crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 17:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat remcos revengerat guest host evasion persistence rat stealer trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023607-366.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001000000002362c-637.dat	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
4240	Userdata.exe
3028	dlrarhsiva.exe
4616	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
79	0.tcp.ngrok.io
136	0.tcp.ngrok.io
139	0.tcp.ngrok.io
146	0.tcp.ngrok.io

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	iexplore.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 4620	4240	Userdata.exe	125
PID 3560 set thread context of 2880	3560	RevengeRAT.exe	131
PID 2880 set thread context of 2596	2880	RegSvcs.exe	132
PID 4616 set thread context of 4336	4616	svchost.exe	201
PID 4336 set thread context of 4792	4336	RegSvcs.exe	202

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4452	reg.exe
3356	reg.exe
4660	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3044	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3904	msedge.exe
3904	msedge.exe
3592	msedge.exe
3592	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4620	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	RevengeRAT.exe
Token: SeDebugPrivilege	2880	RegSvcs.exe
Token: SeDebugPrivilege	4616	svchost.exe
Token: SeDebugPrivilege	4336	RegSvcs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4620	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 4648	3592	msedge.exe	82
PID 3592 wrote to memory of 4648	3592	msedge.exe	82
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 2252	3592	msedge.exe	84
PID 3592 wrote to memory of 3904	3592	msedge.exe	85
PID 3592 wrote to memory of 3904	3592	msedge.exe	85
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86
PID 3592 wrote to memory of 4552	3592	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa007e46f8,0x7ffa007e4708,0x7ffa007e4718
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,17681520451854379766,5361612521689790128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3060

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:3840
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:3044
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:3516
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:3356
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4188
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4660

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3560
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwwcrpyi.cmdline"
    3⤵
    PID:3344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE23E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51B75EE6971A4C28ADBA4676BE7C7BA3.TMP"
      4⤵
      PID:384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b5rerin4.cmdline"
    3⤵
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE319.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2A7ED90BBF84464AD2D59F89A47B88.TMP"
      4⤵
      PID:4740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\90ergecj.cmdline"
    3⤵
    PID:3456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D3CE1AA13854B7F831961DD9D9559A1.TMP"
      4⤵
      PID:4520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvfj42ay.cmdline"
    3⤵
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE471.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8841ABBE5B14D90BC5E6A8DBECB841F.TMP"
      4⤵
      PID:3708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bb8e5064.cmdline"
    3⤵
    PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE50D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4157DBFAE091403C86E3DE879816CB93.TMP"
      4⤵
      PID:4336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sk2mimjm.cmdline"
    3⤵
    PID:5068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC90EF415DE643528DF39B7A5815BB31.TMP"
      4⤵
      PID:208
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5jehaol2.cmdline"
    3⤵
    PID:4440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE684.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF410075F1E743E0B4DF3AED25A5B1B.TMP"
      4⤵
      PID:1072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ercipmle.cmdline"
    3⤵
    PID:4548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE730.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB498E64DB78D45199644708185696E80.TMP"
      4⤵
      PID:3476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8jblwa8b.cmdline"
    3⤵
    PID:384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A563EAE5D264D58ACB9E8795809791.TMP"
      4⤵
      PID:4956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5v2mpmrt.cmdline"
    3⤵
    PID:4740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE888.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61D366CB562D43F9904EAECD77A86DD4.TMP"
      4⤵
      PID:2312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ftivzkrl.cmdline"
    3⤵
    PID:1168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE962.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc929C5AE1F444CC4A44E7499D53F9E94.TMP"
      4⤵
      PID:3160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldw4kbyv.cmdline"
    3⤵
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1667270D7B36418CAB138CC1592D3DE.TMP"
      4⤵
      PID:1096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6km1154i.cmdline"
    3⤵
    PID:2888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBFF7E73BD7B14B9997A1B620B43D42C1.TMP"
      4⤵
      PID:3336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z6uhgxqb.cmdline"
    3⤵
    PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E8979AEF0BC4FAFA74FD9878F4330.TMP"
      4⤵
      PID:2336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kufneufr.cmdline"
    3⤵
    PID:2032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92C1820845A4405EA24BF2AB8AE24EC.TMP"
      4⤵
      PID:1636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1h6fshr4.cmdline"
    3⤵
    PID:4432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BEEBF73DFAD44AE9E796F8B88FCC07F.TMP"
      4⤵
      PID:4100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3xswsquv.cmdline"
    3⤵
    PID:3116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD00EBB3F8664CF19A6A51581DD8831F.TMP"
      4⤵
      PID:4992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q4n2dsss.cmdline"
    3⤵
    PID:180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDC7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83663FDB86044EA29483FA2C9F795DD8.TMP"
      4⤵
      PID:4516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hc8fxazx.cmdline"
    3⤵
    PID:4856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc196B3269967D47688EDEB425339A1FED.TMP"
      4⤵
      PID:3840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pqr3o0qq.cmdline"
    3⤵
    PID:3172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB175D9385AB465BB8FEDE6BE99E5A39.TMP"
      4⤵
      PID:5024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ryncrie_.cmdline"
    3⤵
    PID:3560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc363B35F9DBA46628EA0EB3C5A4A79BE.TMP"
      4⤵
      PID:2664
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4336
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:4792

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:3304
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:3028

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a27d8876d0de41d0d8ddfdc4f6fd4b15

SHA1
11f126f8b8bb7b63217f3525c20080f9e969eff3

SHA256
d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe

SHA512
8298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f060e9a30a0dde4f5e3e80ae94cc7e8e

SHA1
3c0cc8c3a62c00d7210bb2c8f3748aec89009d17

SHA256
c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79

SHA512
af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a1db3c7fd8956cd71167ef63f7de05ad

SHA1
bcbe654bf3af1ee21fab6f3ba7519fb7db7f8afc

SHA256
6f0e90818ee48222c788b9de20494523cece9eca8d0ec016ca4e9593f61a25fe

SHA512
7f89258f58ac317d3115838c732086a0fcf1cc4d81bc8975facab04811c4a84fb0e8b96170c9db245503c7045e3a0a43505415eb4f9801f2600162fce9fc51ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
a6d346f58cbec0a6e4015327b25f1537

SHA1
750056e65a8b1c20b1a6051f5adcdf35821a6ac1

SHA256
1a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56

SHA512
74e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32e4c9fc468d34a0db77ba52d7fd0e65

SHA1
4e67f42a3918d77deecbf287bca2a1044396ddb5

SHA256
59c2a950ce3a95ff69b5d868398eca0867653ba69c8eb24ea8d49b5a11ec26a6

SHA512
7bda39b45d0715b1de2c1750fcfb635a05bfd0856354bddfa87acf7b7f9fdc982d50d9534ce52af9e43718db99d6368821a07f112d2fe6aae8062b4489cd886e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d7d2de8037dcbf9f2e493b3c3bb25ae

SHA1
247662af19a14f260df08f44bb6e47d69a5b6143

SHA256
7b424695c63da4ad124091a34f298a7ba3c1775ebf4f8a5440ced40430042d7b

SHA512
d57f2d005316204900bea0352df0552a41e046984a7d4e165d2083d9276f5f7488426ba6f991cc0754953f08d65f031f00fa1e75495afd75957b0286040890c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a73158deac8f5269aee0b1f1fa63e06f

SHA1
c5e30e0296b2fb5ec015453e350a1195c96304ee

SHA256
8188275c4ee85319c28e5d88b7e3ef6f485b5c308bff86902cf58f08d5a685da

SHA512
9c6aa18c1f153ecdf5d80778744b6eff0873a8f3931bd9887da5728b5adca181a22412c5401482ab2dd299f27dce2e54cce7d7bfd906e812ffedac99b776172a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c902b60bba199727365d214336ee5e21

SHA1
4d077acea00a236f433a8cda3c991aa6ef6db112

SHA256
a52243937536065e98329ac0858651d9393cfa1712a37e2b5d7f046ea6b9b8ea

SHA512
1aa6cb208bc3d1133a37ee5dffdfe70ec04f08aaa5eadd3f32b7bf877e58c2c57858c1b91acbaf8605b1eb372fea0b01ac244f1529a6750a97c77bba45cd056e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8fba5d422b7897659e537b44aad53f8

