hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

10-12-2024 16:09

241210-tl51wazlb1 10

10-12-2024 16:09

10-12-2024 16:06

10-12-2024 16:05

09-12-2024 15:24

Analysis

max time kernel
117s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-12-2024 16:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

7^/10

defense_evasion discovery evasion trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 5 IoCs

pid	Process
3932	AV.EXE
3656	AV2.EXE
4088	DB.EXE
3092	EN.EXE
1360	SB.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tsa.crt	AV.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ac4d-446.dat	upx
behavioral1/memory/4088-455-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3092-471-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/4088-469-0x0000000000690000-0x0000000000723000-memory.dmp	upx
behavioral1/memory/4088-468-0x0000000000690000-0x0000000000723000-memory.dmp	upx
behavioral1/memory/4088-465-0x0000000000690000-0x0000000000723000-memory.dmp	upx
behavioral1/files/0x001900000002ac4e-454.dat	upx
behavioral1/memory/4088-487-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
888	msedge.exe
888	msedge.exe
1752	identity_helper.exe
1752	identity_helper.exe
4604	msedge.exe
4604	msedge.exe
4832	msedge.exe
4832	msedge.exe
4088	DB.EXE
4088	DB.EXE
4088	DB.EXE
4088	DB.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4088	DB.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe
888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 244	888	msedge.exe	77
PID 888 wrote to memory of 244	888	msedge.exe	77
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3120	888	msedge.exe	78
PID 888 wrote to memory of 3640	888	msedge.exe	79
PID 888 wrote to memory of 3640	888	msedge.exe	79
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80
PID 888 wrote to memory of 2980	888	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca7a33cb8,0x7ffca7a33cc8,0x7ffca7a33cd8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,17666406533034622092,9602849238878735587,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ana.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:4188
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins9546.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
    3⤵
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8edacf82f8bfee028d6119d7728147d4

SHA1
00c61d3c44bab616cefa04f37ea7161bdc29cd8c

SHA256
44ceaed62beb994fe3452fc754fddcd6af87d88e4c0b44c1aba35739d7d21664

SHA512
923667de8badb664a2f74b911a77c646be20bc93b5747180ac79d63c5ee9dcf8aeb89721f987492fdf937c3271b3fc64ec2aca86c373c8290bb5f8c49f6c12d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
72d8b549c047805a5315df059bb1539a

SHA1
3df3770c14379441be3be79eac28f5a1344cdada

SHA256
beb758c4229b5c555242bde07bb5e88edd0d43be725dd68c8a4f33e6eddf10f6

SHA512
0bee533bd41e2226f9e971c9e4b75dee9d8d8ea545bc8a119d3a3c31bbea9f4c30b0ae3dcb58cfeca103ec4880171d2d63c676ac7a4a71b990e4a5ad376fe4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
499a4ca7f809f594ccfc830105c2e149

SHA1
fcb9ecdb081d347c522e2fc4f1b35201e99deb38

SHA256
b1a7631958a34a76bac6d1771b79c0dbc893d1eedb581a17a12ee55e5b365a5c

SHA512
8955fafa719245381109b1e2aed7b1c3f2a494082ce051b0ac2ec078ad2705220f2604d4b62a4936f6e849ce00c9ed50eda018129770029701385e44c60c39b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4a8d82cf64e661bcb724e336f0eadf2

SHA1
3ffd687a469c7df8cc80091d6c557ef2955c296d

SHA256
00168d1f7c1afca79258886b15d3014ca0869f33006ed79c0a915a2d1ccd04f2

SHA512
e2086e2d779a59446de45d25b394ebd5e683d899c0b26eeac786a957075447cbdcf08f316b04e2bcbf9626b067add5511621440a69b3a0d0b2e16c2c3d8a088c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2a2f39b0e943ab5be395350a0864fff

SHA1
7191a4048bdc72c5a00951757122a6ec81534e28

SHA256
4cc39e592c7291e314a2a8d6c3685828def30669823520746593c7e2c68ff0ae

SHA512
0e6d039d835cd6d91725649de8e9f23c534014aa8c9a699db0c736a516a176095739ead7130107a36032a0f58202eacc2279d47918afc6a886d2ffcadc2ccce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
914cc7831ad8b4c2c5e9b1f0ed888d7a

