dharma | hxxps://www[.]google[.]com/

Analysis

max time kernel
982s
max time network
993s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 13:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/

Score

10^/10

dharma revengerat warzonerat guest bootkit credential_access defense_evasion discovery execution impact infostealer persistence ransomware rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/1780-2028-0x0000000004110000-0x0000000004138000-memory.dmp	rezer0

Renames multiple (309) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000400000001def0-2087.dat	revengerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/3240-2051-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3240-2050-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3240-2047-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3240-2045-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3240-2043-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3240-2041-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInstaller.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInstaller.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInstaller.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 13 IoCs

pid	Process
4008	MistInstaller.exe
2692	MistInstaller.exe
4068	MistInstaller.exe
1780	WarzoneRAT.exe
1568	WarzoneRAT.exe
4040	RevengeRAT.exe
2104	VanToM-Rat.bat
568	Server.exe
2484	CoronaVirus.exe
5736	svchost.exe
4960	Petya.A.exe
2916	PowerPoint.exe
5968	PowerPoint.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	RegSvcs.exe
2352	RegSvcs.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WO2S841R\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	CoronaVirus.exe
File opened for modification	C:\svchost\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	CoronaVirus.exe
File opened for modification	C:\svchost\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GGQPDAP3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ALUNAOYI\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	CoronaVirus.exe
File opened for modification	C:\svchost\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
233	raw.githubusercontent.com
234	raw.githubusercontent.com
235	raw.githubusercontent.com
236	raw.githubusercontent.com
248	0.tcp.ngrok.io
288	0.tcp.ngrok.io

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Petya.A.exe
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 3240	1780	WarzoneRAT.exe	57
PID 1568 set thread context of 3592	1568	WarzoneRAT.exe	61
PID 4040 set thread context of 2352	4040	RevengeRAT.exe	64
PID 2352 set thread context of 3116	2352	RegSvcs.exe	65
PID 5736 set thread context of 5816	5736	svchost.exe	148
PID 5816 set thread context of 4248	5816	RegSvcs.exe	149

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\security\local_policy.jar	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\bin\sunmscapi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\gadget.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\PDIALOG.exe.mui	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmpnscfg.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar	CoronaVirus.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	CoronaVirus.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.id-AE0054FC.[[email protected]].ncov	CoronaVirus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MistInstaller.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1904	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c68a0a7cf4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430483489"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000dd6333c857e6e9076ccafbd34e7ca513fe4b1ba270cf47f7231b1b432e5388c8000000000e8000000002000020000000399a2d0acc2649b2aa26375a738f93610971f9f40f327198f90aecac2471e40e90000000496dc1c46292cd0143ce0d7f29babc275e340f278efafe189cad1ff92f98254009f5b8b98337c658412dab38fa0a5a11f33a43e89c5a0061004cb132a31a6bdbf01a4af924ec4adc2a2a79a23eadeec5749f44192bd76bc75a1a62e7af7a630cc13e2169b0526766f1b1491cbe7c98a53a16c686b1b48c5c739567c7954a9a1897922958a764b6b28733843be1fb743f40000000b772b4e80fbcbfcc9870009a5e56ade6af2ecb89d5c0b552e1666f1de5b804e57c96c22b5be766335b1a9d73c131e166888f10e3a5b22c815da6a464a007e0dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000b4a6520bcbba07a4038067d9f9a8a8245b34cf29a681b2873989239e380dbc8d000000000e800000000200002000000097cda46ad6500fd63616ae7a558377acfee1d3d0d2e6e4f9f1c03f2c5725698020000000b54936f11ec300bf7a6ca00704a167d2a00f943513cf89db017e11f252edffb1400000005c0117817779fe61cfdf1a0ebd588230e735a477ec1b5b19137e77857fb40b355c28f20819c85a12a04fd8e053a2a882e3cb6b0f49860a3319c83321a96e0cc4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34A92F51-606F-11EF-8CC8-424588269AE0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe

NTFS ADS 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MistInstaller.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Petya.A.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
3572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	WarzoneRAT.exe
1780	WarzoneRAT.exe
1780	WarzoneRAT.exe
1780	WarzoneRAT.exe
1568	WarzoneRAT.exe
1568	WarzoneRAT.exe
1568	WarzoneRAT.exe
1568	WarzoneRAT.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe
2484	CoronaVirus.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	firefox.exe
Token: SeDebugPrivilege	2944	firefox.exe
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE
Token: 33	1032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1032	AUDIODG.EXE
Token: SeDebugPrivilege	1780	WarzoneRAT.exe
Token: SeDebugPrivilege	1568	WarzoneRAT.exe
Token: SeDebugPrivilege	4040	RevengeRAT.exe
Token: SeDebugPrivilege	2352	RegSvcs.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeDebugPrivilege	5736	svchost.exe
Token: SeDebugPrivilege	5816	RegSvcs.exe
Token: SeShutdownPrivilege	4960	Petya.A.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1972	iexplore.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2104	VanToM-Rat.bat
568	Server.exe
2944	firefox.exe
2944	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
1972	iexplore.exe
1972	iexplore.exe
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
1972	iexplore.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2104	VanToM-Rat.bat
568	Server.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2660	1972	iexplore.exe	30
PID 1972 wrote to memory of 2660	1972	iexplore.exe	30
PID 1972 wrote to memory of 2660	1972	iexplore.exe	30
PID 1972 wrote to memory of 2660	1972	iexplore.exe	30
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2652 wrote to memory of 2944	2652	firefox.exe	33
PID 2944 wrote to memory of 968	2944	firefox.exe	34
PID 2944 wrote to memory of 968	2944	firefox.exe	34
PID 2944 wrote to memory of 968	2944	firefox.exe	34
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 708	2944	firefox.exe	35
PID 2944 wrote to memory of 560	2944	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.0.1865614069\1067150996" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c84143b5-dc28-42f6-999c-aee997a4aa3e} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1284 10ad6458 gpu
    3⤵
    PID:968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.1.1133697009\1803017353" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {598293c0-c5c6-4103-add0-8d53676d0fcf} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 1492 e72558 socket
    3⤵
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.2.1652871089\975484360" -childID 1 -isForBrowser -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0a5e86-ebde-4aee-9f60-56314c8f98e0} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2092 1a88c758 tab
    3⤵
    PID:560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.3.1108773296\1838491005" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 2508 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a5429f0-c5ea-447c-ba02-9e576737a171} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2376 1b604d58 tab
    3⤵
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.4.801642423\837576487" -childID 3 -isForBrowser -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f19170e-c67e-4637-b5e7-9dd40a6aa3a3} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 2976 e62858 tab
    3⤵
    PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.5.198529539\1019845920" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3848 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36fff171-0e8f-4043-bfc1-67d1733b3a01} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3864 1f39d558 tab
    3⤵
    PID:996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.6.1529753977\374560083" -childID 5 -isForBrowser -prefsHandle 3976 -prefMapHandle 3864 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f02f379e-4815-4276-ba3d-3fbece0d9a79} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3964 1f39f058 tab
    3⤵
    PID:2720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.7.1107074976\1683413943" -childID 6 -isForBrowser -prefsHandle 4168 -prefMapHandle 4172 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9de58df-f8a1-4b73-b17e-0231a2290d7b} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4160 1f39fc58 tab
    3⤵
    PID:1660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.8.1334926712\1941353039" -childID 7 -isForBrowser -prefsHandle 4532 -prefMapHandle 4528 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89a20441-dac0-4513-987a-d0d31c7a8fb3} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4544 231f4c58 tab
    3⤵
    PID:2576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.9.780215739\2096278863" -childID 8 -isForBrowser -prefsHandle 4052 -prefMapHandle 3952 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2987a8c4-1c16-4c6b-b187-f5cc9114ff44} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4104 212da358 tab
    3⤵
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.10.1773265653\442686346" -childID 9 -isForBrowser -prefsHandle 8672 -prefMapHandle 4104 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {beb5cfc7-8527-46c3-bd3e-efb14092bdc0} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 4188 212dac58 tab
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.11.1810849271\128170731" -childID 10 -isForBrowser -prefsHandle 3228 -prefMapHandle 2884 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a173dd-0795-45aa-8e03-1b7be5c7602d} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3608 1dd64f58 tab
    3⤵
    PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2944.12.1876281265\957537036" -childID 11 -isForBrowser -prefsHandle 4364 -prefMapHandle 3964 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0488f59-51e8-4b82-af70-6262a0e36554} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" 3636 22dd0858 tab
    3⤵
    PID:3452