SHA1
bf00cb67112189ae99034cec44f78eefa63f8bd3

SHA256
a2b1363c1906bd35fca9f4c73b3e29e8c6e35dbe2b715fd4bbf82b43abed885b

SHA512
009f4249b9b5c3a0c643854da327ad85592e3f1686c0785623427efac12f71b95b6adff8ed23542b8d468d157b5784a2fc6ac96051218a973d9217e8276c62e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584447.TMP

Filesize
1KB

MD5
0f744817e571996c5c96e7c2b398b3f6

SHA1
b99f0b81fcee103ba22306e6e9a12ab11c8a64f4

SHA256
2de3ff4e25d55f1b4c69d7e8ad45a49a4e3529edc94271e0d2c1e1a2b94dcde7

SHA512
18a07f423d3ac119e2cabecc69f3f2df8db5963a2be5bb73d46e05690f110d4a960a2362c8a367da4938fb9ba19b2ed16cdc69bab976883f07f69c83580b7ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
56f5ec01685acf601d7457b45a0a8dea

SHA1
f105ba83ebfb368938748a7a346c7c65e2181b38

SHA256
bfe050c7f8af2d9f5fbee9c66cb6835a5f242dc634af79dbaf0ea70472117fc4

SHA512
b244b09269ea9d64f311b9e2271e46407924bdfb95fe8a3715709336d56f84885d1423c4b40249b51e7da843d511961a25b11495b2f5ac65dbabfe0f39c37c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a1483682d16c9e21bced65a3debb32c

SHA1
d6170da6bf13c37fe8083ca6acddf1759580ce7d

SHA256
6384c9d84a68d3968528e1f223cf09c3a9e3720c0534cbff5e40c74ae289a8d2

SHA512
95d2beef193e6ebdc0182d2f18c47e0088d588c941aba8713c609fd56d9ebe148f03ac128bc7fe562967b7b89ebf5b6d35146d3ad9f8f0b22de68fe16588d5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5jehaol2.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\5jehaol2.cmdline

Filesize
261B

MD5
224d14f8f744444156fcd4ca0db13cd4

SHA1
0c3a18ad1ad71b8cc5a5c67dac3b89dc1501fac3

SHA256
c4644b752919d99b813a41c5960eb0a5c38e8e6889931115059ea5754848db1e

SHA512
929493fb75cb4709ed4834eefde6297bd3c0f6740d376d221e94382fdbf07d8042937d592724619953d83a7ec3959be654654a6123e93211cabd299dfb0552ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8jblwa8b.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\8jblwa8b.cmdline

Filesize
265B

MD5
b71e9e49edbe46814d0380b059fc03b5

SHA1
5639e9d62b6ca52e7b3b88d097cbfb02fe733a82

SHA256
39f5a1e5c6b42c4dc5286db120fa2b644176b8442e127ec31e7c9fff7842b05d

SHA512
875a54ee1ac31f7f66f216b80e730e16547f39e87d40442bd0d73fa61dc74f60236fb35838e04021bc7b9a2e34ac53fa1cb585f0eb5e61aa2ebe99524390e984

Download Submit
C:\Users\Admin\AppData\Local\Temp\90ergecj.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\90ergecj.cmdline

Filesize
253B

MD5
c460cd627a2545aee702cd2afe4185b8

SHA1
a6ea57cefa356326cf77dfca298164c08374962a

SHA256
9bee55a4c6ea5a9b5c9e9faf63fd4d6b42cdb85d7ee4808e1cd605ee6b8f7b41

SHA512
37c1b93e45626cd871bdffb75fcc94cc1e692e70c24a5bfaeb4b5addef3e1bf3c780e4fd379e1fb5196a84b1c8ee9decc68f33aecebbd57f0251d1135e0e9ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE23E.tmp

Filesize
5KB

MD5
6eae67671217dbc22d68166197779a48

SHA1
d0a9c58a6f255393fbad147d2075dff21dff646a

SHA256
4daf33bbed1b9775725fff7648f4eb0bc07f5c6131b564f77fd556b733650b22

SHA512
5accc3ec48d4e02817e4c95185a239c2d5e568cc3cf8e55f3f20bcde4b95e115453dfaca9691e1b75ee96237f8e36863ee363f54c07439e5bfed0181a56790e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE319.tmp

