hawkeye | hxxps://github[.]com/Viper4K/malware/archive/refs/heads/master[.]zip

Resubmissions

17-01-2025 12:20

250117-phrxmaxqej 10

17-01-2025 12:13

250117-pdsclaxpam 7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Viper4K/malware/archive/refs/heads/master.zip

Score

10^/10

hawkeye njrat slaves collection discovery evasion keylogger persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gandi.net
Port:
587
Username:
[email protected]
Password:
Chibuezemichael666

Extracted

Family

njrat

Version

0.7d

Botnet

Slaves

hom135.ddns.net:100

Mutex

d4903fdacbb79e6cd1109a741a2bc821

Attributes

reg_key
d4903fdacbb79e6cd1109a741a2bc821
splitter
|'|'|

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5024	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	spoolsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	M.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4903fdacbb79e6cd1109a741a2bc821.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4903fdacbb79e6cd1109a741a2bc821.exe	server.exe

Executes dropped EXE 13 IoCs

pid	Process
1992	netprotocol.exe
2112	netprotocol.exe
528	spoolsc.exe
2812	netprotocol.exe
4400	netprotocol.exe
3812	netprotocol.exe
3772	netprotocol.exe
1796	netprotocol.exe
3952	netprotocol.exe
2332	M.exe
4952	M.exe
3340	server.exe
4120	server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	netprotocol.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	netprotocol.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d4903fdacbb79e6cd1109a741a2bc821 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTWRM = "C:\\Users\\Admin\\dane\\0a-PORNOSKI.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVRNT = "C:\\Users\\Admin\\dane\\smss.exe"	0a-PORNOSKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NjRAT 0.7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4903fdacbb79e6cd1109a741a2bc821 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	checkip.dyndns.org

Drops autorun.inf file 1 TTPs 58 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	F:\autorun.inf	0a-PORNOSKI.exe
File created	D:\autorun.inf	0a-PORNOSKI.exe
File created	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File created	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File created	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File created	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	F:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File created	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File created	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	C:\Users\Admin\dane\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\autorun.inf	0a-PORNOSKI.exe
File opened for modification	C:\Users\Admin\dane\autorun.inf	0a-PORNOSKI.exe
File created	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File created	C:\autorun.inf	0a-PORNOSKI.exe
File created	\??\Y:\autorun.inf	0a-PORNOSKI.exe
File created	\??\G:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\Z:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	D:\autorun.inf	0a-PORNOSKI.exe
File opened for modification	\??\E:\autorun.inf	0a-PORNOSKI.exe
File created	D:\autorun.inf	0a-PORNOSKI.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2112	1992	netprotocol.exe	124
PID 2112 set thread context of 2812	2112	netprotocol.exe	127
PID 2112 set thread context of 4400	2112	netprotocol.exe	130
PID 3812 set thread context of 3772	3812	netprotocol.exe	133
PID 3772 set thread context of 1796	3772	netprotocol.exe	135
PID 3772 set thread context of 3952	3772	netprotocol.exe	138
PID 2332 set thread context of 4952	2332	M.exe	154
PID 3340 set thread context of 4120	3340	server.exe	157

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001800000001db0e-288.dat	upx
behavioral1/memory/2332-289-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2332-330-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3340-333-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hotbest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRAT 0.7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a-PORNOSKI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
2144	msedge.exe
2144	msedge.exe
2268	identity_helper.exe
2268	identity_helper.exe
4308	msedge.exe
4308	msedge.exe
1992	netprotocol.exe
1992	netprotocol.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
3812	netprotocol.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
528	spoolsc.exe
3812	netprotocol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	netprotocol.exe
Token: SeDebugPrivilege	2112	netprotocol.exe
Token: SeDebugPrivilege	528	spoolsc.exe
Token: SeDebugPrivilege	2812	netprotocol.exe
Token: SeDebugPrivilege	1172	taskmgr.exe
Token: SeSystemProfilePrivilege	1172	taskmgr.exe
Token: SeCreateGlobalPrivilege	1172	taskmgr.exe
Token: SeDebugPrivilege	4400	netprotocol.exe
Token: SeDebugPrivilege	3812	netprotocol.exe
Token: 33	1172	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1172	taskmgr.exe
Token: SeDebugPrivilege	3772	netprotocol.exe
Token: SeDebugPrivilege	1796	netprotocol.exe
Token: SeDebugPrivilege	3952	netprotocol.exe
Token: SeDebugPrivilege	2836	taskmgr.exe
Token: SeSystemProfilePrivilege	2836	taskmgr.exe
Token: SeCreateGlobalPrivilege	2836	taskmgr.exe
Token: 33	2836	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2836	taskmgr.exe
Token: SeDebugPrivilege	4120	server.exe
Token: 33	4120	server.exe
Token: SeIncBasePriorityPrivilege	4120	server.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe
1172	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2112	netprotocol.exe
3772	netprotocol.exe
2332	M.exe
2332	M.exe
3340	server.exe
3340	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2864	2144	msedge.exe	81
PID 2144 wrote to memory of 2864	2144	msedge.exe	81
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 4740	2144	msedge.exe	82
PID 2144 wrote to memory of 3540	2144	msedge.exe	83
PID 2144 wrote to memory of 3540	2144	msedge.exe	83
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84
PID 2144 wrote to memory of 1080	2144	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Viper4K/malware/archive/refs/heads/master.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86db546f8,0x7ff86db54708,0x7ff86db54718
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14671033533545632506,16436164171473352742,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3076

C:\Users\Admin\Downloads\malware-master\malware-master\Hotbest\hotbest.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Hotbest\hotbest.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3076
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iprq_kql.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91605C6E257B42368657EE21B670C3D1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2112
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2812
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Web.txt"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:528
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3812
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3772
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Web.txt"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1172

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\malware-master\malware-master\Killsight\wordmacromalware.Killsight.txt
1⤵
PID:4008

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\smss.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\smss.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1156

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:3316

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:4508

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:4008

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:808

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:748

C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\0a-PORNOSKI.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
PID:2596

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Users\Admin\Downloads\malware-master\malware-master\NJRAT\njRAT 0.7d\NjRAT 0.7d.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\NJRAT\njRAT 0.7d\NjRAT 0.7d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4952
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Roaming\server.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4344
    - - C:\Users\Admin\AppData\Roaming\server.exe
        
        C:\Users\Admin\AppData\Roaming\server.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\malware-master\malware-master\NJRAT\njRAT 0.7d\nj_users\KHALED_PC_Future_22A4A3B1\PASS.txt
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0a-PORNOSKI.exe

Filesize
1.6MB

MD5
c14240799b42bb8888028b840d232428

SHA1
e42d3933a959f55983141a568241cd315ae60612

SHA256
0e69c2a9fc7bac1133becbdbcee3d3c48aaece55efa7abd42071009098c29f7b

SHA512
ae515275895c9a741b422c63feea725f150f5b28c1d9da635933a9b1b523d40230d319b1b53ad1a7a27fa39625244862b2ce89e8fc2da7a48303c032bbcfb591

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
363bca4743dac39f7d7b9fe4ac83dc55

SHA1
cde69d01fa5c83d94f4e069b3ea418f246f8873b

SHA256
3d8e598ee18815617d998e1cc7c32be7f4c5cccd9e0f7697c8b6d9c579f059a4

SHA512
940fd3988b688de284ba2af2f8edf92f0151cc178f66bd23124118309a3da55fea920515d4daacf3a2ab6fc149d780c2267317b45369d3726253027102511069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74ca24f53a165166cf317eb0f5667a7c

SHA1
aec9cd7c8179b65c377fba491bf09f0e098b5ef1

SHA256
1c91f169193b67565ea0e0c3291b1beb0891c07c64f60f28ea7760d0bb2e6947

SHA512
e113340e87267667a5ad27afc2f6c4112835a4c2175af14d4146bace5ea9fb1ca94751ab14b0bfb7eaf1ef0a1a2a71d7031963608f4540d18f875ba6bf24db6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
19190be405a2a72e158d22f680db99ba

SHA1
42e58bacc8c6f7ab095f283929817d63831b8f09

SHA256
f83c147a1919f04dbfe22c779bececc647f710f8fcb856c7821b1bfd4a86312e

SHA512
7cc701165478dc79713dde122ec32a95b0db535e48f5117e58d4c65c1e7e9fe6f5638edb65a53fcc86780db9d41aa8dd529b15adb3317c21f1c87c0c4f3e4d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3fa3c52cc789dcb6be1c252d057323ff

SHA1
95018b3fca5acd64802790f137787b1f2e243faf

SHA256
ff9c304996d2eef05605ea62e3ce4382826fd58fe1cb1f38ffd8ea2b7bb891fe

SHA512
456308b53d96c4812e30c4f0ff70b52aa293a1554bae0f518ef3e6af60f3aeaa274675cfbb365fef6225cad40aa5b932ebb1743109a0e96005687a31982eee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
67KB

MD5
d65ba9b2e11f53293a12183eb9e6b1a1

SHA1
b61b3b8df3e90114b5b62532b0f5902fe5c46420

SHA256
196d391a4a946c759ca71ac0f22febd5da2a973e05cd6e64004a15f58cf8d3fe

SHA512
8bbd1c97e96e9acd49e939dee1df555929fde2d18de9004a1a78588feba3617ab5873a21cec658461b13e78596caa380750c4a38a2f9f53c5cba7e980d71aef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
133KB

MD5
4618ec5961dbe5d5dc70f36867dfffb7

SHA1
c59105578dc2e4b8d72033609eb61947eda8289a

SHA256
fe84e674500a1d3efb18f8484f9a2bdb923aef33234dfaa0a22677de1f20ec91

SHA512
dfb450fc22303121ebe76134c5a5723cad4d7f488e637e7ffec393f2996327e344ce02ed892dbea822c08f669d90e6edea8b9c8389bab8a10f00f236365ad547

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mail.txt

Filesize
267B

MD5
c114ca9951083036225f8685229961c5

SHA1
87c68a210524e95f774cdfff35385cf966c11c9c

SHA256
6f5af57d51603a4f304a1cc68c3baacb3344d265f5fce727b1bb19340ff5dd02

SHA512
68b3df07358f38bc8083fd705d114cfe81209083fbf38ad69389149e84a2ae51a32cb334735aa1ff97d054f9a0fcbc60245eece267d5e286f92f5f4e795c0011

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39B8.tmp

Filesize
1KB

MD5
12bc2acf450e55939c91e27004aeb804

SHA1
ef35bfa5a9af3c0056f69b19e34dd2273e28daef

SHA256
18af9e82bbc728f67fefb3c58e306b3c61bfb0fc7ca6dd9f683efa5127a5a491

SHA512
f1762f71c931210a46ade92f0d7481bbf6a3fd4287e9bc44d68edfae9be0f0b156605baf84b29e38d6fca3234fb1b228df522460bae5e017e88197be7eae9b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.txt

Filesize
1KB

MD5
9c1715c2a639cecb8a114fdef98576ab

SHA1
10550b01b63fdbf522692368cc1cfad959d316fc

SHA256
157335cc4e376428b4b384fe2b890af55a2ff5f28d90a55e63eb544e8d375cb9

SHA512
c73d9dc8a31ad5d41efee3ee0cda852a27c27a411334b206f79779dabdffaedffc22578b8ad8f13fc5ab37a4680bc4e6a3ac34e87a12503fd7eb5e73d54efaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iprq_kql.0.vb

Filesize
3KB

MD5
e40446114fd3a07083f484e14fcba4c4

SHA1
086fcf1aac441cbb6f59fa079b506aabb94a493c

SHA256
ec6b3348f5b776c8adaba5b50714667f393c693d1839bccf01385f7094d6c9ac

SHA512
4143d482b15938b44505f5e5ecba5c0080f83d8c29b84f4e93819afd5da1bf37327f16911ff1ace253b9167c514bf5422f1c85fa72cdbe7892180fe22e9b5cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iprq_kql.cmdline

Filesize
224B

MD5
c6bdba26b59cd5aa3acc5ceb5166d6d6

SHA1
c6fd3c4b59e64cdc02ee76c01aefeb1d34906a8f

SHA256
e7597108accc11f2190bb9ae42f1fda318c107658349be4b98d1fb46ff157228

SHA512
c3f8419f8c33ae80c48a4d56138c530180b0cba45afd330ef2c66e5e2a211d62daca41dd768b5804b77cf60e55d6594858838c602fb7189de6c6bba19045f459

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe

Filesize
8KB

MD5
0dc8a6575a4b1dacd19e0730770326a7

SHA1
9dabc9d1fa155d7cf1eecb0eecaf2132e1b46ca4

SHA256
c967982f30a78581cea0852b6390013c254599d013920496a0d8ee0e2993797c

SHA512
9a9d3604801fc511c3d96f2f5d2c785bb7927259e4a56144d355fe58e959900ea1f1ef9199d198481da5855e7371d07b51b8eed8b1d99a6ea94fd70d97c8b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc91605C6E257B42368657EE21B670C3D1.TMP

Filesize
964B

MD5
52d9c8ba23ef6a3c6542be3c34f9adbf

SHA1
3bf7b4f0ba7ac08798c5f5c52d119f79c26017d3

SHA256
e7c06aca847231b51e5303b631cf78f34cd2fcb074a239267bc737258f6a5e9b

SHA512
6dc22e583b418ca4da2cb996f3bc1e18127d3849ca3fd175f580d34768e32eb12a3f4675a2a346b324e72845b870d42fa6397d2aeab305dd08a2eac9f3fe57a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
572KB

MD5
6c9177754244a999e36b838622c8b3a4

SHA1
449df07d92f65d20dfffb60124e6123c5a85c491

SHA256
dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5

SHA512
4ff43bc990248d5fd043551244e00daf0988b973246b234413ef82d9a9a74c822353ddb00235709e594c9211e7df692fae73e9a6be8d024b1b661ba0f8d59b34

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
a29d1598024f9e87beab4b98411d48ce

SHA1
612d9ec34bddce122042db4c143e86dca655bc15

SHA256
44c59909f17c296d6f2ec4a53efac3a951add75aa67616d9c5d9d2f5fbb44f04

SHA512
6bdfc7ffdab6e7e60bfd2247c39cb9e1a09b867e979431dc5b504522df6c34b24dc74c9b09da3d29ac631fa227588a78ee56c01c8bbb72fdc1964467772a3ca2

Download Submit
C:\Users\Admin\AppData\Roaming\pidloc.txt

Filesize
76B

MD5
69275d427c2c6d00d029ffb971798f3e

SHA1
1f7c3f5f55c97cc3013bae5ed4d10d526c147e9e

SHA256
3a6f6356af22109ac68f3a13ef149c8ddbb5457cbfd0f867a6600e196121c5b6

SHA512
012fa24d8d75f6a3a4ec43628077a9454809bfadba3e00ae5a6da2fcf10a77fd24d349f46bb7a054e9e9084eb8f70a51080affaf879c38fb7c55dc3e75b74980

Download Submit
C:\Users\Admin\Downloads\malware-master.zip

Filesize
47.0MB

MD5
5eba758ab6c01a378d8f67c30e327cba

SHA1
5e0040767b9093e337ee6384f8a2830ddf2a0f76

SHA256
5d8e8e31e5529bf443f5d654a21bc0ec836520348ee91b185eb1477d67258bd6

SHA512
e4a8b7760cd6e8f02ae54f9f3b0b9980a9fef6a820ccdd1a5821aefbca8469887c33e346ea216575ccca003aa0c85fd51b7317a0552124dfd8c29e469fbd3d2c

Download Submit
C:\Users\Admin\Downloads\malware-master\malware-master\Mitologia\autorun.inf

Filesize
114B

MD5
791c22422cded6b4b1fbb77e2be823bb

SHA1
220e96e2f3a16549228006b16591c208b660b1bc

SHA256
3354db19957d91b855470eb17ce933e4f10066ea25478a10b69a27e8fbca6f60

SHA512
b5f9bd9ca51efc9e8166ca1604d511e36e99fc02ccfd3e686f1dfec7bf777fb0f7b6492bdd1b75640790893857c69cfcf254fd6f6e0ff2839241b94f8c9e0b87

Download Submit
C:\smss.exe

Filesize
1.7MB

MD5
8be846798bb140858d4f8e5017b5690d

SHA1
fc27e85ad2441582644cbb04aebfd18faa7bdc4c

SHA256
2062694652a5d8a4b61c43c3c82f99f249c27f054d4a93cb690738e7b235abc2

SHA512
e7abbf1abc1fa79b4336c928e28c598a0575270302f1ab1f823decefeb523b077fe7df82e15b801d4dc6d7dfe72b9d13888bfd23aa59b848f1c532446a78d71c

Download Submit
memory/528-132-0x000000001BAB0000-0x000000001BB56000-memory.dmp

Filesize
664KB

Download
memory/1172-149-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-152-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-143-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-145-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-150-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-151-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-155-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-153-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-154-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1172-144-0x0000020A98C70000-0x0000020A98C71000-memory.dmp

Filesize
4KB

Download
memory/1796-186-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2112-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2332-330-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2332-289-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2812-135-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2812-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2812-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2836-273-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-274-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-268-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-278-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-277-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-276-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-275-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-266-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/2836-267-0x0000017ABB090000-0x0000017ABB091000-memory.dmp

Filesize
4KB

Download
memory/3340-333-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3952-217-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4400-160-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4400-158-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4400-156-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4952-298-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/4952-316-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download