badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
406s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

badrabbit mimikatz revengerat guest bootkit discovery evasion persistence privilege_escalation ransomware stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001100000002336b-613.dat	revengerat

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001e29e-335.dat	mimikatz

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 14 IoCs

pid	Process
1908	7A48.tmp
4912	svchost.exe
2908	ColorBug.exe
1612	FlashKiller.exe
4256	Gas.exe
3780	LoveYou.exe
3712	MEMZ.exe
3016	MEMZ.exe
4172	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
3860	MEMZ.exe
984	MEMZ.exe
4740	VeryFun.exe

Loads dropped DLL 1 IoCs

pid	Process
224	rundll32.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000235c1-812.dat	upx
behavioral1/memory/4740-820-0x0000000000270000-0x00000000008AD000-memory.dmp	upx
behavioral1/memory/4516-821-0x0000000000A50000-0x0000000000BEC000-memory.dmp	upx
behavioral1/memory/4516-823-0x0000000000A50000-0x0000000000BEC000-memory.dmp	upx
behavioral1/memory/4516-822-0x0000000000A50000-0x0000000000BEC000-memory.dmp	upx
behavioral1/memory/3660-828-0x0000000000810000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/3660-832-0x0000000000810000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/3660-831-0x0000000000810000-0x0000000000904000-memory.dmp	upx
behavioral1/memory/2332-834-0x0000000000530000-0x000000000063C000-memory.dmp	upx
behavioral1/memory/2332-835-0x0000000000530000-0x000000000063C000-memory.dmp	upx
behavioral1/memory/2332-836-0x0000000000530000-0x000000000063C000-memory.dmp	upx
behavioral1/memory/4740-861-0x0000000000270000-0x00000000008AD000-memory.dmp	upx
behavioral1/memory/4740-862-0x0000000000270000-0x00000000008AD000-memory.dmp	upx
behavioral1/memory/4000-863-0x0000000000520000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/4000-864-0x0000000000520000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/4000-865-0x0000000000520000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/1688-869-0x0000000000600000-0x000000000070C000-memory.dmp	upx
behavioral1/memory/1688-870-0x0000000000600000-0x000000000070C000-memory.dmp	upx
behavioral1/memory/1688-871-0x0000000000600000-0x000000000070C000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
85	0.tcp.ngrok.io
143	0.tcp.ngrok.io
148	0.tcp.ngrok.io
156	0.tcp.ngrok.io
160	0.tcp.ngrok.io
206	0.tcp.ngrok.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4516-823-0x0000000000A50000-0x0000000000BEC000-memory.dmp	autoit_exe
behavioral1/memory/3660-832-0x0000000000810000-0x0000000000904000-memory.dmp	autoit_exe
behavioral1/memory/2332-836-0x0000000000530000-0x000000000063C000-memory.dmp	autoit_exe
behavioral1/memory/4740-861-0x0000000000270000-0x00000000008AD000-memory.dmp	autoit_exe
behavioral1/memory/4740-862-0x0000000000270000-0x00000000008AD000-memory.dmp	autoit_exe
behavioral1/memory/4000-865-0x0000000000520000-0x000000000062C000-memory.dmp	autoit_exe
behavioral1/memory/1688-871-0x0000000000600000-0x000000000070C000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 220	656	RevengeRAT.exe	118
PID 220 set thread context of 2428	220	RegSvcs.exe	119
PID 4912 set thread context of 1420	4912	svchost.exe	201
PID 1420 set thread context of 2200	1420	RegSvcs.exe	202
PID 4740 set thread context of 4516	4740	VeryFun.exe	267
PID 4740 set thread context of 3660	4740	VeryFun.exe	268

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\7A48.tmp	rundll32.exe
File opened for modification	C:\Windows\System.ini	VeryFun.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3720	1612	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VeryFun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrazyNCS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2144	taskkill.exe
2296	taskkill.exe