Filesize
5KB

MD5
c985d77160280fbdd423ac9606d240ab

SHA1
9a4f89fdea4aef1c2cbd7121e8a1fc6625945ed5

SHA256
5b98e1a590c48348216d105369f7e118053d5820ff9cf46f39f70e9001f09241

SHA512
4de5b7085d0ae3b17f0f9327741dedfb66556bc921524ec9615d65a5dd52f7b3ca5f2fb217e42761af496fc89ec52b81663ea5ef717d93d19f5c26e7eea50a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3A6.tmp

Filesize
5KB

MD5
ec3d670ef3fae6e08c8a4a6fafe7cb2f

SHA1
0501bb64720de147b4faa3e24910d304590d5042

SHA256
9b7a7ccdb2a65b9eb3fdc171b8d2d5a285b8ba95733890465b23b7bbeb1c7f5a

SHA512
4d573014afd7a52a8cff03bdbecca2c72741f5865fc35c574565f5862090574b2fad3ccc882ece3eb64311f1a3dff9413105a08165e34c8085dbafc468b13be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE471.tmp

Filesize
5KB

MD5
336cedd1416e56a6fa71751a142f9acb

SHA1
378ba5223d74acf2304fdb0230dae8acac7f5b41

SHA256
0db3e5c021ab228cc593160b44d6dfdb4f0fe76870f48482d356fadc07dd7dcf

SHA512
2ff2d5bcace5ae155d7c5e939400f2e4b6f55167513cbfcc4e2d1b52d1f64b43dcfdba7fba4805c9432c60ca4cec04cc9fb4b6679477512e7d1c94b0772415ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE50D.tmp

Filesize
5KB

MD5
f89f06ef89e715173d24b1c759ecab9f

SHA1
67e38969f5e194d538cefcb59c25d5953be0bb3f

SHA256
f862f27512d10e7d3e16bdd8fd09d3e57c1bf18b927eba5b1c0fa830e4d8552f

SHA512
03c96b91bab0f7f4b7aa312f814da1c2a87ec392f164787c21d89a1c9e6ec30bfa6a77aae5cbbd164dcef333d768b2819665b82696d4ccf904f8049e55be720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5C9.tmp

Filesize
5KB

MD5
7e003f36522403b064446c8626b6c7dd

SHA1
5e2e67b4eb6fb6f3a1413e0a6aeed4463a572c97

SHA256
db66744bde1e62e3b01be511867484c3c186a664980083f711a232a492b16c5e

SHA512
d8fdaf546269480ece8de2845c553e69bdf9621e10905fb672d1b1508fd4f0a8b8fea0bec10526d6c44a01a8e3bb1b57584ad57866ed4c7284431f5fd3109da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE684.tmp

Filesize
5KB

MD5
5246fdca4adce4ecd3b5bf14534d95cb

SHA1
ff499d8e6885b6b6f2981557e0195225dfd8c458

SHA256
03d2a0d6595a5c6e8dbebe4e0592c6ba8ceadf3e27d191a0cb02cf20e600b61f

SHA512
5c5a98fa60d848112d91e6778c034187fffb9d9ee753b660c268813d13b28d73abe15ab4918b536c56a92277d8eb7048b62425f2ce47e3b9869ec890c7a22746

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE730.tmp

Filesize
5KB

MD5
4f8798b9732a6cc9a7fde7706fb1deb9

SHA1
a53260425ec343f7ec991a6089eaa3abdb182ede

SHA256
02552eecdae9289cfac817ed8a09b89d6ece93f92fb533b920a301d36b3b73ff

SHA512
7602d6ef432091bf8c6a0c64047a0d848b38257fc2baaaa2f51ff90bea2ff3895edb615333a754f6ee30dc42866928531d6fed1b1c11b55eacb17396e9cc72b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE7CC.tmp