C:\Users\Admin\Downloads\MistInstaller.exe
"C:\Users\Admin\Downloads\MistInstaller.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4008

C:\Users\Admin\Downloads\MistInstaller.exe
"C:\Users\Admin\Downloads\MistInstaller.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2692

C:\Users\Admin\Downloads\MistInstaller.exe
"C:\Users\Admin\Downloads\MistInstaller.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3563.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240

C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4106.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3592

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vvsznej.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA9F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_gji9rk5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCADF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCADE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q3ijftrm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB1C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgluinoq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB5B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zresq_py.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3304
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB89.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zcicw40l.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBC8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fu2aible.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBF8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBF7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kx8sk2ze.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC45.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ig2pki9.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC73.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vge_ddn9.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCB2.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_fskwqm5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCE1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n39txe7a.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD0F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1gbw2tsp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD4E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkb8gn9x.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3636
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD9C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqyxrrku.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDDA.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1sjx2ipt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE1A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE19.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yn8cbv-o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE76.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxn51nzg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEA5.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-u57zzb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCED5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCED4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rujftpzt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF04.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF03.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mpjawfpw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF41.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r92bgult.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3360
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF70.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gcj2cwp7.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFAE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4248

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2104
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:568

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2484
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1628
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:3444
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1904
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-46022676913018288272098096019-1088635784-1199771591-18990325091996117762-1996445325"
1⤵
PID:2304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\Downloads\Petya.A.exe
"C:\Users\Admin\Downloads\Petya.A.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\Downloads\PowerPoint.exe
"C:\Users\Admin\Downloads\PowerPoint.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2916
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll.id-AE0054FC.[[email protected]].ncov

Filesize
2.5MB

MD5
e0ffe65dca819cf3443afdf5d482c6bc

SHA1
6961115d19cbdebfc6d7ba0bf7f76d63affe3d5c

SHA256
0c134586b64fcb174a173ff94403435b0ce79f1d7af7c1f16e46b0f0e50e9d72

SHA512
35605ed531435a9111213c46b010d7340346024f9432bc9c28f9ef6dbf16c4eed05231164289dd9868f94a8bce61b36fc99937da8266860fc09be486422430ca

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
47a330400d71c045eceb8fbc70026c83

SHA1
d65390e91973d35ffb9f24c7ab100aa5362835cb

SHA256
5d837562e3de4eb5ef038da0515027fed33b07337d5928a51427f825024580c0

SHA512
fd305be2b883cfc6c713f0fb7bd926b89c03f1825689f91a954dd6d9484cba0cf4ee684dd7fecc7e13a99229e59311b7cd8f0af031db4d0388d3cf783b510854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cff280c83ce1fdfd2bf0d033804f874

SHA1
0a7e7900f0bbdaeed9a7724573c768e20b2f1514

SHA256
50b2984171f592896b05887642f0c0e8d0751be888a54cf3ce745e9da1c0eebc

SHA512
982d549ddaa193573e4c660046d265abd7818a1edb70f9f98c9ace7a528df3ffbe8752c31347a6a2dbe98093e376cfb548e759c247e60662a80f43cd06d045f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf7f4211bfddacc8f53b52d2b774adba

SHA1
45ffc7f7e76afd109ee290c3d6fa8c8dec173526

SHA256
98b1a9838529e10fc3e4e6661b5a03d4606714443093d51f6f06146a6cd47d2c

SHA512
b16bffc9d469283285ae804e4da2c2f43002ec348b8bb9e96bf17d9c5fe6da1e13d2be3eeed96c213a5fd237689d3801825bd74c2610e7566ae9c43bde65fe11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b336da4bf4664271110088a3189ce86c

SHA1
db3e1d9bf579c9ac6de41d94d5a634e423186205

SHA256
8c409020993b52c0ccf4b92f6b5c110a65850142ce1e514dabc9f1356888db7f

SHA512
3e9e9fdde8d22cbe48dfd9d89517ca575c3efb1b3b3bc240a8cdc0516684d994334547362102d92e0eb98f2d13b6a52f1b9be2be50de28286a58be2452c3761b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23e822f883e7546d6dd5c8f96d6ff36a