Modifies Control Panel 21 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\Scrollbar = "139 251 182"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\Menu = "50 149 225"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\MenuText = "209 237 33"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\WindowText = "237 225 204"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\ActiveBorder = "91 196 158"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\ActiveTitle = "224 138 69"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\InactiveBorder = "249 13 63"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\Window = "40 190 196"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\AppWorkspace = "206 154 109"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\HilightText = "108 238 16"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\ButtonShadow = "48 62 255"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\ButtonText = "232 208 58"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\GrayText = "129 126 251"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\Background = "59 71 131"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\InactiveTitle = "134 29 45"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\WindowFrame = "153 154 23"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\TitleText = "93 228 97"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\Hilight = "89 5 21"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\ButtonFace = "198 60 159"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Colors\InactiveTitleText = "152 125 138"	ColorBug.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1688	schtasks.exe
400	schtasks.exe
2068	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4444	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	msedge.exe
1436	msedge.exe
1100	msedge.exe
1100	msedge.exe
3852	identity_helper.exe
3852	identity_helper.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
2352	msedge.exe
4240	msedge.exe
4240	msedge.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
1908	7A48.tmp
1908	7A48.tmp
1908	7A48.tmp
1908	7A48.tmp
1908	7A48.tmp
1908	7A48.tmp
4172	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
4172	MEMZ.exe
4172	MEMZ.exe
3016	MEMZ.exe
4172	MEMZ.exe
3016	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
2680	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
3484	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
4172	MEMZ.exe
4172	MEMZ.exe
3860	MEMZ.exe
3860	MEMZ.exe
3860	MEMZ.exe
4172	MEMZ.exe
4172	MEMZ.exe
3860	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
2680	MEMZ.exe
2680	MEMZ.exe
3484	MEMZ.exe
3484	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
2680	MEMZ.exe
3484	MEMZ.exe
3016	MEMZ.exe
3016	MEMZ.exe
3860	MEMZ.exe
4172	MEMZ.exe
4172	MEMZ.exe
3860	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	RevengeRAT.exe
Token: SeDebugPrivilege	220	RegSvcs.exe
Token: SeShutdownPrivilege	224	rundll32.exe
Token: SeDebugPrivilege	224	rundll32.exe
Token: SeTcbPrivilege	224	rundll32.exe
Token: SeDebugPrivilege	1908	7A48.tmp
Token: SeDebugPrivilege	4912	svchost.exe
Token: SeDebugPrivilege	1420	RegSvcs.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: 33	764	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	764	AUDIODG.EXE
Token: SeDebugPrivilege	4740	VeryFun.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
972	AgentTesla.exe
4444	explorer.exe
4444	explorer.exe
3712	MEMZ.exe
3016	MEMZ.exe
4172	MEMZ.exe
3484	MEMZ.exe
2680	MEMZ.exe
3860	MEMZ.exe
984	MEMZ.exe
4740	VeryFun.exe
4516	cmd.exe
3660	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 5052	1100	msedge.exe	84
PID 1100 wrote to memory of 5052	1100	msedge.exe	84
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 2936	1100	msedge.exe	85
PID 1100 wrote to memory of 1436	1100	msedge.exe	86
PID 1100 wrote to memory of 1436	1100	msedge.exe	86
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87
PID 1100 wrote to memory of 4132	1100	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9afe246f8,0x7ff9afe24708,0x7ff9afe24718
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3416 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13994740505526360699,7573324925688037630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:972