Filesize
5KB

MD5
50e670b0399154e0dbc3505dc6faadc8

SHA1
32896b46579ceb79a1aa0670dd9d3869ce544489

SHA256
0f453321eb269f2a0092b78611c88c82ee39458dff75bfbe0e20224ef1cae041

SHA512
6809147d7f8d9a888931670c4b4f722aca6ffee4d142c5c89bb3ab5567b35ba8bfe5c24e630b89e14b70762c47ee77b67ad5f7243d1cadd15c2c573144a0e69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5rerin4.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5rerin4.cmdline

Filesize
224B

MD5
682a3a08e38ea61b850ed6df48ed8c4b

SHA1
90967c3199a9cb56d298c751eeafca9b5f22911a

SHA256
acccdb009da1a7ef0df3cbec7e4ee8d69f73e8f4cefd00dbc7b35b30d5fa4c29

SHA512
0c51a5e623db34e4191be3bfdbd19d697b176ed97385f243d20c17b73d662d54a0982fce67d0f3aa5b2b43b91a4418006167f327cd2893653b797cb5038545b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb8e5064.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb8e5064.cmdline

Filesize
261B

MD5
63fc8d7d7f8d60f97a690fc4a51e2cc2

SHA1
68ad5eee95e3960cd08770fc1bf5f2146b027eb1

SHA256
9e8dc698456eab1ef3461d2b59cf01b94e1324741d2b2b040fc217e73339eec1

SHA512
167677ae89a7ca5c28018917d0cf79fb62bffa71970bfc14b748f4c9b05f0b1167414a50a4acb10e8a42929330f33eb0f21ab6ee1a564bbe3313ec438093c701

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvfj42ay.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvfj42ay.cmdline

Filesize
224B

MD5
30b45d56f5b83b242e6d6fee14a8b429

SHA1
cbaf5a4375d402ee71ff268c03c207f791b12f66

SHA256
3468a2e7c1a140d340d1c812720d36b60d154ef44aebe3562bda8a53c3cdeee7

SHA512
2e8ea232d2b1f37e97f307ed63bfadf6fd6a27296f88d842a150a56e2636469633f0ae178e9e7b224e21800d6d1a3d7d257bf24881bf00f1bac7e866ad492c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\ercipmle.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ercipmle.cmdline

Filesize
267B

MD5
a4ef63a549f6dcdb435f9b6614cc8aba

SHA1
51b9c49245e2c83f3285cffe6cca43d4beec5d7f

SHA256
5bcb67b4e57b8289bbf79260296463a7bdabe86ca8631c0464735ff41c555930

SHA512
f5c75195490a73f6f63997cba440b4b055b6081a53c8d63fc9419563579fe334d4f0705cd4d4915340db751f58be1e1b285d4119a0251e84fde409cb99b405b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
187B

MD5
08d2e4a2d9e2c22025fc369cc551ca6c

SHA1
fbb518fd33cf1c752f762dc43d904cacad3aec00

SHA256
0e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb

SHA512
92993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686

Download Submit
C:\Users\Admin\AppData\Local\Temp\sk2mimjm.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\sk2mimjm.cmdline

Filesize
267B

MD5
887854f303deb3f228a1b21309184537

SHA1
3bee124ef19c8f3f2b36b5f18e4271da40917ca0

SHA256
c03451b9ead4597306403b98f985a20c23a978c4f0701747cdd60b0cb56d4643

SHA512
6b3dbb25c67936c2cba52b91cec49c7bb452ddc25038b4ce9b37f73b13b2075094ad89cca0884e4cce1a2f5622b07df56d7dacf25d35a98ae57658e592d28898

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4157DBFAE091403C86E3DE879816CB93.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4A563EAE5D264D58ACB9E8795809791.TMP

Filesize
5KB

MD5
0534350659e80f4ec327247e33318612

SHA1
3ef80ddb7cb63d08a55b591fe6a0dff38d5d8623

SHA256
31fbacb6c44df54110e9f62b86a3607cc88a1fcedae4375cd7f3fa749c352311

SHA512
0424c2b9f5f7f9a0f97538729631e255679e4dd129b70b5cfb9eaf49b6f1583586e5147586eea04307e05275cd8511837a9adcf52c35bd86cc7cfca2d2d90301

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc51B75EE6971A4C28ADBA4676BE7C7BA3.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9D3CE1AA13854B7F831961DD9D9559A1.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB498E64DB78D45199644708185696E80.TMP

Filesize
5KB

MD5
852ad787d5b62a59d1a85e31224eb42e

SHA1
3f9125530ba96a8d00a2acd6650bd952efbcbfc4

SHA256
5c0fea62e1b6f98b0a2fe87cdb1569ca9c8836cefd8c14d351f95a08ebb4aa46

SHA512
71737f2f3a7b86c54b465aa36d27b42844693b113d207726ba24a4d3c803ba93094d7417d4eea7a0f3f5e5d5f5a74cc34694c5706690287e7b575ad0819be560

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2A7ED90BBF84464AD2D59F89A47B88.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC90EF415DE643528DF39B7A5815BB31.TMP

Filesize
5KB

MD5
5fb831248c686023c8b35fa6aa5f199c

SHA1
39760507c72d11c33351b306e40decaad7eb2757

SHA256
d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908

SHA512
2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8841ABBE5B14D90BC5E6A8DBECB841F.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF410075F1E743E0B4DF3AED25A5B1B.TMP

Filesize
5KB

MD5
2f824fea57844a415b42a3a0551e5a5a

SHA1
0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4

SHA256
803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee

SHA512
7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwcrpyi.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwcrpyi.cmdline

Filesize
253B

MD5
8a0419be31a87688bbddfb8f4ab8b98d

SHA1
904ac5db68e3ad1e71b1167b16cda52b85c84be2

SHA256
20237e342ca9bb1e83f99da128762ccc35853b590fcf8f4d5c9e46cb2b24de00

SHA512
ebaabe6d46f10bfc819aeb28fb7262817c3316e12387d2827b7cc7d3ae4c4f00aa3f7c209b3bcbda05535174dcbe0185c364c6b2ea412b1a1ff5c7c408b7acf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
66B

MD5
0c316e9c078c840dc345ec25ceb3e4a4

SHA1
fa8b31d5651a120b72b557ddec3116b6a5e8a559

SHA256
4b48e04f0d7f757d14133ee19b580276aa396f8d59c62dd9dfb8ab8141f3ab79

SHA512
6c9c8b6a210bc11676d3723552c71270b6a134a4d96739084806af7a094339305fbe35b81aa638711c9e3a3cfa3bc3d2977f7ee40800d48c489101cfedf767b9

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
199B

MD5
3110d034d09fea58c20ceb67d2ae75a0

SHA1
4df3fcae9ee8960d062ee7a1e27b64710750df24

SHA256
f1c0b77a028a557c2378bf17bd48e0ea2b8de153325fb4bcb3fd9186de39ec84

SHA512
fcb69787c973748ebe962cdbc0a436f7d3d1934f3aa3c645fe163f4a505151c7f0f0d9bd1c8d51788c2bdece0656a72aa2e742f153dd79210130feef688cdf0c

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
249B

MD5
ed3f9cab90414cd7e47bc527785ae198

SHA1
7b04e52ac93f3c07cf33ce3868c89606dd3e84e9

SHA256
87dcecbe19fe4480766496194fee810edae6a9c194451eec00d5403eb9fa4732

SHA512
228f46c2d97e681116dbca4e7b9c9f06e99fd081649e01f95f5e1963a22e67cf3823a800cda69075d9461ed9bf8a4287bb09b53e4008e8216b28aec1192598bb

Download Submit
memory/2596-340-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2880-339-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-375-0x0000022E6D620000-0x0000022E6DF34000-memory.dmp

Filesize
9.1MB

Download
memory/3304-343-0x000001C7BB2F0000-0x000001C7BB30E000-memory.dmp

Filesize
120KB

Download
memory/3560-336-0x000000001C680000-0x000000001C726000-memory.dmp

Filesize
664KB

Download
memory/3560-335-0x000000001C100000-0x000000001C5CE000-memory.dmp

Filesize
4.8MB

Download
memory/3560-337-0x000000001C860000-0x000000001C8C2000-memory.dmp

Filesize
392KB

Download
memory/4620-332-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download