SHA1
bc47f9a433d40019022da69c06bcd9ce9197135f

SHA256
2b55382f4319289ed716192368f3c83bab897e74acceb9e9b325276349b914dc

SHA512
395328af027c92c2f9b0b6b522a69214242aee37b85a2c83d0b4d693837a75265d39321149287aaba641c33fcee6fbf570b1bec1903f8628e40288fec890b910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
200b125d5773ef228b312610f8faa734

SHA1
c84d30701d2fe430244ca77dd1e11d99ca9c533c

SHA256
9190f54453dc7d5aa995c81a6087d6482ad5d7f01ed61c132126898817c4fbde

SHA512
7adfb29803af9a39e1dba6bf17261e45c0c87924d5d3ee61a000785bbae79a418abc466424feed2c2c7ca63f04d62706231586124f4b3a09751890f41918f65a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c75ecda8d2381fd9dcbfe6b8cbd6e6e6

SHA1
8003627530a0b29a7c4ebe0269ba30ff3e44619a

SHA256
ca127e6ae4142f55bae956341ce0c13ecd7119c944093fe5e3c483252181d648

SHA512
848e295fac52fe8bc5c054317a63a699e4b3224339d9d011d870f748bef2344755cd313cd33504a06698b9c00b21a464adc2cde29fdcd24d3e1732f6542fa668

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ac56e3f91411c43dc362c7944017d35

SHA1
a0ecad04b6f0da9887989167acfbf1a1d4099d29

SHA256
cfd62f030c282a82e77b8c9c3458db163787dd4318c6ddae4bac1e7c1a234b8b

SHA512
f237f07ab824dbe0c01b1aa3a0c6c85954ffca2360e41d937039d1d937917b5d56e8ae9919bddac4eb3ba3ab19690ecfba361c22b59a40b836b4dababfabd03b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbbf3c7b3327362c31f976f7a4959200

SHA1
b1e7f8d2389f5c15c3d335201b4e9e6aca7212df

SHA256
00808a9037e0686dd47afe533eac3d395b2a1986e31e9a9e7a599714014a8acd

SHA512
7a258e2ccedfddfa9fb3052fbb0f83bf9e0616115a4ebd3752b195675e568166f0de681a7c97cda04e5c1721c18786d9968c93d637423f1b66fe1bca79cfed83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
707818f41062d68cbf7b874a536ec234

SHA1
1e7d78435e751787ee08959cb56cb1728c649abf

SHA256
bc57e906a6f0e9e83b224fc4e8a43af7e19941df51fa9d1b5a6dfb9267777ab1

SHA512
b9f774371dadbc9f71ab2abbdf61b1beed6bbc707e95ea3fa76d71fbc56f0d7644c0d4d1748a0bb45f78a54f5ed675628a9e2ba5a675e037fadbd00bf17386d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f53a2f3a1c3542146d8dce52aedea1b

SHA1
666150d280e8a5e70ea4ba2f8f715aa510e6fd78

SHA256
986f94a82fb468a8d174150a49800ce1b5fe956afa4d3ae24a334d9d0b96c606

SHA512
a2c9a90b356d573f78f112d3e1937f6ba1305d09f749bf8ab50bbac0395295ec79b47f5ac9da699127cbb3e3d6999b2f0bbbe81c973eb3356f34235544df2a10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c841b0b9751376f8909e86736528c3d

SHA1
fecc8ec5f18d9cea8a4869a2c8099f85ec1a4a2e

SHA256
b3dd4ec12ba29fe630919f491b253e129337599eec434fa05a30da4cd3d92c56

SHA512
89ba88bfbb9b9d4987c237f929e5da8bdb8603fa96472ef1958bcfa7c7ff39cbb5a19c620f1ba1f979fd902916f338436e78409258a1a8145c75eb74a9b5fa0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f2042dc44009dc27b1a47a09656d213

SHA1
0782cbde296bf2883496d2bbb48143bc0755c0cd

SHA256
698bae1f552783219facf7a3879a784f735eb81a4f7db86b1838502dcb343964

SHA512
fa3d9f32c6807302e16531b071a5a2304035a5e61a08a3f569701259e623b1e8ef85f24ec97ce9da1a7f293621be633b242039e04f4fc64e182bc0b420036f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbe2f9c13ca4373e0f6baf361dc37b20

SHA1
69b986c59785fadfefea8aad4804d3ff4d7fe707

SHA256
7c0620aad7b6aeaeccd297b2a4f3e07c9c2e4c05496cf9fa3a09beed84b05be4

SHA512
ceaa57fa706a9ef14ee8714681b21dd2f8396b437877f99fa6acac33afe983501af053f4a3820a362d623309f1aeaff5c5d14445f29b232291f4f0ca47fbb058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22a39a613f11012c08c54b0ff93e7961

SHA1
cad50373b456e5d4762bca6bea88d00370633922

SHA256
af216f6ea7e7f65317ccfea86c9de898442f746092b8f360411d8ffb5e77421e

SHA512
adf582a9ca5328a5f4fb53d44fff34cf4852b75f6bad88546d6a2b466b2fbd3b8e020d71513d167eea653141915304b8743fa239a38011b6cd669f69203f3758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
372a9939fc598b8e34b02dc875b9cda5

SHA1
d9d60ad45897683202fd2b1144b3a585e6ff1409

SHA256
394133022ddb545717520658cac7cdf32ef79e634169c5b33c5edc71f4d9cf66

SHA512
e86af43f14ab9438e9bf80fd671bd350e4dae95505c88fcca5f43ddfd06e784e11965cecc1605dd7250953a0d8b684f7f564f1474fa4f04437b8e7e25847a35b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f209351275e998e5a65aed513f95f0a7

SHA1
c5f789397b37281ba5dc6f7e3dd4260e22a2b718

SHA256
96a986df87e8a922f2da74ddebd739521814358a004c2c2ab5fac8afe118325c

SHA512
0e146a0735c34567d39d004bc54f89fa68e7b78ac871585d4dee35c05503ce496c411407a0664c55f70debd9d717d62e4c7165345fc3a13bd2b42789351b0406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f6e699ca7e093f237683c728ac22daa

SHA1
f4623cccd706b77b4755b6a01f272a0ef18dbf42

SHA256
0c43c50eb90ed401267d8dbb60f1736cf5fa5f0ab95484f61c4c37e390a6e97a

SHA512
329d50d8078f1e20971955162fe05fa4c6bc1f826f9094e59997fb3b1b94ac95410e42d6c31eff22a23967f85054e63e44d3396d60df4bda8a243d6321a16712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
897872b364fcc621cd18e7638bf7696e

SHA1
f1984a3b04d3259f2cfd8acaf9f17539d668d37a

SHA256
81e41db3f7e38e8bf28f40b4ba595850770c7794412dc0a7e7645ff7c4ce811f

SHA512
2f7289a55e04a86b0ab6183bf0a4b97d6363548e8c56df4b0f5e9a90385a173117945531577f67093d91d320a3fb1d63602d6362457110252ae746598812c45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\3EIIJQUF\www.google[1].xml

Filesize
99B

MD5
9ee6abe1de1c899f127f0d7836321d49

SHA1
77209b8e35f525c4121edefeeb1b4b12708669fe

SHA256
e491148591d2aca63b9cd9ba38cf0818da2df4d8ac75662eb072a470b7f0e460

SHA512
006e9b5b3a98cbca4c8a0d611a3fdfa46153d3e6d56bb43812c3a762410d36fc36b146fab47ba868b0d415c5c7b95d4363d23e95ef8130f2be2332339d7e2afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
5KB

MD5
55f853301e6470ea0ca486fb18316279

SHA1
2b61d4415c860c970a3bf2adc943e128c84d7fa0

SHA256
4b793107cdb4fabd12c6cb7494870d397d4d075202531b7318948ac4ef6f62e0

SHA512
b63243b075e1169ab79001d8256e92fb50fe69c1a883b29eee34473dbf490625acf67c9946758b689cd1ba9accdfd88a3aa9d2f65d1299213e1d1a18392703b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\recaptcha__en[1].js

Filesize
537KB

MD5
70306d36ce9dbcbd8e5d1c9913a5210f

SHA1
04949ad636f8cd09bf91059bc4aaf1973c92a15f

SHA256
1425b3dc4e809e5488aae10e2eb2511f652c6a9c3845c98c3fe69f07fe0c9e2b

SHA512
a7f00ba83fee80e7f2006c9e1f0121e2e515f4956182924e67c95a8c5522f30735f7bf4a6f7dcf3cbd29a685e967b1c4ddfd72d7f1f4cefbe55326becdacb275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
40KB

MD5
bc08cab8191af0833bc2b80320b2c1db

SHA1
23490a9a721e5c51ac21b8ed71e7629a8da8b7b3

SHA256
85a7c26fe8b7bbd5363a24731fe6596671529b790652b2001c78a8f576521b7a

SHA512
f81db4cff04f606cd9cde42aa9ce01828939c5fb95460a11bfe049d4cf95a4932074429bb535d117f6c2d1a41021413b6f0fad5811212d21dc3d388427d49382

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\0A73C6E23F02820E5C7F05AD9890531BF91D87DB

Filesize
60KB

MD5
1e12aaef1a8d275c7fd0515bdcbce71a

SHA1
be6e64289bccbfed6ed8a7cb66a43ff265296c3d

SHA256
465c0833dd5cb13256ef0a1ff29794d308e353272159691f5118b85241aa23a4

SHA512
d687830782448e9b7252d75bbeeafdf046dcbe156fee1bbfe661bebcbb6f941cdd5ec4cf6cdf6a2054a4a57953713a0d8f8f44790ff868c821c231e31f712587

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
666KB

MD5
45ab9b804d62fbfa4222e91dc972836e

SHA1
44639c4cdf9dd57f75814e04b1a83d57458cbc78

SHA256
beaf668b12de17b570d6c94adb7d9668c1d3ece7e9dbf035c0f7c77983531f59

SHA512
01990cb10c444c5b09b6a359dfb4e033a4f69f9641390e9c2758b3a77991e18e67c41abddd34e968be02acb58047d4b3ab4b2ffe3cf2bb48dcf5d6d7f42d5cba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
14KB

MD5
ebf902ba1f354d92eaabfb216837ff1e

SHA1
a33e8e89833e4a7a4682e103fed5b3ac013b5c86

SHA256
a228d8f9d2ea62b87ea4b2c7fbe26d44e1bce8c4d5fe1583f7153f235e10d168

SHA512
d39b792f73cacf55d5af2613548e895dd1212d938f62797e334bbf68d36eb1b09106d709e3219e5d6ffd5acdd000e5a5c034faf76b39feba77b09cd31bdf010a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\78C5602AD9B870C6C4D381677456A348D0186FE6

Filesize
55KB

MD5
fd778150a05f4e40ded7e0e559cbf4ae

SHA1
5cdc32710222772ec1f8f937a1fa8321507e0e70

SHA256
83bfa75d288e97a5c39348b39a7f7cb0d48c9f293ae719b140f777b737f47a62

SHA512
ac00c07942a13e986554195304ff29226f353da9bec1a71fe6f3574ecb89e870a8c21d3276ebbc303c3ef54393ae3eb4fa8704a264a5a7e9314c63ef258f5ab5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
1.2MB

MD5
db938452b2adc1aa9db24f74b6497f6f

SHA1
90f30c248f9f5d277bac977c2501002232825676

SHA256
534819bc0d80d952ea25fadf1b47dde1a8cf98e03b3dd6d2f658a702fde22731

SHA512
4b7ebd979d3d3184a4d5d4fde4340e53d5dbf21811bd3ec836afe5a256588615959435081487f25c54d526cbc1a4a0f227de68ad7402f113d0cd555cfafbc89c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\cache2\entries\98AF737DD946CA3B37F8CD63EC1E1756F57F2E19

Filesize
36KB

MD5
f991a775accb526a436a529bb168c802

SHA1
8792b8a07fb3c8db48f81c163b862f3617962823

SHA256
303438ac6d467eff3b594c5f068cf39b1e0d58a674d9a35274d34d75cd9280df

SHA512
533f0d9d55ba3f052c0d52f5931851cd3c4853a70e8dbdfbc19e3d35e787a46bb4372796999bdf0034b4fe1a4323d0528eb30a81c2bc06c05837ad16a16bf082

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\jumpListCache\90yTJt0u0rUhvG8tZLSSOg==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ig2pki9.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ig2pki9.cmdline

Filesize
265B

MD5
ae7e4ba81a5f30fe8bdc75180e0e774c

SHA1
b96dda3d1a73ae04f620b22c496c73018c1c9c83

SHA256
3ec4289177fac32c1f19ecb25bac1e1d62cf1d3e1e1e00733731b957dd4ff84b

SHA512
932bf18f5351a082e724deaf084638d32fde4ccdd0bec7371ef82f78caae46caff8fb5cbe1d5f1fa280490a5e87c6a8069ad2b2ece6cf9d1b911ef9f282bcc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vvsznej.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vvsznej.cmdline

Filesize
253B

MD5
90648ce88f9f008886b738039032c068

SHA1
a9cd9ff92693397884e83a07fb86afd86490c783

SHA256
5d15b54f64af1983ceb70b2bea7276429d953a76c14d7e6c0018f3c50c7c919a

SHA512
f0a4e341286c8b776ce536f8d0cf870fa7c6e0737d02610dc7063b9795cc32c1a82a9424cb17d52373f0ff3601c2034b0046ece035a7dabc7a941c833376dff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E1F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAA0.tmp

Filesize
5KB

MD5
0bf39da6439cd9a9bc7af2fe91700ebe

SHA1
46d483ec6ec8809bb725ea78629651b29d0065fe

SHA256
bad7256b00952684d714b84b0311a26df3e352e9e606ea9773df7bfd6c9448f9

SHA512
0f44a43d3a8651036597aa8809145ebb90edeb12e85e1d17d77bd4753111d830a7e7aced7d0bf7b2af4d967ed05960c305810743c8712548805bf09b3ed01cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCADF.tmp

Filesize
5KB

MD5
15c653c00f830b44ff0fb09167dc61e8

SHA1
6cb96912c23a5afeca03f54b443c04b68ead1bcb

SHA256
3a7f95e103ba010807d81a51563d205f8e4364671e0106de822d1f02dac606ea

SHA512
2217b4d625f478e3969ae8e89d8e5d3cdea26df6f5c5de5f79056aa4f8f96dcf7528056676f5077e74d390457384dea9c97288783d079aeb51272ba270d069d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB1D.tmp

Filesize
5KB

MD5
d8b293bbcdcece0142357c5350cb8852

SHA1
da80169c09423aef5ed9bc81374b3adffc9f6035

SHA256
19f4196dbf47f198a3d4793a63f48de0d22d82d4f8a22d4689bf027bcd1c2b0e

SHA512
304c3bf9afef3253c3b72dfc28e6730dc1b14f9069abf0d3d864c80a32ed8e307390bc564088e58db54c6e3be35bf6449e58de30e737caee15f4672c64ec2f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB5C.tmp

Filesize
5KB

MD5
4ba9c206ca3d0882c36ed5ce8c256d6f

SHA1
8ea6cde83dec63ba9c595badd3f9bbbd6f6e0ae8

SHA256
b814ac5282a4adbacbc7c115ee9058008bd74913bedf04ddcac0bbfa287522ed

SHA512
d2cc5f47942644f55401f68802394bfc3c4e74e26e571aa1be3fb55dee4501df5cb57b59d90f85fd5f1d9e61d4d07948ac7c03df41a1fbd796233b452564af65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB8A.tmp

Filesize
5KB

MD5
1266151d2dadbd12aa40dc0439711e71

SHA1
9eeb38cbe72961b056cf2e289cd9dfc7646852c2

SHA256
4ad046a57a6896e29a6f33eef43f27bcd89793f839e31f916eec54712d4d29f7

SHA512
6826a5860c6249a2c349d4a66fa8a13b1146b5706c979cf6693c6b1ade4ff36d75bd41d301256ef89d9995e3e09ce643cc0e652ce9e27d04b92813c252d0922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBC9.tmp

Filesize
5KB

MD5
efb1c47dbc4a94259c398a97956e39e8

SHA1
64b1f73c76a44eda7752255a15b94117edde94e7

SHA256
4572c8f45dcd7f3a014ac069047357c0aa3bf99ea7578aba13011b6eff12cae6

SHA512
7061cd487e1b3bc86da5339a73ad53d05947cfb96780a54e594058ef9db5aee980a16a72431b3a790d285aca83273720a5c9698773b362d702f9b6b5eacbfcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBF8.tmp

Filesize
5KB

MD5
c3d8045bfc0f64b882265d54a28a8ab9

SHA1
698d01d915fb1490f47336c8245fb333c3a4455e

SHA256
a21577a12f11fa0d7b74416784dcbfdc7a0808d6f78079ebbebad94fad830fdb

SHA512
d6e752cf428fa33f82205f5ae535785ad6c4c01f78d9dcbc0fd8d01c5156c0f7fdbbd15e485c8d37b2d2333649c18e91245de2f8f22d9f6700aaef193f30c4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC46.tmp

Filesize
5KB

MD5
e0457d3264932c59d396c74c9ee3f295

SHA1
92bfcb97714a1e552b0e05d627e175924819b76b

SHA256
8cad6ad0f07f74e8652224751e2eaaba85afe35db90a4a789b04d27fdc0d1374

SHA512
563944e531f72b09078070c7256b35b3a04deb9c7fb3614cb712947d0e133838d479a3d9634df9e46de5d63e261b272bc84a2c3d0e11dd9edf63f84dedb8d3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6E22.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gji9rk5.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gji9rk5.cmdline

Filesize
224B

MD5
3d847d12e91ec89e06355c92236599ac

SHA1
7e11c87709657c0342df35999000120ea25e5a56

SHA256
0a0e6fae4bab217fc6b155cdcf6cd2d3c6b1958c32835f850a6ca598ef63a7ad

SHA512
969e8779442a1e996b6246fe7e5ca231b30ccc4c8ea5fe61823181d8314da04ce67d500925eb3ed13b6fa89cfb8ef9fd3e6b18b07b0c4a6936648143c8d1f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgluinoq.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgluinoq.cmdline

Filesize
224B

MD5
e62bae8af3a78854cf561d6a1924611b

SHA1
287585bb412b48e547d23088b668b3b23bfdf840

SHA256
407892ce47b6f9fdbc3c15cbd739cf984fe766a6ea63fb1e76bb85a8f3c0f5b4

SHA512
a5e33b6cd7b7d000c98b024e4613a4f9f1586dd63a78f00da4611825bbe36e9b6426eeb3871b286c5b99fb746750e58f31ca3e9258caa4d54e8b924f9da828ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\fu2aible.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\fu2aible.cmdline

Filesize
261B

MD5
d1e75d6ad383f7f42ca4e11be1691343

SHA1
326c267c8a20c765632cb7b540d4e2c11c1eda4a

SHA256
081cfe516055b784215f24949488631898b08361b55e51d249ea79f18ae8b2a2

SHA512
2bcf96f63e894b503b3eeb2b5209eb903671c13bf3e084169f3eff0eb3d937d1549ff3d6d643c93f648fb1159f19ee0f1e7d885d5eb518d980cc45ab2aab510c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx8sk2ze.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx8sk2ze.cmdline

Filesize
267B

MD5
407f1359c1df1602c5bf7945ab532074

SHA1
2f0bc66b19375e88e7f5a65a49e7be24e3a44f73

SHA256
f541a44940b462d51249e6c15ba5da3df83118e8800554237ae45c14d41bb0e7

SHA512
d298a25e2373a9d6a94ce248f684a12d3a5a6e907bb36574205c4db9f96a9949932360eee0225c62f9bd2160396db66a7f02d950ac0d0aa39999034e107955c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
39B

MD5
7b3afea60421bbb95c700f49165bf550

SHA1
ba0e7a079884966f14c04789008a1b3ba2253d9e

SHA256
3f331c4de18b623e9ce3d32ad470bfdf8769642693b453e8d9af9b258ca28c7e

SHA512
c96097c961a643b99c2148f29df5338cce83042704cbfd55e9d4aef3f723b0a93d7fc893c3ec1ff031890e21f4912dd63f09391c944fe46f79d0fd7b46b8187d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3ijftrm.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3ijftrm.cmdline

Filesize
253B

MD5
b4dbcc94665581dbfa619a9165aab0ba

SHA1
8f9857705343d7370c84890e381cc3571eb9d786

SHA256
257cd54823efa73e0e7868925706d11c98ba1b5a1a17798c2dafea98d3d71249

SHA512
a0e67cb7484eda96d43d21b282bf6bc9aa336a33191a0f00210e217b121c8b255de8fb64e1d365c18c081f2981278b956ba08ac323a5f40018e44c7e53fcbbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3563.tmp

Filesize
1KB

MD5
ac3d04bf09d323168c2ac9792cf150b0

SHA1
29203b00e6ccf8dd6c80d9381b147520171fd102

SHA256
48f6b0bbd31c177a8b501b4552a53c3593882aa7bb6b4fce8a37d78cf47f43c4

SHA512
141caf107a74f826641705ca7a44762061dea60cadd4f0cf11bfb00ba2ad9e1465db693fc2e8e0adf93fb801147bc10d2f7d4e8de54dd0ac9d08394e1a0ba4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA9F.tmp

Filesize
5KB

MD5
955c29e6642db6b23d9ca8d18903794f

SHA1
2a12553a01cafeaf83d2f52febb424af00e649bd

SHA256
6839c94e5031c8646f5d3db534b41c09076e93cae238d1337aa8a1d41ad741f5

SHA512
30eaed32fb99fa62ef8883c4b6e34678175cf8ce24a953d80e43ef67a68f79e9a59996ea3cb4465c6f6d6e0b03a0fab1b241c1d21430bedc49e3e757293fe296

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCADE.tmp

Filesize
5KB

MD5
d7d67a3915a3aae053cb2867a77fd9fc

SHA1
829757b4c84456ea3771deb6988e77bfc3ad117c

SHA256
d1d578383b3b0b42856bef5deb0fc8cd2406e1f9bc8f6818b2c719a66e6d8093

SHA512
bb877e96798c34921c613aaa44e424593a791f450a10e254e5a643ec774d527178c7b36bf91cf683e712d893e8e321c8ecafc6a2521f148200f769c9ce2d78be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB1C.tmp

Filesize
5KB

MD5
666d582d0f49759982ad0b7cea623a35

SHA1
54f28f61b9f4ae52dcce4ee9eb8ac0b8d7809ba8

SHA256
b890a7bcccc09c2d2577b944bb32e3419d70458e5ecd02f2f846325b86bef862

SHA512
29d157e897c2e0547cf105ebee1dca1eabf410ef364fb807055e2dfc79bae4be60ae2d8f012ca02eb37696b335fa0eaffafa1db7a032b80945fcabf954b18d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB5B.tmp

Filesize
5KB

MD5
1efc3dabeb7009b6007394dd082dfd86

SHA1
a410d235b0cf2733a2ebccc1215dc6d0302a2540

SHA256
6185bd2851899871047c82a55a8019a7f3435270e8e93bc06aa3dc757ff55846

SHA512
25cf1e8e4a81fc324e1b0324c41f67381ca47760a9cd64b52111286f4ce2b02228db5c5e948586201628ba0a6b8fc73597b216ecfe3b74f072c3ba9c0e7e3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB89.tmp

Filesize
5KB

MD5
a4da846ea032d0e25d23ca969a569fe4

SHA1
facf679f92a929a6fd914bb43f7b52e6536b6802

SHA256
329ca0161ca179613635d25604e61a249ba4f1b762f5672bfe27c3bb9a7f47d3

SHA512
3255e2339afa13b7e0f1d74572712bcb87ee7366859b3161bf2570b57a9738c1d195a14a7f784849e1ce2233f31b048c393c07f854c0a7a9fb037693d941f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBC8.tmp

Filesize
5KB

MD5
f039d48c1767e0e4303ba43ffe355c97

SHA1
2e92eb77d16962623212f004480717303db5101e

SHA256
e78a94663d6c227a309e24b0952ee7ec52c49fe817a02f29516b36d24d465acb

SHA512
4a5e0e693827cbf1a742f71e8b6395382cdfee797ee1e8b0b3fb9e4132e593da9cc532a5cb0b2e9d660d2eefc29f6b0bba849792a6385100348d18cda0950ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBF7.tmp

Filesize
5KB

MD5
abeeccd127afe60188318600ec0e2795

SHA1
adc607f07fc09053d796abf25095c76b361436f2

SHA256
d1df4661c37810b6e6d906cad05c9e45c42a080f2b832e56c9e08316a35f6792

SHA512
7a6ff2db0e83b9b6d24210fb9a44ea3e0345221f656f46290841bf352edac16dc5a4cb4e8a914ef60c6ca507e6bd5eb1e169ea187feedb7b3050022567dc0ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC45.tmp

Filesize
5KB

MD5
55e078852806b5d83533794483a09a7b

SHA1
ed79aa8f044b59bdef3c7091acab59f92543227c

SHA256
be654a24194cd1ffca4dd20466530905c4f208bbfe0f464746d6784bb56e60fe

SHA512
632b637781498756bbffa5b267d80ed155f6b89a2842a9691f7cf302ec8ddc1b360d1f4202661b666fd01a1335c6d0ef2f2c69a10c5ff15f086156f2eb031068

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcicw40l.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcicw40l.cmdline

Filesize
267B

MD5
64894b567e89ae4d44a057141613f208

SHA1
728f591eb36939834b6d9dca9ea98cbf6469d6d7

SHA256
a8d3d9f09d7da5e605c3b2538a20c225ac0257029e1389ef5657c58dd0ebcf6d

SHA512
66184b846fe5649dc6f29ea454725c4e611e86f7691329f70dc06c2eca6513eeffd670f023682b82c3f7ba60363eab0e307f2d01ecc6f689fe2e840508a43774

Download Submit
C:\Users\Admin\AppData\Local\Temp\zresq_py.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zresq_py.cmdline

Filesize
261B

MD5
f754ead03ce17eb7fd0eee1398484022

SHA1
0821e6b5893b5873483f6a2bd5e15f4d071d1ebe

SHA256
dd657e7ff9a34ccda4969b1c7f0e51e8acc04532aac9106172cca547b5c91e38

SHA512
d2339adb92c0826d79e411f9ff618471833c10ad0883af8de76a72fcd59d5906df064f10d60e4f12bad6b7d45a985de245ca86a28a4f52ca0d5e79d81d95cd55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
62e07941f2eb87e02742f01ca585b113

SHA1
9482588f020e2b9d9f12e4fcf39450d8c01d3185

SHA256
516d169e5c84a428148ba29efbbae7a41853774a00f79f46407fedfd14f79f35

SHA512
52571fb3b0b879183c8e342fee2e2453975f9172e198fd509bb6af14627aadc1e6aa11d3914a63abcaa5d95f4c70c976ce01fbda9604c998d06c87f717516f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\9a088451-c327-4c80-90c6-754eba788910

Filesize
745B

MD5
6c16da0482b17e588860b2e2d1d36b86

SHA1
682a9dc7be78218ecf9291c1d7371edfd62b5ff0

SHA256
b3c9b50c45db9ea337cabd183ca207c21b35dbf18ec659dec1f62cbb39684edb

SHA512
28223d1deecdb8d522d4f0691b0510855bc504c38c20fe4f4e3ac7768a84da5d9d00b88c7d04b692285e296561db9b134775a6e48bd826616f0e9507105c8a8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\fbc57364-e7d9-4be8-9205-74d0c1a0e9eb

Filesize
11KB

MD5
f2e991ca4d40359c0ae01fede9f4e128

SHA1
08d7bc127e774e9e9bec8d0a46245781a74c907e

SHA256
8820a6b8fd78bf8ddea933c2bbdf118b80b475ea9ee10eb46647e012e4aa1cc3

SHA512
0b4ec864693215e1a18c8c7fda8bc8b5cc815bdb0ca23c0914231f50950cfb54580ee5922304ecb948811eaf0e87355769c5492ef1c865e99c7f889276c52f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

Filesize
6KB

MD5
4b6d6a080af6baccb2c5fb46484caa2d

SHA1
5bd0e1b27dab330880755eb7262d256f5c2bc0eb

SHA256
a95460c1040e099f1a5aa99fa7d2a4687495287bdcb49a35a16d078f8d25f555

SHA512
7a88bc8cc6dce91cd8c21a44b2589c0fe8955f0fb30419a1ea9459d86e80f908d32c3fc6930305d3c2a3962185272b4ccdd458e9964e54d5cd117fb09b5e4f0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

Filesize
6KB

MD5
31848c7739dc6acde9cb5eb5e10959b4

SHA1
cbbc953197f2aa9ffcf16721af368b5db0f7f1a3

SHA256
277e9d2138b30f46bc64dc2ff6abb08351922e5884f779d571e74f634f23c0e8

SHA512
a546d63c44f22df87cc2dc02435cca5a4342f3f4a78867f751d3d07724e43850c80ae30b99a817fcda40439ca5491aa705b2a545c563adf744000a86dec42c68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs-1.js

Filesize
6KB

MD5
c157537d2767dd2c2a8cbfcbf8a801fa

SHA1
5dcb91a689a6200bb7c889cdcbc71984d23f53f6

SHA256
c9967c2e6b40ac6d49e6ed368c5d9391285d8e2f04b7dcad7a61df5ae7d79191

SHA512
bed00f381701e5b10a8d2f8c5124bce17b0452eaf07d56b5450de02834d59ddb9d907a359223a685a6b01243cd2a2ea98b9ad61a267506bb5a260f2119f4c828

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

Filesize
6KB

MD5
6f2dd2b76f235b1aba700ea5e5fa9ae9

SHA1
6a0a2256b19194f51b19fee1333564a55e2ead14

SHA256
3ede0c4290fe0556b57d0497054a843d34d69525874933ddd5b6afa50e7794eb

SHA512
d207a38d7fabbba54e6a7b65aef04b020bbabc74621b51c7791a1fa55c013e0f235aa774c5322c9bb0c77519079c09ddbc8b3fe0bde8ae26217c586f859de1b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
65260e91f77f0ae88835dfe1ea8d9a2f

SHA1
094b2fb6129ca21641c9663eac7df52fb3553b4b

SHA256
af52d795529efcb6ea81a00570422101df871d591308c59b91265662c0b7a670

SHA512
f77214a34646233a12d612f69ecef22bea6b840a144cef916454bbf9478369024721cdfd15cce36f87d6e81aef2518c3939d3b82616dda7b7b0d228f826db875

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
7aedfc51d249f91ee8bd6035d5a7f588

SHA1
f4ac60275d73f46514cd2e1119e13ad0f4de7749

SHA256
1b70ebc5d3e0b89df7e75ce7c787588d2f39b8416c358d69a6f3d028e63e288b

SHA512
cb5770e9dff888dac39acdb8a4aa125b4c4bba093fe6eac2c7a9f31395481c5840e752872ea7e3bd9e2b9cc4eaaf1dcb2b7d2d5cc59acb1fb43f7456705c5579

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
e3bbbeb37640a7609e026437dc883b38

SHA1
a1392e1bd6d0131ac333951f025ba8d3f0c35e31

SHA256
3bd8df681cbd4ceb2e7318961dd46b98217797eb86a85a96276c2b6ffefe1b9b

SHA512
d61611b37c21fca765773c5469db0fe834ccad83061c60c6b6b3db40bab7fdf41cbbb6bfb5ddcca782b1305d1a47ea582b87eb7dfc70026395f83366a5c5ae0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
39aa5e70dd5544192ecd6ff01ac09f15

SHA1
f86ef49d47950522e2f54f07ff3369b07726a642

SHA256
1bb7867150ffd6e1d842d7b3847879639832d61d8bba98e916ceaedd27e3f213

SHA512
bbc70d36637d2eb3e1e58ea221413decca85c2b50aae7060fecb50010c7b28204046fef7e4aee916231be39a86116c9c314d8279ca6c86218d31b1e78fa33768

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
62057b75f23afa38cac536c678755449

SHA1
7c29e6eb69ec523870c21c5de5f388199f69c6bc

SHA256
020435851458c6a2207918444fcd7e71537a654587e164cc8839f9a56e3c0f4c

SHA512
32111d8a8ded5adb28fd7b046d6fc7cdf81b1e0d856c32d575b93a79c753d0b7d691271f659fa1101e5e8943d271b4a34b54f944074d7e2195c9e1959964fc85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
d357a83ba984b6da3296473cf39761e4

SHA1
87176185afad649b205c978397d6a337fbcfc4fe

SHA256
201b9ac2bc3c6cb27ff834327df40a67a55d97f751086e8ef3097b1c6398bfea

SHA512
143297ddc0ca33f2f23bd11e4aecf53ec3adf8a51c9c0d2ce09a979aab67e8c0af8b9d6e319a6889b6e6f61aa207f7e44cf61b9f8d2d911165a257aa9545afa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
1fd300a487907001a65c44134395edfd

SHA1
0922b2ef967f0c90b0dd878c0fb9e70616292e2b

SHA256
a7c8a2f642fc78fb036bc563388afaf2db4424b01fdfefa8afefb6dfdecee21d

SHA512
75f060c73e09c10d452a08672588c3471c669abc74523c4383018a6dc699bb12815fba4dff563172068d248977711b9a69da43e826af5036b196256bd3cd0689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
b3365e2d9f855e74c9c503255b806177

SHA1
9e4c7fa6d3066e086b705ff7f5f29022c525d3d8

SHA256
246f1184e9f9f79e384632a9a7c235b241863e1cfb31d3a4662c5038c4671909

SHA512
6e9a7b910ff005ca451f50406c58a09bd3acaf68a24468231c0fe4ae8600b21779f361cd8820e832efce26bc13101d9d368e9bf3954bd0b28ecc7b99a252ee1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
6ea00f6dd382575041f76085178b59e2

SHA1
3612cc8e6a41215289e9ca8531ab4040d7008c9a

SHA256
19a773b2866eb435b715555cb48ad980f45b97bb98878e083982dcc7d21103b4

SHA512
57d91605446a1348b6e56483f8ff2bb4d9748a650bdb21f4482d8f2b0dd7823eb328dd2b883f9e916bb20a8b2487dced9b1efb87db773bb983ccac931d32becc

Download Submit
C:\Users\Admin\Downloads\MistInstaller.exe

Filesize
83KB

MD5
8813125a606768fdf8df506029daa16f

SHA1
48e825f14522bd4d149ef8b426af81eec0287947

SHA256
323060680fed9a3205e3e36d2b62b7b5b6c6e6245e4555dcc733cf6ef390f41c

SHA512
9486a027029a27cbf0424760625c08d73aa62e28e45081751c5bada7c07ca05b4e44239da7774cf4f76298fb6b71769ae62595ae439b470c8308d39e1b2289d8

Download Submit
C:\Users\Admin\Downloads\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\WarzoneRAT.exe

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Windows\SysWOW64\drivers\mistdrv.sys

Filesize
14KB

MD5
fb021609c5635e3afd5d65384f83a77e

SHA1
f2783bdb8c969e6a156438834873fbe59ed1a5d3

SHA256
40fd2d7e99c37b89bf8145000ed30479aa6d0a7c82d28eebb00d2377d0ac9f17

SHA512
f8e9f93c35a8837a454fa82578c02a4df3079bb03500cd023e4f1bd6ed5acd8cdbed19b5a5d3a930304f593410607060390b03de790d378060ea56cd1b767a33

Download Submit
memory/1568-2055-0x0000000000DF0000-0x0000000000E46000-memory.dmp

Filesize
344KB

Download
memory/1780-2016-0x0000000070DEE000-0x0000000070DEF000-memory.dmp

Filesize
4KB

Download
memory/1780-2053-0x0000000070DE0000-0x00000000714CE000-memory.dmp

Filesize
6.9MB

Download
memory/1780-2017-0x00000000008E0000-0x0000000000936000-memory.dmp

Filesize
344KB

Download
memory/1780-2018-0x0000000070DE0000-0x00000000714CE000-memory.dmp

Filesize
6.9MB

Download
memory/1780-2019-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1780-2028-0x0000000004110000-0x0000000004138000-memory.dmp

Filesize
160KB

Download
memory/2352-2111-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-2109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-2116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-6211-0x000000006DCB0000-0x000000006E0BB000-memory.dmp

Filesize
4.0MB

Download
memory/2352-2114-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-2499-0x000000006CC60000-0x000000006D4C4000-memory.dmp

Filesize
8.4MB

Download
memory/2352-2498-0x000000006D8A0000-0x000000006DCAF000-memory.dmp

Filesize
4.1MB

Download
memory/2352-2497-0x000000006DCB0000-0x000000006E0BB000-memory.dmp

Filesize
4.0MB

Download
memory/2352-2113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-2107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2352-2115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2484-2392-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-2522-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-14057-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3116-2117-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2126-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2128-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2129-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2119-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2121-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3116-2123-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3240-2043-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2038-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2045-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2047-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2050-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2041-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2035-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2049-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3240-2040-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3240-2051-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3592-2072-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download