Analysis
-
max time kernel
325s -
max time network
339s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
26-12-2024 20:35
General
-
Target
love.exe
-
Size
378KB
-
MD5
e83915bdfb53ea92d7c658df791ee350
-
SHA1
8491c706d9d3ea15ff499c9dd987578edaea7b26
-
SHA256
6f97b94fb0193b0a04080a069af5c0c04a47d92886379a4cb85d8905ebff93ce
-
SHA512
f91e068d35104c81109128b05592591edced18e0a07b052b847a1461f2900541fdc369630e7fc8b0950bbde8335627e3fd30cf058f00bb277d925d9f4a1daccd
-
SSDEEP
1536:SHqDZO7Obu55kNep+0Ze0fgZwRgg/JMbw3/uTh/y0qsmM4ZdyNNnttBQxLfPKgoN:SHq9O7ObPNghM42UyF
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
remcos
1.7 Pro
Host
nickman12-46565.portmap.io:46565
nickman12-46565.portmap.io:1735
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Userdata.exe
-
copy_folder
Userdata
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
remcos_vcexssuhap
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
warzonerat
168.61.222.215:5400
Extracted
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Extracted
C:\svchost\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
UAC bypass 3 TTPs 2 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
RevengeRat Executable 1 IoCs
-
Warzone RAT payload 2 IoCs
-
Disables Task Manager via registry modification
-
Drops startup file 7 IoCs
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 24 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 25 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
NTFS ADS 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\love.exe"C:\Users\Admin\AppData\Local\Temp\love.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff846bc3cb8,0x7ff846bc3cc8,0x7ff846bc3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,3301400590693939880,10466711525887600822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3264 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
-
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4g2lnogv.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES145F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE982A48B6AB14F6DA11C7F8E814157.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8xwuldp5.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES152A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB005D0296BC64D7CB5BED89498E743A.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gthav1v-.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8252C45837E45AE98B84C1D9581D71.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tsdg4l5l.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1692.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D892288A1CB4C4CBC9278BD77524E16.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tsutmljq.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES178C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62DD750B53AC4C55B2BBEDEE6D7AEE5A.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvtusa1z.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1847.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8306E865D40C481797ED6F045A97C38.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jdhkjwcs.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc853D55F37EE14FB493C863ACEA2AD641.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s70nzxpt.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1980.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA70DFBFDAAE84D0985F2FB9C60E6A4C1.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u5llccxv.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39B83280B8B44175AD77B1F2EDACE679.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-hczzmsz.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AE6A1407BCF447A86CCF229DA7F8A2.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qazhnilk.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD4D42AAA574ED9BB8C61879F062A4.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g0rguxzx.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc257907D8CD5B4849B95CD7F8B071DEA8.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hcbw_9kq.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48E4CC7235FD401DB771CA7CA9EA1EA5.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\movybahu.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD63C6AE685804F13A77B8D6EE35D9DB.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sigv0vui.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D48.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60CA6602A5A64330B1F6E8C4A5ACF82.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4s2ru2g.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc645EE8A541384016A0D29CF844D7D9D.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dueiacgl.cmdline"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1ECF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A160316F394948A584FBE0D3B0FBC4.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ai02ce1w.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB5AA705AAE9499DB58A9B637CEE157C.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zkprxavo.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2065.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF1B93636DC5486C86FA9748908F890.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\duqjvsz6.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2102.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC400CE683D9D4A4B85F8BBF9CB6BB06B.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wn4vv3o8.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES217F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc392FD6F7CE34435EB82AF2FD4BA14C4A.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvgqbqj7.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES221B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFDA420310C24C45BA92CA62371E979.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ig-kmgyg.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE730.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85E1D55BA733486DAE6ABC70C59B36F4.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\72_bot1e.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A0FA78687D34053AD5A26B4722F216E.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdtsbm9r.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47D7C85DCF247F4BF888F84E21517C2.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alkuayhg.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50313B137D48CC815A679155C86564.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ekf1c4eg.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7423C690307246489B34A080F3B7BCD.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\no4njwvl.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68FAC3B77EF94E16B4B515957F425E8.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j8jdrxlk.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC438EF4A73444BF79B544241395BC10.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kfkdel0x.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB471414F9169459DBE9459E13BFE49F8.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ggw_ohem.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF02DDDBED6FA4FCD89ECC65F1361F43D.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sre5z07y.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc526B08A11BB54BC9AEC7327ED0F9A817.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ktjetbyz.cmdline"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plqqp8ti.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jcwjaw_v.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2998.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA64B4C3BB344A71BC2A9FAB8AF5DEED.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8jo4pfeb.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA715E96C21D04E1EA5BD8D4A978CADA9.TMP"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q0-ktgsd.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3020.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73100C2CF42142E7AAF3CB3129426F3B.TMP"6⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nwbux-bm.cmdline"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3204.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7043B92E7FEB4EDC9DEDCDDC3EDD3BBC.TMP"6⤵
-
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB901.tmp"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\AdwereCleaner.exe"1⤵
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4C8F43C22E72BF34E1BE125A2F3F267F2⤵
- Loads dropped DLL
- Blocklisted process makes network request
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BC7BC3A59E3107053BD775F1B458F797 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Xyeta.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Xyeta.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 4722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1360 -ip 13601⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 77551735245677.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\WannaCrypt0r.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 126041735245678.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
-
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\taskse.exetaskse.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ClassicShell.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ClassicShell.exe"1⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa399e055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD536fb997cd915ba26123e1e42b3476c04
SHA160711e98d4d9fe38e3f9a6a3f1c49a3ecebc891c
SHA2560f68fb3e905b1dc976406381532feea59effd21194b0dc8faeb9403c12fcddfa
SHA512d5310a4c72e156b2725df71251b053f88554a45d97d34657dc1faba9d741ad251b4a63fd04409cae9e9f66b0e569045c8cd5e2912be0c81c406d7ee312ddfd94
-
Filesize
978B
MD5f3a273865c8de9467601cad567fa7de5
SHA1656bcf64d0896c795c05ffc2c7cf15e2dc2cb8d1
SHA25610be0d76e3c7ac20c753839673f4bfa0964bbb112094ab5363b19ad7bf458dc7
SHA5128cc8e9eee38c3e79055ffc7fca3b4f369e4641a89d8d7f720c16077f75030bdfe575f231dd112fef100605e03bb80c5afc321b4bfaddae5b2bd10b69d01b69be
-
Filesize
4KB
MD5602ddd0c457eb622800ec2b65d1a3723
SHA1e322f2927b3eb868f88f61318589cdbc9b5e4554
SHA2566491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82
SHA512eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b
-
Filesize
4KB
MD5bb4ff6746434c51de221387a31a00910
SHA143e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA5121e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1
-
Filesize
4KB
MD528d98fecf9351c6a31c9c37a738f7c15
SHA1c449dee100d5219a28019537472edc6a42a87db2
SHA25639445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0
SHA512f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
152B
MD55431d6602455a6db6e087223dd47f600
SHA127255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA2567502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829
-
Filesize
152B
MD57bed1eca5620a49f52232fd55246d09a
SHA1e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA25649c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
25KB
MD5d458599825f1991b12515799ea5c21ef
SHA1473f5e31b20136c270cb4c53b4ccdc8ea75b1afc
SHA256095bf74a4d0ea0c8abbb03e1371ed4c85d26e49d7218796934b784a08138e90c
SHA512dccc6fe06a766f706441638487424e5d11648b2fa549dfd0f2282d5d2dfa554a2e4190de01397402c49c4e394676afb8a3a3def150ea066fbe8b86d3a7bd7e3f
-
Filesize
30KB
MD5535cc1ffb7ea68fd860eb8f6138756bb
SHA1a282f287862c71c67cf62d4b827877c4e4fa7b7d
SHA256a986e3317f3ae48b136f81a345a992dbc4f0800c08786c563ee86ae71135df51
SHA512c1a719f4ed8f87b5ce4d4a96d4a6f9a75e757fc3d20dd13f6b96795b60135681c492b958168b0219d8bcd81c2a4f943f6d1b5ad5f9071acc10fba4068e3bf91e
-
Filesize
3KB
MD59ebd6b4142c99e834d6275ba3f4fd991
SHA19eda3e890879acd51f17a0b070a05e7f19dcd40b
SHA2569450488f512890baf5cd72a0a27f7f0ed9e61edadeee9e3f0ec7404dfe98e03f
SHA5129bfd15f25403c947f14a3f255dca7e833f1c16b4bc0b4bcaded7547ae1180d39371b5478f720119e3d6c03ffaec32d827fac71cc1998bf6d9bf1c879e43ea4f3
-
Filesize
3KB
MD57429b1f0b8b6be8ab1ebbfbf85b933af
SHA17f9e3d34ab4f06e95604332bcba21627074f3732
SHA25696fa5a3718dbd82d5d8eb4e73b57cdccb8cab6331a6d419a9041cdff5dfe227e
SHA51210662fb70118ff1dadbb6b51c1a410f9c9306efebaa89d0a9904aa81f69c2088f36050dbf027a8e6a8ac3faaaaaa0930a99a03dc25762de49805bf309f1d2097
-
Filesize
1KB
MD578067659be7b1482d90307c170a31c43
SHA1a2dccf1c046e9bc25aaaab945cfa46af4fe738b5
SHA25633733e4b7c26d33a73785acff6a835a7a8f7785c47413be61d563ec0da26b056
SHA512c82a0999b1a475f528728975c71edfd101e3187fcc7532d5f594860e679f6c4c7384c20969661b9d11e93bd7b03f77605acc381269f2248834993a394c870bf3
-
Filesize
1003B
MD52f552bbfa7a169eb50efa5e8973b7c3a
SHA122df8f37282aa5072442bf5634a92e799868331c
SHA2560e6769f7c2f39ffe9888e9cde4dae3929125a0c5641b8044ece727b1758658f1
SHA5121ce4d61e9663dd2ff16d659d5ef446428728871923aa6aab9c955c1feb82c8d33f154403620280f792c66c2143b8d78f9cdd0784b85b3654938f13dedd4e0c66
-
Filesize
6KB
MD58c50c98603c2f2dc75956ff9668e2784
SHA197bb60126f9086979ca6df235308c8828717b1a0
SHA25627e1ca12cfccec131cd38b98116d685b2a2aa53311c84a517373d18a7ae0162c
SHA512ed5d35b3eba53b31d9f4fc1b73fb6c0f4baf77b06c4815a763e9abf203f365062cc3ed333c78f5bc5b3366c00d5694dd34c8254f1dc4903a59da5cc90f745308
-
Filesize
6KB
MD5798af90adf26dc9254de7d8f02c3cd23
SHA1643c3c298160de4a665d346d542846deca1b0a2d
SHA25642de8787a74552a3197df744aacdd709d67f94d74f3fd6ed2ba97ba934180208
SHA51263bf34d49ca6c3ab6e5172c0666536fba301c9231bbcf532abbecd74baf512387f79131d1ffd7f91e483c787490449c24b1a316c08f76906399b5b7f463104b3
-
Filesize
5KB
MD597652f0ef25c30dee863d00680e80c9f
SHA1a5d27677e385fdfe9b2173d4bffc0f681cf0c4d1
SHA256725a89efa4fd004d790af8f2111ec59272e9c08daad9befac786463015fe0cc4
SHA51212ee49c666a146e0e7c335e18c5f0ddb74e6f698401e96e49b40185980257a5966d1836b86021d1268ca98333e8fcbf70aae38b03b06494906224ca5c435ca46
-
Filesize
6KB
MD5b710d87cf40398cb7f61ae94ae31e714
SHA15663dbd42136a2e94fc07ac38dc4458ca89f470a
SHA25603556443fa3df351107ccae18b35050ae20fb2e33474f4aec9ab9906d8051983
SHA512feff11b79d92103f0e6c23690e48daaca6404847a148696003c140160207964128d52e7f3ba0bc9a24a4b84bdc1a0faf496d7cd1df636d4f4b97c64a01ad39f2
-
Filesize
5KB
MD5623d58938eb0b7213662ad5e0482a535
SHA13cd8bd70d5e0cea5980a5097a4b4dd9c8a438df2
SHA2562bc60dcbdce2dc540abb517be23146e5728c9c130cda8e18ca98b9e55ce01e46
SHA512e856a053fd8a5638110f5d7069f6a725b12cab57e6139233ac7e6b518241eadea2b328eb7029c1a78014d70eae47453318333878a1085340d9cc50bf4161bd37
-
Filesize
1KB
MD55be3baec34290c3e29694a96ff9a2634
SHA1d3f5eb9c8e7960c391cd40a563f87bceb86613b5
SHA2567a3b4aaff86a5414c67d96c820532aef964af7fda20a11174f8799a0c6b63949
SHA5127e12646e4c46dbf557e79ba5b352e5de948ffbd4eb748e52faa7c16c479039b00ba9f8ad09f8d24303dd6bc623f44e6ef14b683f9e5e4d7b549e5f12bce7a9f3
-
Filesize
1KB
MD5bf8ea53c9cda12dfb2e739af7cd40742
SHA156dd25adbe32857b5169029e0f402768e14e7525
SHA256aaad2a25ab61ab536397ba2a2869515b92e5316003ad06c81f96d0c76e3f3f91
SHA512a7184e2ca33958f171242690e68aa155b0dcfb31545b8f4fdea5f9bc3b8a4901cd61d433bb85c22e1b425a6aae3979266d0980c4ed4a4d4247922abf5857dfed
-
Filesize
1KB
MD50ddb65a52c348c1c3dc4545ba03205bf
SHA1f651de0f41c65e8e775d20dc02c45acec7e14191
SHA256522c76c4869845bafa6ddd2d60b8648647a2ace1fbf9a28acb72524b8489f1f1
SHA512c8eed1ac27be127168ed40aa2658d4501d7504cec7ba8fa2377b3f7c3c68122ddd9a27d70c1a1aa86cc90d306f17ed2d6f8e796776c75d457f42e9c523efaa7b
-
Filesize
538B
MD5ebe4d441cdfe8d03416989bcedeec7be
SHA16e321cae8e3f884ec05ba71a5ac09e8f78e47a0c
SHA25698a6e37b652d184c69733a81d678d90dc57e16b892a1fddd360da3b34baad1d6
SHA51269e809c71b604ccc224dd77d6dc28dde3000bc0e6325907982c82827c3dc02517ffd18589b5282501bbb01ba07559150803bf921b52e256b4acd304ced1f97cc
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5d8faa99f558059bd9ceb903236bfdb17
SHA1cdec513c4824138bb1f44b93ea1fa0576fcb7964
SHA256359129eaea73cf02d7dc8fcf18f326b71e3942489ef83531085954ecabdab1c0
SHA51277f951fcd447790baec441cb50c61e362e6c4dac8d96ec91aa888ac05ce2530db0d74a9dbc89d148af57a86d72714835ef2a907966e6fe2ce88cf41056423ecd
-
Filesize
11KB
MD50ac27a3ccc598b6eedb8e5a90194743f
SHA12e60df6c4f5c1ffec78e8bac7cf228b947623c5b
SHA256fd97405b27beea63397ee6f951bff082522b5867edd7789eb68e1a71ca4d155e
SHA512458d20591a7a3e0812d65f17946011e303af451d1e26db8f4f24546a73c09c842a1fd9548e6a061af2eb29eb3555bd0a3375c1ab1b44a5e3af1f9b644937c2e3
-
Filesize
896KB
MD582213fad1d1aadbac5d8ad945cdde1d4
SHA1b756fc899f8953848095580fc986b2598e00ac2e
SHA256bb0850cba1b16053bb843978d4b50d0730be8d8306fb47d43cc7b2a22d948d40
SHA51209a8e61607dec1a9d1eec4ac8a1afc055715997805420f8f6f3b97ab4599be2e2b91f74c51b45bd69a22eccc1cbdaf74ee620d7b135d467a16c123d840568b0e
-
Filesize
896KB
MD5677b74bfc94e6c582f1268ad2fe8668f
SHA133e2851f7add6ddfb6c00594561f491e500ddb23
SHA256785adf45f1a4707173e0c8285dd8bc7497e652261ad70b7454315e453afc6afd
SHA512462c25259ad6ceb4fdb2383cbb1e0a0e127c7cf5df630456465732f9681183322ebd62c62d393d1f34d7ade076189812155ef2c456042ce731a5f146ee025905
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
14KB
MD57b7a75b9919c946c44f9c22d1fccffd9
SHA18197eebf9758bd8850c002daacdbd7b4df1ac469
SHA256024a3bb4f67c451312d7af5db9cad21ee4b7c32f141a566d52e0598335d709be
SHA5125b0f8ac4d71bd6789cef1559a95e8b3a22a722973ea33ccd7663e5d8594b98f6dcfb865a457a7d7065cd77ec7c31c01c37457f5593ec5f89e6b202c7c727a169
-
Filesize
369B
MD5e4a08a8771d09ebc9b6f8c2579f79e49
SHA1e9fcba487e1a511f4a3650ab5581911b5e88395d
SHA256ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6
SHA51248135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1
-
Filesize
253B
MD50e775c7e5983739c4115edfa4d607505
SHA10cd9eec89c5b71de47564cf1d39d82d176243e7c
SHA256e3acf79460ceea484872a3d5f48dd38c3c47667420583461eb57e6d3337d5c72
SHA512f766e36d2742d0e9f23d053caa57b89778775448227291d2ae2cee7c7cd07df1dcfd00398af19f7765a8f34a66dcb57b0d5ca8835a508c0db53a5de3a24a541a
-
Filesize
355B
MD5acd609faf5d65b35619397dc8a3bc721
SHA1ba681e91613d275de4b51317a83e19de2dbf1399
SHA2564cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
Filesize
224B
MD5fc302a7f273c563c63a5d0a94a22d097
SHA1ae3fc47071f06ddefaaff4b9f0f9bf2180dfc766
SHA25639d9e4d3bf9509b66246fb06bddbebd107bd1edbaa0bd16ab8c0664029e69fea
SHA512705352242f937e9f6662fd49e6d279148fcc1e0789333809d140a14bf200b359020108708d8ca751c80fc06cab8ef9907be598007bbb7d317c1749cab1c60a06
-
Filesize
84B
MD54d8bafaff075cfd78f08e96492f0748f
SHA1734f21d589e13ee4fe7911eb6e22a983aa6e9d36
SHA2560c3e47ed477bc9f3e8e05fb52b375238a08a4f9677c18b7031f52e52b2a25452
SHA5123fbca7799f8db77aa9483d84c269425d2a81266493b0ca0f5b851c6cdff17fddb287b8cbdf50b4459a50104ad4da8dd3b22d27e0ac32350b21f3cc9a783d1afa
-
Filesize
84B
MD5ec9c0b103df8c7e2a3b48ab9e355f1a6
SHA1ebdf44dfe2c0ba1d254fee4dd1029ec22b24bc96
SHA256d2acd6ed576fa300ecf4780203a24edcfa8e85865f2c41df8d677351c6b2780e
SHA512bce0baf3b4c7c8c55477df3b8c97207eadb24f7dbbc5854937ffd52823a3b2ef543f11801db6d0c45c9f63dc66b0ffb0b21c375eb41b950fc82bf1f9ba5b37fa
-
Filesize
4KB
MD5fcc061570d680f39f1b578c54609cbd0
SHA16f53d9b5a651e84dff2e0dec559a13ae3779383f
SHA2569c73c7a0daab297f44d8458675502a251c7002548d00be467fb9e32a79e389e6
SHA5124a86616c641b69170de9b3552987534093aea9d20176375886b53cb5c238d85a241e45ff85ba45567e05fa80f73fa2aaec05e97495ca0f10033cf66d8a00301d
-
Filesize
5KB
MD5ed7a3cc8753ccf71fdc8acf73d6792d0
SHA1237804d80da3139484a4108cf6b775e860e62608
SHA256008b73d81008cf8150f13a2a99f4a03203acea8cd09f4f8d9470f3901a3116b7
SHA5122e16e151f64a2ff457ff0a56833268afaac82fe27110bce563a1722ae3f8df9c845791a8d76994843afe817049c99781df16075d12fa9f11d6cccb346dfbfb85
-
Filesize
5KB
MD584244325358db4b5657cffb8a82f9b6f
SHA14abdd8b2970f9fe0ee24f4a08356121eb2864abf
SHA256c96c3171efd555bd8eb9bfef109b3926efffbb47f88f8febcfebcc39dc8a07e7
SHA512262b27c6b03d6f3f42f9a0800c8f9520e6947171e1a22bc91bbbeab38d9e52d652de20e2bb9358d5554487c89b32f6561344160426b29e235b7fc938fb64fb21
-
Filesize
5KB
MD5a3c872e11b94a53053fe14d09fa02873
SHA1975879b6c98f6718d8e932f2e036d756676a6237
SHA256110cd76ab2e24b692ad494919ddaac953734bc62b10cd3589a9ac96055faeca8
SHA512ca4ea74ab91789a355bbeaa9f622f54ff69f4f8e67d7342c08d0086d473d2b3e005d782a0039e3f88a3b9e73f46b6b51915e45b5d0a1964a1c995928ccb1da8e
-
Filesize
5KB
MD5561be69478294a117a7c317d6ad59c11
SHA138a0c1ce2aa9676f0dc14a15e53b6a51185e1e0e
SHA256447d3f33794a632dd33968facb77b06a943e34a2e162038f819694d9a95b5eb0
SHA5126909ef576be498eab3cc082c7e7007fc440ff6c672a1099c6bc283706fddc9dd25ae9e4af4689a277848813881045501c49af014509eef122f8e826d023ce319
-
Filesize
369B
MD583f6067bca9ba771f1e1b22f3ad09be3
SHA1f9144948829a08e507b26084b1d1b83acef1baca
SHA256098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231
SHA512b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19
-
Filesize
253B
MD576c052cf1afc33ffecdcb4c4d5d1747e
SHA138f08989d69c22a6331399cf50c8c908d33059df
SHA256c99cfc417fb431383b5c5c5a8f6e67cbed1f75dd0dd47bb1655d072dc0d6be42
SHA5128f46b192c165199fd1444695aab3addc7a76e41d348e9aee6d5eb192aa4360f2c605d7cdea7931afded0a11802227432927e04f628ba412f8d0d8496d6792b70
-
Filesize
187B
MD508d2e4a2d9e2c22025fc369cc551ca6c
SHA1fbb518fd33cf1c752f762dc43d904cacad3aec00
SHA2560e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb
SHA51292993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686
-
Filesize
1KB
MD58eadec610e1257c2c95dc0a114c8a1a8
SHA171535fc3b41b7ccdcf2a707b672beb1bf9a0a03c
SHA2568a457eff5b84287b1112d2e91d68c6b7ce6927cdf2914ea211959e9ee4914892
SHA512e9003796720756884994085a9e818779c6f1fd148816e1a46fff5e399d85f5e51e4053406e89868406eb74882b52d9cfd801fe897a947b2e22e12a56bddff245
-
Filesize
355B
MD56e4e3d5b787235312c1ab5e76bb0ac1d
SHA18e2a217780d163865e3c02c7e52c10884d54acb6
SHA256aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706
SHA512b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8
-
Filesize
224B
MD5f7582b17aab3b91f7cca76ee15d34910
SHA1101b2dafe9700b45749e45ab53b34f0bafa6a001
SHA256ffe5eca330cd48237a4f9c38878ff5f1dc7220d53136d4b2b1114c98a8cd4dd2
SHA5126ac789ed35e71e86dbccd1357a8f91f6ccc8da5648d4a2f286edcbb0240905acbe9326ac13cd8cb8e8babfe9ce696c43e1ed46670a67f0dac1a2630c1c8b9212
-
Filesize
373B
MD5197e7c770644a06b96c5d42ef659a965
SHA1d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc
SHA256786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552
SHA5127848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7
-
Filesize
261B
MD50fc91c6233f5379f1f5eca9607d7058e
SHA15c5e91a603f319cad97e706e73e858e8484a74ac
SHA256b214802caf94a06276646d392b29e8ad8fc22836875fdfdd73433196abc25ad9
SHA5124709b2df6a6e50a1aa5ecbd5233310e3be5d19465ba223c637f8a25fe6a8a26f89dca9aae5dc4adfa494aa4ececb1510e4ae215884a5d2eb59e306db6a0e6fa2
-
Filesize
91B
MD5de97f8c7f4f066b79ad91c4883cc6716
SHA192cc8bf74888ea1151d9fd219eb8caee02978556
SHA256a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9
SHA512cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3
-
Filesize
5KB
MD5d56475192804e49bf9410d1a5cbd6c69
SHA1215ecb60dc9a38d5307acb8641fa0adc52fea96c
SHA256235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee
SHA51203338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
