crimsonrat | 6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36

Resubmissions

14-10-2024 23:47

241014-3svm6awfjq 3

12-10-2024 03:01

241012-dhzrpayhra 10

Analysis

max time kernel
1800s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-10-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MonkeModManager (1).exe
Size

217KB
MD5

1d62aa3d19462f3d5575fc54159911b4
SHA1

b37eab86c0075245fcc517a280f0705f6dffb852
SHA256

6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36
SHA512

78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df
SSDEEP

3072:V9UmbMwyLMmJx+WAE090AF23P88RiiE090HjD:Kxs/E09hWPTE09yD

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ad49-522.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2900-533-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/400-1420-0x00000000050A0000-0x00000000050C8000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x002400000002ad81-1712.dat	revengerat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1964	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x001900000002ac81-498.dat	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x001900000002ac81-498.dat

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
2920	dlrarhsiva.exe
5684	Userdata.exe
3944	Free YouTube Downloader.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\RevengeRAT.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat"	VanToM-Rat.bat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
1221	0.tcp.ngrok.io
291	0.tcp.ngrok.io
582	0.tcp.ngrok.io
760	0.tcp.ngrok.io
920	0.tcp.ngrok.io
1304	0.tcp.ngrok.io
3	0.tcp.ngrok.io
31	0.tcp.ngrok.io
311	0.tcp.ngrok.io
1088	0.tcp.ngrok.io
32	0.tcp.ngrok.io
358	0.tcp.ngrok.io
650	0.tcp.ngrok.io
708	0.tcp.ngrok.io
1073	0.tcp.ngrok.io
448	0.tcp.ngrok.io
460	0.tcp.ngrok.io
642	0.tcp.ngrok.io
852	0.tcp.ngrok.io
868	0.tcp.ngrok.io
1000	0.tcp.ngrok.io
1063	0.tcp.ngrok.io
1227	0.tcp.ngrok.io
145	0.tcp.ngrok.io
236	0.tcp.ngrok.io
382	0.tcp.ngrok.io
520	0.tcp.ngrok.io
607	0.tcp.ngrok.io
645	0.tcp.ngrok.io
807	0.tcp.ngrok.io
961	0.tcp.ngrok.io
14	drive.google.com
51	drive.google.com
138	0.tcp.ngrok.io
247	0.tcp.ngrok.io
1176	0.tcp.ngrok.io
355	0.tcp.ngrok.io
408	0.tcp.ngrok.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5436 set thread context of 5496	5436	RevengeRAT.exe	127
PID 5496 set thread context of 5540	5496	RegSvcs.exe	128
PID 5684 set thread context of 5724	5684	Userdata.exe	132
PID 400 set thread context of 4984	400	WarzoneRAT.exe	142
PID 236 set thread context of 4324	236	NetWire.exe	146

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4448-1710-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4448-1723-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2320-1725-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/712-1727-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3156-1728-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5400	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	MonkeModManager (1).exe
Key created	\Registry\User\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\NotificationData	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	MonkeModManager (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	MonkeModManager (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	MonkeModManager (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	MonkeModManager (1).exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	MonkeModManager (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	MonkeModManager (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MonkeModManager (1).exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5808	reg.exe
5264	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5400	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
4144	msedge.exe
4144	msedge.exe
3780	msedge.exe
3780	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe
4092	msedge.exe
4092	msedge.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe
1252	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1252	NJRat.exe
32	VanToM-Rat.bat
5496	RegSvcs.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	MonkeModManager (1).exe
Token: SeDebugPrivilege	1252	NJRat.exe
Token: SeDebugPrivilege	5436	RevengeRAT.exe
Token: SeDebugPrivilege	5496	RegSvcs.exe
Token: SeDebugPrivilege	400	WarzoneRAT.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: SeDebugPrivilege	5840	TaskILL.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe
Token: 33	1252	NJRat.exe
Token: SeIncBasePriorityPrivilege	1252	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3944	Free YouTube Downloader.exe
3944	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2708	MonkeModManager (1).exe
32	VanToM-Rat.bat
1452	FreeYoutubeDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 744	3520	msedge.exe	84
PID 3520 wrote to memory of 744	3520	msedge.exe	84
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 700	3520	msedge.exe	85
PID 3520 wrote to memory of 4144	3520	msedge.exe	86
PID 3520 wrote to memory of 4144	3520	msedge.exe	86
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87
PID 3520 wrote to memory of 2912	3520	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\MonkeModManager (1).exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManager (1).exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe41f43cb8,0x7ffe41f43cc8,0x7ffe41f43cd8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,11441114617917587722,10484792714680578270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1748

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:880
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2920

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2900
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:236
- - C:\Windows\SysWOW64\Notepad.exe
    C:\Windows\System32\Notepad.exe
    3⤵
    PID:4100
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:4324

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1252
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004DC
1⤵
PID:4932

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5136
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5168
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5328
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5400
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5808
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:5724

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m6ezmwfw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2452.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3651FAD6E9E46A58DEF5F9CAB3AF615.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hok6bp2q.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46E8609C41BC4D2ABDE6D257581CF6E7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-031yr1h.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES258B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D11FA4F54F345F8B2DD428A21E44D30.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8p5oejix.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2617.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAE2495CD1154275B146E24852B15493.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejwkxqdj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CD39A0EE66A4287AA40F13B82A97A95.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4busxjj7.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2750.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0D32515FDEE41C793FCC1E9FD72C48D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hwifdvby.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc143D5CE8DFF9422AAE490F6421A9610.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lslxa95v.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2879.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC360E178B896410C8742FBBDC2868AE.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\thyis-d4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2905.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB1D098E74C44043BFB30E22ED354.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kensigqj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB30DA0189148A59A5F953FCD1B9CF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xua95eu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8D0DD7060D14591BFB796E9AB64A36.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bytkzvhl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ABB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2426C8AD3BF4F9FA4A83443383D22EF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8owybuhi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9372D9DD867D4BEAB5AB56E6B011512C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1xxnwor9.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BDC58EE586B4504988F4D38A1C92F4E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqzqndjx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc968647252B2D468492BAD228A21FE071.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ze1wooof.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46F4E39FDAFF4E74AA7BF2691F4AF967.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ri6zxloa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc377FB8CC7763463E891247BE30126128.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1656
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_wmy07z.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66EAFF30339149A696C57740441AEAB3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iobc4htw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C9B7AB34B2F4AB498D8D6268519B0B6.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y97jnuyn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FBC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E2A0C40F80B426E96D7EE37F613E23.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4764
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h_hzgzeg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3058.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC3A86E94420D46C987EC498CE2DAA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:348

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:32

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:400
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4448

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2320

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:712

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:3156

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1452
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:3944

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5816

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\TaskILL.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5840
- C:\Windows\SYSTEM32\mountvol.exe
  mountvol c:\ /d
  2⤵
  PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f092b4854ec76d675d55113450c5428c

SHA1
13627449a29b9d685a8a595bca764bfbf9cca085

SHA256
7b5e5cee076242205008cb9cf60f0c4b3c98054490f26b361cd6a71888f47b4f

SHA512
a83a170e14104e0aad1ff22edb828261afecd6b468366aff08d7f2dc683b966e3cd543ac997d93b1346c6003ae40f876e62b9fc713870f097e1d4193373b8ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
fa9f4066f0e2dc5972cf2383df838417

SHA1
cf6c68fe8a493b66646c709411ec6fb0741c63b8

SHA256
f4dce03e2761d89fb2902b4068306d7e0b2e19d740832a65bf567d4e6f8877b6

SHA512
ac64662a66ecc17c58773a452775dd9c59e6d6556742c8f14e21f51f8db454423c127eb398e19cd49b559510a4e4761e467d785874077dfaddf2d62e625bbeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
636ed1ba0463aa3514a74f070093d15d

SHA1
3f6797cc0842f129b8488fe0a1527f548ff7366c

SHA256
83e064cd4330157940f33bcd90c72d16da258f6e476465150fad451a4e7c52c8

SHA512
b16c0bab7f0e8a2d87b34c0832004aa943e0fbdfa6672aac8f7304470b55a406b1c2d8c15474640f12d7062ddb8322f545780d2a30623dc6aa8f208c1ff85dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e4aa7139b56e389edd24d704728dd97

SHA1
9ece0c37347b18eb253b98468dc10120bcc186e7

SHA256
5516d622f7e4e546145bd7c69716bd09a65edb2454837375192623e9f91a9c9f

SHA512
fc6b584d2a617647d4e3013814fd2a3c8be55ef67f694871c5fad6edf0aeedf25349a2f674580423be22c1f6d3a8e8fc53472ac7cc179ff989ee4c118c739de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b471e1877d4d2bb2869fb9b27eaec1b

SHA1
e6aca879589674d5a214074a5d27194185f49c78

SHA256
2ab6f91c0e2c73cc762c28539ce857f14aead0a005775ef36d716596ae145920

SHA512
bf39a351872118220dfb9927e89fbe33f03eb293510e0c8d0f30b091dfae22362352547630cba919c27130d4196d71bca27bc157534fb8d659c65b5786b1287f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42bbce2c61fa83d33d81085d726a8284

SHA1
8a82555f5765b66c175f27c654a2a695e08c7050

SHA256
019409121e2322dbc2e5561111f99286a086004819c83d0593b2dae2d79055ae

SHA512
effe64ffba5ff4518d8d173769ef7f62dacd3f71806513551cb9d5c9601f7dec4727d5244137cc06a80e57be9200a5b2c6c1246bf5ac858f042de73c369fdc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6e77756e51e2c39aee0fd58f0fd02ece

SHA1
f050d3f5f3eddfdb6d6aa694d1a5a41e03a64bf0

SHA256
ff697dabdce157621f2ee965f3453f44f523c2d3348e10fb03e8d34ce5206e95

SHA512
4e28d071ebbca1f5a0f20e1702d412661201bbf7ed0f25593d100d7c4acabef7de569e89e1819ad86b47b55cfa7b766fd518ffbb75b41e926a6240ac28eeadd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e6983a1f494f2a679311cb2fbf840b9

SHA1
322e6e4f3b42a4412bdac8266d5929932ebee95b

SHA256
05e5bc13b4b5d3c6a60364ab52710786c738064c70ab50a7c0ae08c3b94d27e1

SHA512
3664872aed29259ff1a690866c2bef618f576691bc1c50a1c9604c48c98825f0cebdb0a3170a6082578b6a5bbaeb49b5fa5d02521beba75b8c0cc1185bac66ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4c8b38371052196f81880054e43e4454

SHA1
67d86f49d2b4e0d6cdccae097ed771f06ff5f576

SHA256
2141c1bdeda347b0c0c243c9bae92cedd7b63c0c40e3e98c557caf5e4a5f014b

SHA512
f281a868dffe6da88671895f1b69bb6836d686cf78cca93e656dfa79cf064590e498d318014e20af99ebbaa879a23512349b74317787253d24bb22658eba5bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b01ed901-c7db-4a67-9e12-f553868422b7.tmp

Filesize
11KB

MD5
dba26307e1315fd57313e365bf0aef1f

SHA1
0aa687178eb93f9c0f9faceaf9a938ea741a1a5d

SHA256
16780f8af74164cb0e4d5fd8370be9d5810c2abc808c77acc2d6dbe1f5e9ed21

SHA512
6c5e8563da5a548399510af732cec0c8dd993825e89a246320efd975e3e884078d51af58ef071dce3b9673fa4beaddc2d4e820794b125f59e741cf6003a2e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\-031yr1h.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\-031yr1h.cmdline

Filesize
253B

MD5
dc37741668e3ef441355d1a0a63575aa

SHA1
5f12a5b75cd4de67c9e7ad5c1899a7c5d02971db

SHA256
9f174465d776162f093b5b09e230c5ac08ff6cf04c2a46cc123431439af197fd

SHA512
57f67e7df2b88da14c109f4a1f65846966a2a10b46725556de051a6030cf9776b042805f294c10435761cdec612a47a42daac4780699e253a96e026f49c82ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4busxjj7.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\4busxjj7.cmdline

Filesize
267B

MD5
6cb3b1241a63e292fdcc0b754cfc1fdd

SHA1
51d830fb9c1c6d655c450c21f9ac750f69c2193b

SHA256
0540beabb20cc02f268b3f3e263ce1e94d08ceec696f1fb4d75ce445dde94b7a

SHA512
0e3cdf9c6dab88408f8a17e11cb9d98666719b0cc1dcff076c03faee5e78015e14e46b76e202f6ad9ad59f0afc4f5d66d64e7caafc93210379b2c0898019064b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8p5oejix.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8p5oejix.cmdline

Filesize
224B

MD5
62f16074e6dae9799d94295bdfa5a65f

SHA1
fe7b166b776e7e196b52f0e898694fda7a97ff2e

SHA256
139e1a64a748b1b7ad11d0b52d8d34e06578fa51b8dcbf3cfd82a5cc9e0db5a7

SHA512
477c008a0ff30b95a9bf9367312e5099480c46f1af97fce0a6d2da4c5f62d69c233b7a9b518ac1fd875cbd8a37f141911c69baca68ebc8851fccf65696eedf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2452.tmp

Filesize
5KB

MD5
507022c55fb6093ec8e27b4dd4cd0806

SHA1
99c9082fba5c843a3d0e268b71b71d15a94441a3

SHA256
f5f0306755ddce1b0ab18db62337c60251888dafa10a93cb0711fdc79b232b7d

SHA512
786dc4adf081809c8a580e466694b284c04cf0c6b07f7c8dab14d810467c7c22247d0fc44570d635b63019591a42401e213ef152d16c709bf39783cd1ba79638

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24EE.tmp

Filesize
5KB

MD5
ebcdec95f9e1266f18b82a7c37e9b4c4

SHA1
67971049e5c8bea871466734db2c41be558312b1

SHA256
cdd2d7f843d59eed46b3398593aef7245e1c40abfbea3b82d0b70c9417d9b81a

SHA512
465d664a8c88bae88a09558868834a9e9e65dc7e867e19fd755c2cebf8e0f49644a55a79f1b4ba331e86303c9186e97657b6bc83a67d84ab529d55530de2392a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES258B.tmp

Filesize
5KB

MD5
66639d1d1ea9ada28a4b0c796103e448

SHA1
d3570c6902e14c7f49bd24c05f802270beb1b414

SHA256
d6b5936088fab5350729a0b271b46759f56eb5ae67e4b8122cce08cb53a8d7c6

SHA512
0780615586d0540ca9d9b1040c915c8b5ef5e85e1ca78be5de29ca969f377a4d6f4ae00037046b34c9d4e1ffd1ae63d87b1570f2df3b3c93c425c484861fcf87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2617.tmp

Filesize
5KB

MD5
29cba7272e9bbf264f1d620b5c56106c

SHA1
13eb07a48849cd4ccdd76a47acbcdbb716d7dba6

SHA256
33d0f8f2e7931aecb926863707c76678f5b28a0f754d6a56595c36ab16b69c55

SHA512
0372dd7102d71d1f6463e74da8959d58ee3c85c0f3baec57a873fba32283c44b634c1ba65708c242717dc22ea9e5b1bb6e4194ea92268bf8ee736bd4da0c4000

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26D3.tmp

Filesize
5KB

MD5
d0f4fc9749c46b3d5c34a9edec2fc8f0

SHA1
4119d89d5e7e1da314403682d912f809478189d5

SHA256
4cef428df940741c9ef494390fce33f38bebf380edc357acc3712218bdf8378b

SHA512
50c6a93ec49623c50cd916813c0025815cd0889cef975f2dbfdcb2e3a2a7eaea5af37cd5a1bda25c0261ce38a1c0c0dbae4da72e8a8862e36e004a279b0e2a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2750.tmp

Filesize
5KB

MD5
d5759472d1dd24c1b902996f5b025cf4

SHA1
0c8e5aca2367559bf622b2471c01fb56f0f1d140

SHA256
39515395538cf03b2ae45a16268fa4cf5e476b68046d6155d20a1dd4f5011dc7

SHA512
5c7e2ab18eaa9cbc78fd56878ba19187d88adea86faec8439641424701d62485bf80f60095ec03572f182769401d9737edf80c8b9efeabb00449830eca48640b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejwkxqdj.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejwkxqdj.cmdline

Filesize
261B

MD5
cbf9687f20708d6f171f4620f1013cf4

SHA1
005d33fa77ecc2e03aa8a4f713b0b626aabd3f01

SHA256
abdfaa1dbde879b8a04e23ee858d926a5f467d9179de8d60795e7aa12815c6c8

SHA512
64c79368982a0f0690935f3624e213b2f2d56b128cdb2f93aa0e76952fd17dae7ea2257c67a68664d3735cdf64c5b1617897777534ce651750e0c9bf32d4e8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hok6bp2q.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hok6bp2q.cmdline

Filesize
224B

MD5
1850ad2243f41eef693906c554f0e236

SHA1
a932551da64cb928204495bf23ce29b282a1ea3e

SHA256
e48736ff09be441e78a3dd1b159c96ef7a05e54ba0d40a3625e3b8141919968b

SHA512
64a5a645b531b94c0a540729c06eeac9e3a7188b65ffef7c3c7bad2b33380edfbbff887c88f88a5d6146584785d3e3c355c854f08be81751870e6382846560b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwifdvby.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwifdvby.cmdline

Filesize
261B

MD5
14552f500326ef2dc1667c6590a2160a

SHA1
17236a45cf7f695283b75650b52265958bf0d02e

SHA256
73d0eef3c8ae1574e6b25a10799c8eae8a7bf3ad47f1cc3530db922a30f41110

SHA512
4b36ffc4f7cf5d137b8a6efa75576804c4b007beaa9f3968a8f8383794bda702b5854b12fef330762c3ad94d2c13a9f85efd19693ba3611dd3bfd65c3ed1e671