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i7as709l.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE51F3DED7355493B8569B4756BB22E9.TMP"
      4⤵
      PID:3268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gusyk81i.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A35BA40C7A74A37869734C0F3DA5AFC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1oly8ewf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA426C4C5330242029093E9C88E4D9F55.TMP"
      4⤵
      PID:3720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\boq5zcuc.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E493887288143439E726C10F262590.TMP"
      4⤵
      PID:2040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nxwkq5wd.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35715807684644F3996340A0B5A18CD7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3-x2j3rj.cmdline"
    3⤵
    PID:2228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA32B869624D425A9532982A1DE043A9.TMP"
      4⤵
      PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\st5bpgwr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc254CF2B63186487395D097E854F66AC1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nkihgm31.cmdline"
    3⤵
    PID:3220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC02B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33860D0CE7794BAA9E8A84A7158D1B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbnfwc51.cmdline"
    3⤵
    PID:316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC098.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7D7CEAABD2864F71BAAF9CEB2C181B39.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\onv-hvdl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC106.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57794C8CDC814D258A99CCB8847AD1FA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq05z-m6.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC183.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB19371D3E68F4F38A0D1AA2BD913ECBC.TMP"
      4⤵
      PID:4524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fexjevoq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD24EACE65A3740C9B3EBD2E5E52B79.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahbup2ye.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC24E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3430627C0B84557A5EF342CA0397461.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e8q1wlb5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5178695B8B6C4C348E45F2A6C587431.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4v3pou8f.cmdline"
    3⤵
    PID:4004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC348.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74EA9C58C2374E72A32ABC16C19F272E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bowu8efo.cmdline"
    3⤵
    PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FF4FC71F2942D3B1A8BFF44BEDAD5D.TMP"
      4⤵
      PID:3120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s0zhkzxq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC451.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc807935396BB04ACF853E7E2CD7A02159.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bd5irzgx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC49F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB576B15D7335445A9E9C23207A5CC03B.TMP"
      4⤵
      PID:3564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zknrfqpe.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC54B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76C3013EB1E845C7BBD32FF4417122.TMP"
      4⤵
      PID:4744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5j8pzkt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5D8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc502148A4D9204D9F9138CCCCCF15B4BB.TMP"
      4⤵
      PID:2712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duoc6xqf.cmdline"
    3⤵
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC655.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31BCB9262E0B4E049BB3CD67F3EA1ABA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3520
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1420
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_kfpr-l4.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46587825B9C647D6B7282D59F4711A6.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqme2k18.cmdline"
        5⤵
        
        PID:2248
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BC6985DFA97426BA71D98A4AAD851.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xtctb_mx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc190A651A4CE34091BCCCCAEB3A65E2FB.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wq3n7m02.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8547F76FACA34C26B6AF9FA9BCCDB30.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ikjwas2i.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9EA705846DD472EA9D8C661E44F26F5.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqpmsybb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47ACE79B428A4A2CB0A3C8F842335DE1.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dntiekjb.cmdline"
        5⤵
        
        PID:2624
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7002.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48A6399AFB2A4E68B8DE82174337A513.TMP"
        6⤵
        
        PID:3832
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\edcj1zwq.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7051.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2375215BFA454FDB8DB9E797ED4D2A92.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lu1e2eos.cmdline"
        5⤵
        
        PID:396
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES709F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B65E34F895143B1B83C5B4AD323B448.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dyg6d1ve.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62F5ABF41F864921B92FCC45337DD99.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajm8lzw2.cmdline"
        5⤵
        
        PID:4364
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F714BE727BA4E218159A25D2160BADC.TMP"
        6⤵
        
        PID:4276

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:4348
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1480408007 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1480408007 && exit"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:56:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:56:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1688
- - C:\Windows\7A48.tmp
    "C:\Windows\7A48.tmp" \\.\pipe\{68062B22-885F-4266-8FE2-3FC3EAA9BE97}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"
1⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Flasher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3204

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1108

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Joke\Trololo.exe"
1⤵
PID:4564
- C:\Windows\system32\taskkill.exe
  taskkill.exe /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\system32\taskkill.exe
  taskkill.exe /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8 0x3c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4444
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\ColorBug.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\FlashKiller.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\FlashKiller.exe"
  2⤵
  - Executes dropped EXE
  PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 244
    3⤵
    - Program crash
    PID:3720
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Gas.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Gas.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\LoveYou.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:984
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\VeryFun.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\VeryFun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Whiter.a.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Whiter.a.exe"
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe C:\Users\Admin\AppData\Local\Temp\~snF50.tmp
    3⤵
    PID:3436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1612 -ip 1612
1⤵
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
PID:3056
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:2436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 984 -ip 984
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\239b0745-b4ff-4f0e-92bc-c3d90df955d7.tmp