SHA1
8aa91d0c4db242f4d842007a9a18f3db535b4654

SHA256
0c572b61ad8d6233deb2064a24e4a02f510c53a497526ab8145cc6eef273a163

SHA512
8a83c8e9fc3d577a35ed72833400a29f199ecf7d303ce6a38e7203a7764f761ab8d941a2d32a599c062703b47cbaed2bc2efb428c33c8a72e154f5f0eb3ad2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a71351aea20d23374aa7abefa8d2470

SHA1
802827f8a2d7a1b8c877476992507ebb6fcb6995

SHA256
8b3d746c675482e88d0a71c021967787a84bd98171e54fcabf0e4900cb740000

SHA512
2680872257271ae77a609af61f175be66f4fcec07b5f5695c4e7123466ab73edcf34c0f5b9689137c3d2bbf0f841bfc4add930401fa89ba9568b2eef81412c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a446aa79b50368f569ff0c27b9b2f76

SHA1
24516ce8ae7ba758db88c8c356b30a557d700c62

SHA256
20cc21660176849d26ac1ea2049a9fa23ef879a0311d13aa5d5c9f12545c03d8

SHA512
082147defba0774253d7849a50cdd4fbf230fe0e1c9e8da3b7a1d50e154f1e210c71403551689f8ea9b13d25835e595b57cedb5ad298293045429ee23cb71af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cf75.TMP

Filesize
1KB

MD5
b487a65967db8f24679dc5f95139abfb

SHA1
5c60474acf5e7515d67cb4c92b38fe01c983b28f

SHA256
b26f567d41dbe9c03b55621f3c968ddc3700c148fec10948b5e4d3a18f17a89d

SHA512
7f00c44e95391f19dd2827b7f033e242a0dfaef840d9fa919ccc29d8c696e347efc413291c13eb07f6aceee5cec05589b822b226bb00967aa6223d847ba150be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c68395d1e0e3f89d767cc8d0c0c5ce01

SHA1
aca191021e019da5525407e3be8bd9d76430697d

SHA256
7d786365c55acd9adf3cc3fae151a7f6a74d172cd563311ae215932615c42ae6

SHA512
f90f185dd63ae22e3ac613d04b61c952a9a8ccfcfeed86a34063f6a8ad600c07223cf5986998150dad396fdcac59d6db73c629c63a7da248e67e7dc3c85fd03d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f49eed9f06c99150cfeb56f5d39c7f46

SHA1
58079ef266b407e65046f829fb6ffa06e7a8ccd6

SHA256
00a64f4daf13d8afb6c666c6cafe16c1c537c315551a71c26b16e929df871715

SHA512
904550d0980d6235d2b49c52b81a67e2e04a16d4f1e93e88d3b64ec8b616e372a28da82f3dc990fb55d55f1de426598e82e8f7568e2eafbfc63a1b3a1cc04fca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e38749d88fcc454a5891f7d61a4df8ab

SHA1
c6bbd19c47d260b50341b59ee5c0f1d20b09886d

SHA256
5dbe670420b57cc4188ac5f359dd63847e6b42b96a52825aeff65f21723a212c

SHA512
47a94385668241f0cf57525060733496ed7b75604d235c22edc4161780ee8d4d179d5307040f090fd895d35b954d425a02de4a90247c26c75f65c967155f49c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
695ba187af8e1a5f3363a04eff0d18c6

SHA1
23ba7848b41b273d1d965f15da98541b52616659

SHA256
42e56b4bacb52f71d1de34729fb7b216cb343cade1d8d8aab8d2ca1f8e1328a6

SHA512
bada4e88fb89077b2d7ddaf5d21eee85d4f43db6697774e1719ad5a7f500a31039a6f9dd085478687607eb30e0ecccb76e5450daebc5e610ab9e94199172dc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~unins9546.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/3092-471-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4088-455-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4088-469-0x0000000000690000-0x0000000000723000-memory.dmp

Filesize
588KB

Download
memory/4088-468-0x0000000000690000-0x0000000000723000-memory.dmp

Filesize
588KB

Download
memory/4088-465-0x0000000000690000-0x0000000000723000-memory.dmp

Filesize
588KB

Download
memory/4088-487-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads