d37523.exe

Filesize
1.3MB

MD5
315ba5897e7724dfaae1225221d37523

SHA1
8164e098ea9feec6c2a56c28ec7686c381443d94

SHA256
92b09424c788d8112ec11b0a023d22c4a660038e8ab0d5fb4ed437062a4e6e11

SHA512
01384dcd9750e3d79ac56407549e7627db29906ad6aa91877552652b0089b872e0c8166d335f9dfd96c368fc4b1739dc0debd9b027a44aae02cb756e8dde5063

Download Submit
C:\Users\Admin\Downloads\infected\558b05e59b333aef5224e1da7d03f2e9.vir

Filesize
120KB

MD5
558b05e59b333aef5224e1da7d03f2e9

SHA1
d68e616cbf0b22680de34c4d3615cbfc866176bc

SHA256
55120454e6afa0416c07b905d38434768542cd93b36279bcdbc0a894854b7d11

SHA512
5ccffff98ac76452c802ff92cd566fff0ede3312ab2fcf5e379906c20412c56d4f6a5be71c2bf9f2cec90ec718fcef3bdfc321e6b969e556692c5f3b2d1d3fa9

Download Submit
C:\Users\Admin\Downloads\infected\6567ee3c90682ce956df2af88ac6d0d0.vir

Filesize
61KB

MD5
6567ee3c90682ce956df2af88ac6d0d0

SHA1
b907e266b4af7cdd5fe96488cc365fc4e41e31f6

SHA256
63bc229bdc039252c49a63b31d8c3a73542535c51153e408de55c8490a3ce24d

SHA512
23fa8de59c14c2abeedf6ba16dbcb15bc0f1a065335bdb57fe8cd42005197c5cba748af3ebea39f61c74583c45479d88895b93e797145af8a3de5a8e93929acf

Download Submit
C:\Users\Admin\Downloads\infected\6fdb9a5243232703b13cadc5cccfa253.vir

Filesize
288KB

MD5
6fdb9a5243232703b13cadc5cccfa253

SHA1
694d077a54a46daee4880633a38e0804fca88060

SHA256
16f97b141fcce54f677ab3c97901059705244b5e09f5c353b3ae99bfd9c8aa45

SHA512
929df3212c7e7222008e8e944e5a778582aa09c18e0afbaf4fa45bfda617dfa0d8a9a9381c4ab0ae7b7c75168b295483930326e0a7ffe2e3fb7957dab4a05e67

Download Submit
C:\Users\Admin\Downloads\infected\8b71967467522258a92a8d5dd734d565.vir

Filesize
120KB

MD5
8b71967467522258a92a8d5dd734d565

SHA1
5b40b3789f5fd3ba26493fd7a6b4c46848941914

SHA256
ee9a580245ff7bf4465b122a2bc3ef9c731daeb06897ea34579c009bc9fe988b

SHA512
81d669c56464d2c3c302360bbeafa5a7443e20c3cd4dfb80cc3cd28b736434d2b66789bed02571c4ff62a91e82bc811edf38202a4f3fa135e5075550d2035450

Download Submit
C:\Users\Admin\Downloads\infected\8d1d6e7c36bc9c97338a71c862dc52a0.vir

Filesize
153KB

MD5
8d1d6e7c36bc9c97338a71c862dc52a0

SHA1
ea0cd6c2983a4fda97302cf338b3fbac20a3cc1e

SHA256
636f404892310f7f7cbffd013d5ebd5895b309af2b0bb18814e52c5548e4d4a6

SHA512
fe89091867ddfb2e9b8a94edaf5c5d56d61fffa5dd9f604013ebfd19498625d5d0a8c7db0ae4c215bbe00c2c6682a90137abc91de24c89d16dbcd0f961194923

Download Submit
C:\Users\Admin\Downloads\infected\8e300a75d4dc0bb5ad7ca16f3b982c4d.vir

Filesize
1.5MB

MD5
8e300a75d4dc0bb5ad7ca16f3b982c4d

SHA1
acb3a0014a41c7002507281fa203051c2bfd6df7

SHA256
0e6b7297e0d268689c958889a39733a7367e6836eadd82c475f577f26b64d7de

SHA512
f0f5b84911bf027b2af783d10b23e2711a43fa7492dc7058d0a64bc109f06ed5f4f32c82bea73861c3786956783c7bd73cff5d1c359729a1a672dbb5312c725b

Download Submit
C:\Users\Admin\Downloads\infected\a99c10cb9713770b9e7dda376cddee3a.vir

Filesize
611KB

MD5
a99c10cb9713770b9e7dda376cddee3a

SHA1
1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

SHA256
92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

SHA512
1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

Download Submit
C:\Users\Admin\Downloads\infected\cdb1365059c0e4973843dc0d0955bfbc.vir

Filesize
3.0MB

MD5
cdb1365059c0e4973843dc0d0955bfbc

SHA1
eaa991e3a9c57302f31ac5faba09d7f00f65c8b6

SHA256
1a880b81f53f4c162e7c90d098c185da9cc936988f0ea4fdb278c661d68f9996

SHA512
17d136b87efde90b50daccb84bd85dd09706af14ee5a2a963655ec2df06aa3173915ccb479010098061dbf079c716197d6a311eff3b0c722daf46c00295af4eb

Download Submit
C:\Users\Admin\Downloads\infected\d11cb523b9e2dcedff41c5346a48cc1f.vir

Filesize
180KB

MD5
d11cb523b9e2dcedff41c5346a48cc1f

SHA1
ed5458e2e82effe7c2eef1123956e108ed71c4e1

SHA256
7b86c29435cd174c8ac5bd80e5b77206d0fb7f95774e85ff407e644e0f46fae3

SHA512
28a4e41a729cef7f16a82595e9c69b70c0836a44c66b7381facb904a2845f403a53b39e1ed76ccaef6571eed029f158c343486f2f16b6b1103623efadcd852ed

Download Submit
C:\Users\Admin\Downloads\infected\d1955d1092f0615321bc60e5abd0d8cd.vir

Filesize
2.6MB

MD5
d1955d1092f0615321bc60e5abd0d8cd

SHA1
7e6d20b24d216628f0e7f81015a4f518af075575

SHA256
e1c0d8c1dddbf7cab773d14a60e8e342456a7c80f4b8cc7630927824506819a0

SHA512
cbf7c61868f9a97bc2aa2dc3b72f0227024e7bbf1d0e0c6f899408e6e7fd9202912c817a32bb6d917f1caa27be7c1749eb4681f91edefcfe41a31ed87fc57b14

Download Submit
C:\Users\Admin\Downloads\infected\d872770d3857a675142f706098e45fe8.vir

Filesize
1.0MB

MD5
d872770d3857a675142f706098e45fe8

SHA1
22ac9e35784e8804a1631556bbfca4801a92b322

SHA256
4f5ad84afbc4c814cac687912c528bbb0b6b926f94a0d7352fdd72c503bb6c61

SHA512
3c55158a2fcf92e20d2498c76c12ae887380b6b6293a83992e5c60e5df2c140b06b45c2f367de79fa961e5cfc8f46ed2c472d70c6fc0c5eb26263dfa7b11ab75

Download Submit
C:\Users\Admin\Downloads\infected\d9985f2669dadd11b529f6492198bde0.vir

Filesize
2.8MB

MD5
d9985f2669dadd11b529f6492198bde0

SHA1
401cde3ac2615da2ac121a297a79877e133ceacd

SHA256
227471b4cc68a25874e21e585bdcdf4e42905a291f293f8c549499df0a6cda56

SHA512
a2b53bcb111f326e5475013a0b5babfb95e2edbecabd7bd8120618cbb74a14172e39e5d0db2af6fc6776ec25992fc36634485c177a4f40ae84ec5a2d622c5c84

Download Submit
C:\Users\Admin\Downloads\infected\dad3b507b3519774672e6221a254f560.vir

Filesize
138KB

MD5
dad3b507b3519774672e6221a254f560

SHA1
6a7715c7615db96a73d41f32d0298a476c54d46c

SHA256
64fe980df1cb38cdd29a1d27b70719241b3052281795fd1654638ff47e37aa27

SHA512
85691b29b64b985d0e55872e52e6de7069a9f60b9f4ff1a7795c90290ae9bf06c9379dc857685041635ebbef50ac5e3160cd74ca2bde49037d5e92ee1a198264

Download Submit
C:\Users\Admin\Downloads\infected\deace9a9a08bd89616a9cc3ca1bac700.vir

Filesize
745KB

MD5
deace9a9a08bd89616a9cc3ca1bac700

SHA1
3ed1cf370a297fb653a8331ad370ba6f9f8c919c

SHA256
29a0b87b8495891215d3f7f2d9a7299ff5ad1c78aeecd078a4ee22c67abca3a5

SHA512
695612512c2e6eefe24610cd1f7271e79a4173d8a0046da14a5f90b847717b468211f4ef0bbf361fea954ff1491afc42ebe71f64d54fb269a3bbd7210f2fb30c

Download Submit
C:\Users\Admin\Downloads\infected\f77f8f2151012a32813ed0181c205882.vir

Filesize
560KB

MD5
f77f8f2151012a32813ed0181c205882

SHA1
6d652b36b38fc352060050f2608975749aae32b5

SHA256
dbd4052fc52d018d93db9ace8d02f3642320305677e070516fdcbf7effa34d82

SHA512
feec9974d0f5f3dc927d22b075d3dc7a3f7d33ef24d111be7d428a287dc3d604f14714a81144eb8ade7677d68a79c474083c2838e2c7735132dafdf4face5581

Download Submit
C:\Users\Admin\Downloads\infected\f9d77633d4548da678bd382fb41d33c7.vir

Filesize
484KB

MD5
f9d77633d4548da678bd382fb41d33c7

SHA1
18da4ee8292d3c3ef91a27ea3812802ab91a001a

SHA256
736e213b45a7a12511b3a7ce3aba2510996802ab14ede208817e85eb38e14f1b

SHA512
f8f965383b7e706ccbc959ecdc6365abc6a415c560b0e8bd9dd913b4e53116565779d89ea9f079775aae434d0682399b104bc3beb99962bc9ea05470a215dfa3

Download Submit
memory/816-1577-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/816-1597-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/816-1594-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/816-1595-0x0000000002230000-0x00000000022A3000-memory.dmp

Filesize
460KB

Download
memory/2024-1351-0x0000000002110000-0x0000000002183000-memory.dmp

Filesize
460KB

Download
memory/2024-1350-0x0000000002110000-0x0000000002183000-memory.dmp

Filesize
460KB

Download
memory/2024-1592-0x0000000002110000-0x0000000002183000-memory.dmp

Filesize
460KB

Download
memory/2244-1194-0x00000000054A0000-0x00000000054A9000-memory.dmp

Filesize
36KB

Download
memory/2244-1120-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2244-1113-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/6072-1325-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/6072-1315-0x00000000020D0000-0x0000000002143000-memory.dmp

Filesize
460KB

Download
memory/6072-1309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/6072-1317-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/6072-1318-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/6072-1319-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/6072-1333-0x00000000020D0000-0x0000000002143000-memory.dmp

Filesize
460KB

Download
memory/6072-1332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download