Filesize
10KB

MD5
5414f2420dd26c9aa2cd24f2f763ce24

SHA1
70f633ec67134f27af65e3c84490d5b5e1b6e66d

SHA256
de1c5d9d470f4a4c06aa2c2888a3fadbc0d9f64aff2d7228a55cb858858b7428

SHA512
bd87874737e70b424ded9339924104ff8ddea0d319951c4e4b24fc8600ab33dd2ced71b679a27bd05515e51cb7d8b2d233b97b038a7b93960ef1bdd11e8edef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3430a85bee160175e2f1f9beefc5ce2e

SHA1
6a663cc2536c1c58f334e4568f9ffb6c7ec12946

SHA256
690b8ce79ffc00b018a9b21015645a68258a16b5df1363f06d4be076427e9e62

SHA512
6ca77e1bb23d193b5585ba73101e3c196316219032f38bb058e99150ca2c546843f8d65ef1e8d0572e2d48a74721655f34040779642fbe52dda50584dceb9ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
463f615865d92339eb68e23cb603e539

SHA1
1caff5854dcc2665be53c36fafe53602f39fbadb

SHA256
a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f

SHA512
f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff678f018a8372422f6308eae85000f4

SHA1
aeae3b4d7170fed33a473d522969bacb19c2b581

SHA256
380425f823a35089949cc9cc94908b70420e06d53c9992d0cd6eb1c8f76161e5

SHA512
473ffae2e934f1f4126debc89a027069a9969b507d7bc42e4d9bc0f62d3d8fc65bd2e00b9c35fff13902ad51bf1a21f9a00f8c35b425af52442daa422542eeb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b020b9eeacf047a97361bff1662c2802

SHA1
26065dcb53ebb38e74bdba49c3263943b6d5c2fd

SHA256
93f02bbd1e0162e1823ae0b3772b78781919fd85cf6d7da029f2f4b34064e4f9

SHA512
9eb8e0af7dd3d34ec0af5c357a027a00931ab90ac1791f3c4d64122f96a155e50fa9a0fff8ba0834c8ec8ae6c44d430da213974504ccd92da6ec402e47d898b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bfd1fb1ef9bc543cf3dc133f1449d2cc

SHA1
2cb37e919b6e83b6d0512183a30d29d7a25aff89

SHA256
1ad28b70a33c98ff7ca35691f83e47a02449b17a6106443ca51ed0c38b1b699f

SHA512
89f642ffbec75c4edd4f8cb889756dbe77e31d6ed28e9af60160d5342b98184b094d1ce1dcf1148c4662a4f69a48950ae417e9d097ee07d6e47863d927929fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e7453.TMP

Filesize
1KB

MD5
cacdaefd1ebf1c6c9ee3d0c54af8de22

SHA1
7b82cb03f038359642c066ee91d9519eb9cd8bab

SHA256
501e01ac558217f194d85da77109f9cbad3c33bb9fd35db9222a653bfb5b8835

SHA512
655b975adb2156bbdcc62135f907bfcd79f5c746cf55727f920aa76d2367ef5c49c495bcea5e73263c9b068ac198a2666d8c679827d2148a55276a4c5e21b455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6b7c590d74df849a83bf24849087b1f

SHA1
26f85812ebafeaa65c703a3c26af7c5aba6915bd

SHA256
479e5ec3dda5d5677c4879b6208838f4a1b78b85f1a2c5f7cefe0609b87a7a83

SHA512
d326bf1881587e033230344463cab5689269c0f0f297baa49b6b516d7996b58d6289ab224a979b83202e55bdf9a40b890aba01874aad956e83d2a21e312d2cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1oly8ewf.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1oly8ewf.cmdline

Filesize
253B

MD5
3a9d2ae594a4990976b2acee15c0bb1c

SHA1
7cc7b6035e2f1a68067db886b7e63335cb062534

SHA256
effb42b17e37334757438f5f49e09587c4c3243ff6d5cd4a91c57a591b7b6f67

SHA512
3c9c8d09c67d13c5a22f7106360bf1aae9ab7664efdb55bc740afeb0dec87f5c62391c36a65316963ce909808f5f07924e6c2666c3a3513fd0bce4d978369490

Download Submit
C:\Users\Admin\AppData\Local\Temp\3-x2j3rj.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\3-x2j3rj.cmdline

Filesize
267B

MD5
589959e6943063c45127a8587d486705

SHA1
7d2178d8da4e51236885748b34bee53360bc593c

SHA256
f053b6b815a847727db23fed0aef5c8c48b4538f6571aa37c6a72efbf2690cad

SHA512
3fb67e3c043dafd860e41961a79a41d9b81a7ae9fbbfa9c5cd77b4c0bd154a425dfb100cd590c0c589778427dcd0c6bd87e25a7b69a2a405a50d79736e613363

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC14.tmp

Filesize
5KB

MD5
932a33312e237c6c5fb0d691d4893f80

SHA1
1d764b6fe79296802d14bade99a94c132e001c2b

SHA256
24f734a73d2e894798171a550e8db043c3145534fb796759642fd98d424ef1f8

SHA512
3c0b1326a8c41bc8dd139564d6f145955f9069d108713787b173252af1eb770d46222ef9b76b321e333a84ecf9d8243716ec21b8ea6fc0eb118176728c0ac5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCCF.tmp

Filesize
5KB

MD5
6c460f7a3f4ccbd5cb19b804170da9be

SHA1
ba0056b19f3f6d73291b66fed29fbe760b87e95a

SHA256
c466b4b8f2de9e2d19001ba7cf8efbf6849e427fe7045a11107068e6e60810a2

SHA512
7f175d49dbeae6095081f6f340580ed1063fcfd3c3260380128d0d67d3b47c68b7409d5131a745920ec9059cbc0200ba1c66859a24de75030bb621277c52edc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD6C.tmp

Filesize
5KB

MD5
de19284f3288a62de30e6270921a7aca

SHA1
7d5bfee1966b380c1e13ddba2a9a549a5c2ee547

SHA256
10c052be476f11f06754dae263a9c4179d4d1572189eb097e4ed788f94bded0d

SHA512
3f4d7e1caac1e1a97bb4e1c86ca2ca1cf7ba4cdd0b258068c3559eb511005739e9f87032093258085b023e54c6f9d9502220131a8ca546609c870524038021da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE27.tmp

Filesize
5KB

MD5
e1b0ecb9dac677e7e0881ac268bf4b75

SHA1
2c99538a068051e5251507bbf92993cc5bfed267

SHA256
91b2256cb803d7357cd484e23977d4f3d7214644008d986c9b403b9f9b5631c5

SHA512
c0580a6efc4943453b789bab16664081e57ca438508226dad01d0ff6eddea8ba46895c2b514e3f301ee63ea2adeb3e11493ed2d15a47ec136372700317ef279b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBEC3.tmp

Filesize
5KB

MD5
9ddd6ab6c87d9bf3eb804fb736aa4ca4

SHA1
42277ec052fc320d739ae75262263d97bd7139c7

SHA256
fa23bcdd01c7e5aa44a826582f4f94136e0af53cb05e12642b466b0d372f4bb4

SHA512
788ba4c43685437e402031bbdc2cf9c79173eb91ca751bb62d70256de593404a8f6837fdf7ecaf648af35671454d018120c214167988cd09129252a309402eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF40.tmp

Filesize
5KB

MD5
81b6692fc8439ba96adb2fd49cf5289a

SHA1
2232296e8ebf0264011818450fef0d168f107984

SHA256
4a06356d9dce861c15a902b8aa6c79c9103394adfd817ed5ff8e2ed28395a208

SHA512
ef70e6bcf6a9c8ac4ae01d947950513c89e2166249d073b1053f8692e08ce43ef0a5eb486a8245638dd185b3b4fb2a685daca344bce6d8dceaa1566e602a534c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBFBD.tmp

Filesize
5KB

MD5
4185aa71253533e7f1e1a6ef5a47059d

SHA1
9706798d219b1a27255cc66b14aec1878623816c

SHA256
4702aa8aee79bf2813ece78bb2620c5d2c610a80111c9b7fed11a905947b04fd

SHA512
9e04bc6a15defcf40ef03379aa2df31f0b2c2630397023efd257b9536627f4a809d4705104cdc8ad8a9f248f972bf6af7275aa0a51f169106e07b124c9674bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC02B.tmp

Filesize
5KB

MD5
73b47b8ba9aef97c42e561798796925b

SHA1
eb2f49d5811bd84c9af0c1d8baee7850178d98c7

SHA256
c6b1dc61c7a771f3eef8f148dd140f5245503ee5cb87f62a9dfc70c16e4fa626

SHA512
a9cddd6671532bdceefad99926935494f0ae766856e8daa657249298bf7275d4bbd71faf2fe5ece3a66a473a050c5c973ad1a7eaedaa7f7f6186456ff49ce28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\ColorBug.exe

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\FlashKiller.exe

Filesize
4KB

MD5
331973644859575a72f7b08ba0447f2a

SHA1
869a4f0c48ed46b8fe107c0368d5206bc8b2efb5

SHA256
353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3

SHA512
402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Gas.exe

Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\LoveYou.exe

Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\VeryFun.exe

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp2_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Trojan\Whiter.a.exe

Filesize
56KB

MD5
799b57227561238a7d7a284c5568c1ad

SHA1
f62ddd138ab15b67a2207438b38414fd236d5278

SHA256
fe974c995cfb27e8c91123081986847f6d3d4252b6a8d1e1385c558f2aeb7057

SHA512
2a6de3d751f9b74227bfd7069b989175ebd81548af6e1f4bf87f63cf9e0a69ec6cbbac5b837dd80e7effdf7f648c2c768124257d347f1a0d394a0dd9a5552f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\boq5zcuc.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\boq5zcuc.cmdline

Filesize
224B

MD5
a0aeb47d10f159f42bc026d4d476c2bc

SHA1
dc69240f9ad0bcef31c9e53166b8b99880e38630

SHA256
c6bd909b191a125b90656f8b09a69ddc0f8f1dbc7a9879f519bf4fe94e6ec5df

SHA512
02ffe8f6c97c4ddab02fd5967419caf40b0bfc4648548f82eb2d9d5374f3d2caadbe962fdb528339c84cba414aff459073e3b1caa84e9d7ca81b262113c3182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gusyk81i.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gusyk81i.cmdline

Filesize
224B

MD5
c23b1f466f32fb475d5ea457a1868585

SHA1
d145ca1d89d475ba2dd037dc680c6c22de2a6d36

SHA256
5b1aaad95756c194e4348596086ab4cef1107cc4081352f42056e8a7feb5a174

SHA512
8d85e9c6eb1dcdac0d690ae99237f0bab99828807825b3041c5eb2131697fb8e71b93bc9012308c39a83c8d3a11e4053fd84fbee7a1fdb68297c85842843f609

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7as709l.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7as709l.cmdline

Filesize
253B

MD5
d06aa902686e67ec8e15ea0c354be5de

SHA1
3da1438f454830776a02ad4f653757698776eca8

SHA256
9b2dcbe64f36b2e129fcbd4b2da42b7e46314d68cd68dfa66431eb0be2445d2e

SHA512
f31f14d4e7f47e6381c70b6e49a6274c62c1173707745ed73904ee44893a57e5dcb97f018a9720057fa4e2677c81f5b1dc07b769abe00cda55a47d3bcd43a5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkihgm31.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkihgm31.cmdline

Filesize
267B

MD5
e655d021e9277db3f5f0e6575e00ec5a

SHA1
4b293d0f71f4c6d81a21e56992f9bba60214fed7

SHA256
45c85bb6c5034f549a6b80cdfc0e61cc94d6c9fa5614e0fd7ff35577cfb3c674

SHA512
56d2abb8a05877384cb4b89bd2f066bcbb96434144c5cbf2ea5c40c61b1b87bb39c8cdfa405fd19d4f3311fda0bbbf94ab04618d5ff145cae47dfaa805d3c64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxwkq5wd.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxwkq5wd.cmdline

Filesize
261B

MD5
7f1e9beb14be979fafbd181150b81967

SHA1
90a9b442674070e2ce0ebf95fa53c87ffa5d7aa4

SHA256
07f5593d745a4198e3146f2fda20bce11b692d6251467f52e7e89bd179885309

SHA512
adf0b2a441df43062c2ccbe8f00f29d940ac156035a689cc4983153911d0cc90a887a351e98050c7f11413c6f115c9411176f124f03acab5ed9bd740c83f32c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnfwc51.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnfwc51.cmdline

Filesize
265B

MD5
90a39acff63948890027ab0366e54b1b

SHA1
589b874f18810ba0fb69faa01dca8f9f03facfc4

SHA256
9eb655085b9016e01b05775f82f3d9b187d5eb15bde67fd43cd55d07e41593a7

SHA512
02294ec3e2e1644aed398bb3be42bd58e8458236cab6f84690dee40f4ee002f6179c5a908faf16ad5dab53ea79bf19bdfbfdb4da26daaf409f31c13c5dc2821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\st5bpgwr.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\st5bpgwr.cmdline

Filesize
261B

MD5
e613ff4479d53faea0416258da98b55c

SHA1
f74c3356096914da9616935eae093b1121b74e37

SHA256
cc28114584b12f5ae150a0b3baf7e220dc159b750b8560d4cda502d70eb57615

SHA512
af18f05bcb9edf70ef996e2ad75d8471efa7cbce0d46abd0e7d426149bd92c0911b207522ba08f57e36ef8c7a8118f62fae1c78dd18a5b20fdd957f477368d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
110B

MD5
57f66d90840dcf1c1b4da1dfc895b9ff

SHA1
441dc041a555cd23b6fe9a1d0e34733d60c23788

SHA256
58a6f88962d92f9877ff7397fa686779170c765c64a4bc64e05611ffce16f9fd

SHA512
15e9e221b8a86b24c783ecd15bedec24f409b81f807572f88b494c45b3bcff03e9d22a0a156fd8b6187ce89d1dc00ebdc32f15b26a424b50a82cf753fad54686

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2375215BFA454FDB8DB9E797ED4D2A92.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc254CF2B63186487395D097E854F66AC1.TMP

Filesize
5KB

MD5
2f824fea57844a415b42a3a0551e5a5a

SHA1
0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4

SHA256
803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee

SHA512
7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc33860D0CE7794BAA9E8A84A7158D1B.TMP

Filesize
5KB

MD5
852ad787d5b62a59d1a85e31224eb42e

SHA1
3f9125530ba96a8d00a2acd6650bd952efbcbfc4

SHA256
5c0fea62e1b6f98b0a2fe87cdb1569ca9c8836cefd8c14d351f95a08ebb4aa46

SHA512
71737f2f3a7b86c54b465aa36d27b42844693b113d207726ba24a4d3c803ba93094d7417d4eea7a0f3f5e5d5f5a74cc34694c5706690287e7b575ad0819be560

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35715807684644F3996340A0B5A18CD7.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6A35BA40C7A74A37869734C0F3DA5AFC.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7D7CEAABD2864F71BAAF9CEB2C181B39.TMP

Filesize
5KB

MD5
0534350659e80f4ec327247e33318612

SHA1
3ef80ddb7cb63d08a55b591fe6a0dff38d5d8623

SHA256
31fbacb6c44df54110e9f62b86a3607cc88a1fcedae4375cd7f3fa749c352311

SHA512
0424c2b9f5f7f9a0f97538729631e255679e4dd129b70b5cfb9eaf49b6f1583586e5147586eea04307e05275cd8511837a9adcf52c35bd86cc7cfca2d2d90301