5KB
MD511cb9aba8820effebbb0646c028ca832
SHA1a64d9a56ee1d2825a28ce4282dac52c30137db96
SHA2562a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8
SHA512d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375
-
Filesize
5KB
MD5abeaa4a5b438ffa58d07d9459e5c1d6c
SHA169631de7891162dd4840112a251f6531feae7509
SHA256ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd
SHA512c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
5KB
MD584e9754f45218a78242330abb7473ecb
SHA13794a5508df76d7f33bde4737eda47522f5c1fdd
SHA256a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835
SHA51232b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
Filesize
183KB
MD53d4e3f149f3d0cdfe76bf8b235742c97
SHA10e0e34b5fd8c15547ca98027e49b1dcf37146d95
SHA256b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
SHA5128c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
-
Filesize
92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
Filesize
1010KB
MD527bc9540828c59e1ca1997cf04f6c467
SHA1bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA25605c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848
-
Filesize
126KB
MD53531cf7755b16d38d5e9e3c43280e7d2
SHA119981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA25676133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA5127b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
933B
MD5f97d2e6f8d820dbd3b66f21137de4f09
SHA1596799b75b5d60aa9cd45646f68e9c0bd06df252
SHA2560e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a
SHA512efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0
-
Filesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
1KB
MD598081fe704d57eaa51d40735af966752
SHA15489baf626527b5b1a9308d625b65819ef35ff0c
SHA256acbff86408da00a9a7901789035556e18b35e2e666dcd56347c8507e3abc9935
SHA5127002a45a3c8cfdad99f01dc3848b0d1d884f323f1437cbb9774029cffe417c5a975c49bdb116e6e46c17c239c6b2775cca55f319cb80f0c72527dd92e2a4b9a8
-
Filesize
503B
MD52adeac5ab6bb41c6d48e2429229883bd
SHA13c27257a087dc283aa0f8c25598403e153977e45
SHA25654635469097bafed46e767336a2ba71f25e22b92aa29852db255d6970562049b
SHA512ad34a27d609565f1a3ffd000a54e4c055dbcdd328b9c07b8d7a98cfbf6131bfd21208ffcbbc53d998f556cc9fe220d51fa254a63a30474033a6a340034f48cde
-
Filesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
180KB
MD5d552dd4108b5665d306b4a8bd6083dde
SHA1dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969
-
Filesize
88KB
MD54083cb0f45a747d8e8ab0d3e060616f2
SHA1dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA51226f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133
-
Filesize
92KB
MD5fb598b93c04baafe98683dc210e779c9
SHA1c7ccd43a721a508b807c9bf6d774344df58e752f
SHA256c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
SHA5121185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
983B
MD5cfb19215676de5c93ebfaf2ba54395bf
SHA1ed7c4e132fb457e954aa86fd8755512b791a4a39
SHA25610a476c89cec3c71ebfb2023e49c09825ee30a4fe3a1c33a93445f10b787e5fe
SHA512a2862628206efe53a4d1ef30ddcb466fcb558cc9d44be42f2b8157b38de2321d90730d92ed53acfd1580be117b9076179f0932976ab993a7fb4c390415b7b3c0
-
Filesize
392KB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
92KB
-
Filesize
624KB
-
Filesize
3.1MB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
624KB
-
Filesize
344KB
-
Filesize
584KB
-
Filesize
32KB
-
Filesize
160KB
-
Filesize
5.6MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
48KB
-
Filesize
6.8MB
-
Filesize
2.1MB
-
Filesize
3.0MB
-
Filesize
2.1MB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
520KB
-
Filesize
3.0MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
136KB
-
Filesize
476KB
-
Filesize
112KB
-
Filesize
3.0MB
-
Filesize
2.1MB
-
Filesize
3.0MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
6.7MB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
260KB
-
Filesize
260KB