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
187B

MD5
08d2e4a2d9e2c22025fc369cc551ca6c

SHA1
fbb518fd33cf1c752f762dc43d904cacad3aec00

SHA256
0e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb

SHA512
92993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6ezmwfw.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6ezmwfw.cmdline

Filesize
253B

MD5
c01b77b85fda5860f4757a917cd73efa

SHA1
0d6e461430d986971073da6bbcc680c5ac106425

SHA256
27eadf7de44b1137bf86803d487d7054b04ba22587ee79b09e467b805ab4f701

SHA512
ee75d09fadfbb1f23cc2bdc6818949dc4fb21c770e4a9bca99892fc89b743ba2323499cc4e96aee6b1c414d0bc7f9c4fe02e1a341d0280c14df9220f70d81cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB93.tmp

Filesize
1KB

MD5
d243a4c28549185970b9724e06f2d229

SHA1
454cd1f3cccb368cfaccab068e09c5548d1a3b62

SHA256
bf9d46c251aa7108df5a81e65c60de2a82d64c472b51417580ebcf910867d347

SHA512
c2c38e34748012b285088ce4efe487caa76462e6f6bb34daf50f9125439d7fac96d09285351fa54b190aebf19eb2e41af1c55be159227cf0bdb52f11701b405f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc46E8609C41BC4D2ABDE6D257581CF6E7.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CD39A0EE66A4287AA40F13B82A97A95.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D11FA4F54F345F8B2DD428A21E44D30.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAAE2495CD1154275B146E24852B15493.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB0D32515FDEE41C793FCC1E9FD72C48D.TMP

Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3651FAD6E9E46A58DEF5F9CAB3AF615.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CobaltStrike.doc

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.doc

Filesize
7.3MB

MD5
6b23cce75ff84aaa6216e90b6ce6a5f3

SHA1
e6cc0ef23044de9b1f96b67699c55232aea67f7d

SHA256
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

SHA512
4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
memory/32-1400-0x0000000001480000-0x0000000001488000-memory.dmp

Filesize
32KB

Download
memory/32-1402-0x000000001EAD0000-0x000000001EDE0000-memory.dmp

Filesize
3.1MB

Download
memory/32-1401-0x000000001C950000-0x000000001C99C000-memory.dmp

Filesize
304KB

Download
memory/32-1399-0x000000001C6F0000-0x000000001C78C000-memory.dmp

Filesize
624KB

Download
memory/236-534-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/236-535-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/400-1420-0x00000000050A0000-0x00000000050C8000-memory.dmp

Filesize
160KB

Download
memory/400-1417-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/400-1415-0x0000000005550000-0x0000000005AF6000-memory.dmp

Filesize
5.6MB

Download
memory/400-1403-0x0000000000190000-0x00000000001E6000-memory.dmp

Filesize
344KB

Download
memory/400-1418-0x0000000004B50000-0x0000000004B58000-memory.dmp

Filesize
32KB

Download
memory/400-1419-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/712-1761-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/712-1727-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/880-499-0x000002E07C820000-0x000002E07C83E000-memory.dmp

Filesize
120KB

Download
memory/2320-1725-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2708-1-0x0000022CC0B60000-0x0000022CC0B9C000-memory.dmp

Filesize
240KB

Download
memory/2708-5-0x00007FFE30520000-0x00007FFE30FE2000-memory.dmp

Filesize
10.8MB

Download
memory/2708-4-0x00007FFE30520000-0x00007FFE30FE2000-memory.dmp

Filesize
10.8MB

Download
memory/2708-2-0x00007FFE30520000-0x00007FFE30FE2000-memory.dmp

Filesize
10.8MB

Download
memory/2708-3-0x00007FFE30520000-0x00007FFE30FE2000-memory.dmp

Filesize
10.8MB

Download
memory/2708-0-0x00007FFE30523000-0x00007FFE30525000-memory.dmp

Filesize
8KB

Download
memory/2900-533-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2920-532-0x0000019113690000-0x0000019113FA4000-memory.dmp

Filesize
9.1MB

Download
memory/3156-1728-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3944-1760-0x000001EDEF2F0000-0x000001EDEF31E000-memory.dmp

Filesize
184KB

Download
memory/4448-1710-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4448-1723-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5436-1387-0x000000001B740000-0x000000001BC0E000-memory.dmp

Filesize
4.8MB

Download
memory/5436-1388-0x000000001BC10000-0x000000001BCB6000-memory.dmp

Filesize
664KB

Download
memory/5436-1389-0x000000001BD30000-0x000000001BD92000-memory.dmp

Filesize
392KB

Download
memory/5840-1762-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download