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8547F76FACA34C26B6AF9FA9BCCDB30.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9E493887288143439E726C10F262590.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA426C4C5330242029093E9C88E4D9F55.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB9EA705846DD472EA9D8C661E44F26F5.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA32B869624D425A9532982A1DE043A9.TMP

Filesize
5KB

MD5
5fb831248c686023c8b35fa6aa5f199c

SHA1
39760507c72d11c33351b306e40decaad7eb2757

SHA256
d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908

SHA512
2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE51F3DED7355493B8569B4756BB22E9.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Windows\7A48.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/224-318-0x00000000005E0000-0x0000000000648000-memory.dmp

Filesize
416KB

Download
memory/224-329-0x00000000005E0000-0x0000000000648000-memory.dmp

Filesize
416KB

Download
memory/224-326-0x00000000005E0000-0x0000000000648000-memory.dmp

Filesize
416KB

Download
memory/656-308-0x000000001C3A0000-0x000000001C446000-memory.dmp

Filesize
664KB

Download
memory/656-307-0x000000001BED0000-0x000000001C39E000-memory.dmp

Filesize
4.8MB

Download
memory/656-309-0x000000001C450000-0x000000001C4B2000-memory.dmp

Filesize
392KB

Download
memory/1108-624-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1420-621-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-761-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1688-871-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download
memory/1688-869-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download
memory/1688-870-0x0000000000600000-0x000000000070C000-memory.dmp

Filesize
1.0MB

Download
memory/2332-834-0x0000000000530000-0x000000000063C000-memory.dmp

Filesize
1.0MB

Download
memory/2332-836-0x0000000000530000-0x000000000063C000-memory.dmp

Filesize
1.0MB

Download
memory/2332-835-0x0000000000530000-0x000000000063C000-memory.dmp

Filesize
1.0MB

Download
memory/2428-312-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2908-650-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2996-860-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3204-806-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3204-623-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3204-774-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3204-866-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3660-828-0x0000000000810000-0x0000000000904000-memory.dmp

Filesize
976KB

Download
memory/3660-832-0x0000000000810000-0x0000000000904000-memory.dmp

Filesize
976KB

Download
memory/3660-831-0x0000000000810000-0x0000000000904000-memory.dmp

Filesize
976KB

Download
memory/4000-865-0x0000000000520000-0x000000000062C000-memory.dmp

Filesize
1.0MB

Download
memory/4000-863-0x0000000000520000-0x000000000062C000-memory.dmp

Filesize
1.0MB

Download
memory/4000-864-0x0000000000520000-0x000000000062C000-memory.dmp

Filesize
1.0MB

Download
memory/4516-824-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4516-823-0x0000000000A50000-0x0000000000BEC000-memory.dmp

Filesize
1.6MB

Download
memory/4516-827-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4516-822-0x0000000000A50000-0x0000000000BEC000-memory.dmp

Filesize
1.6MB

Download
memory/4516-821-0x0000000000A50000-0x0000000000BEC000-memory.dmp

Filesize
1.6MB

Download
memory/4516-826-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4564-625-0x000000001C440000-0x000000001C4DC000-memory.dmp

Filesize
624KB

Download
memory/4564-626-0x00000000013F0000-0x00000000013F8000-memory.dmp

Filesize
32KB

Download
memory/4564-627-0x000000001C5A0000-0x000000001C5EC000-memory.dmp

Filesize
304KB

Download
memory/4740-861-0x0000000000270000-0x00000000008AD000-memory.dmp

Filesize
6.2MB

Download
memory/4740-862-0x0000000000270000-0x00000000008AD000-memory.dmp

Filesize
6.2MB

Download
memory/4740-820-0x0000000000270000-0x00000000008AD000-memory.dmp

Filesize
6.2MB

Download