crimsonrat | ff9bcc893b22e1df006c80a1925e066b630cccfa1d9474ba965ab95d59902018

Analysis

max time kernel
143s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-01-2025 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Design sem nome.png
Size

19KB
MD5

0398b690fb992b2fe7e0f69bd23009e1
SHA1

013884660655b1ce068a7fbe6a34c7d30b4f4c01
SHA256

ff9bcc893b22e1df006c80a1925e066b630cccfa1d9474ba965ab95d59902018
SHA512

dc684e45b63cf6d3ef5fda4fa022bf5b75644ec58fbfc9a8c62d68117df251351e0aef8fa379169afc8d533f3719c220839f9478eee52f40fb399dd31e3c7c72
SSDEEP

384:Pgxn8UgxVMAPnpwizvpYN5R7fyvUodyZFfKRCrt7Kw8EXEJoqr:o2ZXnpwuK0UodyZNKRct7KU4ok

Score

10^/10

crimsonrat darkcomet defense_evasion discovery evasion persistence ransomware rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000000f4c4-625.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3624	attrib.exe
4868	attrib.exe
2284	attrib.exe
1864	attrib.exe

Executes dropped EXE 5 IoCs

pid	Process
3600	Blackkomet (1).exe
1976	winupdate.exe
1352	CrimsonRAT.exe
856	dlrarhsiva.exe
2088	000.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\G:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
3	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet (1).exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet (1).exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA	Blackkomet (1).exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet (1).exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet (1).exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper	000.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Adwind (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2976	taskkill.exe
3936	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{44D1220E-50A9-4F29-A839-33127B408612}	000.exe

NTFS ADS 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 555307.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 667658.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 487791.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 132636.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 158696.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 355722.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 980058.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
4296	msedge.exe
4296	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe
1760	msedge.exe
1760	msedge.exe
1796	msedge.exe
1796	msedge.exe
1488	msedge.exe
1488	msedge.exe
4144	msedge.exe
4144	msedge.exe
1824	msedge.exe
1824	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
2384	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3600	Blackkomet (1).exe
Token: SeSecurityPrivilege	3600	Blackkomet (1).exe
Token: SeTakeOwnershipPrivilege	3600	Blackkomet (1).exe
Token: SeLoadDriverPrivilege	3600	Blackkomet (1).exe
Token: SeSystemProfilePrivilege	3600	Blackkomet (1).exe
Token: SeSystemtimePrivilege	3600	Blackkomet (1).exe
Token: SeProfSingleProcessPrivilege	3600	Blackkomet (1).exe
Token: SeIncBasePriorityPrivilege	3600	Blackkomet (1).exe
Token: SeCreatePagefilePrivilege	3600	Blackkomet (1).exe
Token: SeBackupPrivilege	3600	Blackkomet (1).exe
Token: SeRestorePrivilege	3600	Blackkomet (1).exe
Token: SeShutdownPrivilege	3600	Blackkomet (1).exe
Token: SeDebugPrivilege	3600	Blackkomet (1).exe
Token: SeSystemEnvironmentPrivilege	3600	Blackkomet (1).exe
Token: SeChangeNotifyPrivilege	3600	Blackkomet (1).exe
Token: SeRemoteShutdownPrivilege	3600	Blackkomet (1).exe
Token: SeUndockPrivilege	3600	Blackkomet (1).exe
Token: SeManageVolumePrivilege	3600	Blackkomet (1).exe
Token: SeImpersonatePrivilege	3600	Blackkomet (1).exe
Token: SeCreateGlobalPrivilege	3600	Blackkomet (1).exe
Token: 33	3600	Blackkomet (1).exe
Token: 34	3600	Blackkomet (1).exe
Token: 35	3600	Blackkomet (1).exe
Token: 36	3600	Blackkomet (1).exe
Token: SeIncreaseQuotaPrivilege	1976	winupdate.exe
Token: SeSecurityPrivilege	1976	winupdate.exe
Token: SeTakeOwnershipPrivilege	1976	winupdate.exe
Token: SeLoadDriverPrivilege	1976	winupdate.exe
Token: SeSystemProfilePrivilege	1976	winupdate.exe
Token: SeSystemtimePrivilege	1976	winupdate.exe
Token: SeProfSingleProcessPrivilege	1976	winupdate.exe
Token: SeIncBasePriorityPrivilege	1976	winupdate.exe
Token: SeCreatePagefilePrivilege	1976	winupdate.exe
Token: SeBackupPrivilege	1976	winupdate.exe
Token: SeRestorePrivilege	1976	winupdate.exe
Token: SeShutdownPrivilege	1976	winupdate.exe
Token: SeDebugPrivilege	1976	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1976	winupdate.exe
Token: SeChangeNotifyPrivilege	1976	winupdate.exe
Token: SeRemoteShutdownPrivilege	1976	winupdate.exe
Token: SeUndockPrivilege	1976	winupdate.exe
Token: SeManageVolumePrivilege	1976	winupdate.exe
Token: SeImpersonatePrivilege	1976	winupdate.exe
Token: SeCreateGlobalPrivilege	1976	winupdate.exe
Token: 33	1976	winupdate.exe
Token: 34	1976	winupdate.exe
Token: 35	1976	winupdate.exe
Token: 36	1976	winupdate.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeShutdownPrivilege	2088	000.exe
Token: SeCreatePagefilePrivilege	2088	000.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeShutdownPrivilege	2088	000.exe
Token: SeCreatePagefilePrivilege	2088	000.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4296	msedge.exe
2088	000.exe
2088	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4128	4296	msedge.exe	81
PID 4296 wrote to memory of 4128	4296	msedge.exe	81
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 3160	4296	msedge.exe	82
PID 4296 wrote to memory of 5096	4296	msedge.exe	83
PID 4296 wrote to memory of 5096	4296	msedge.exe	83
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84
PID 4296 wrote to memory of 2940	4296	msedge.exe	84

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3624	attrib.exe
4868	attrib.exe
2284	attrib.exe
1864	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Design sem nome.png"
1⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc8a83cb8,0x7ffdc8a83cc8,0x7ffdc8a83cd8
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6888 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7088 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1104 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Users\Admin\Downloads\Blackkomet (1).exe
  "C:\Users\Admin\Downloads\Blackkomet (1).exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads\Blackkomet (1).exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\Downloads" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4868
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6720 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:1352
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13267461242412169846,5598488983541790340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:1224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c2bda97dc2c3d82ad3d4f532ae886d3d

SHA1
e0da06b90dc2c53df54153eca745c7e95170d3f4

SHA256
113cabf4d60765ad15803c3eac2e165feb9edc156b8c00c9691de7e07031b508

SHA512
f1f1032c3c0666b3acc820386c25239e8dfac18b5f94f95b1a85df6d3bc54f209dfcf1a5e744015c1dfbba7168a8bdc3b4a8f56c8167acb51e9002db683499fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
47c5045efed40b95192be1ecd0271692

SHA1
841cf9e86a5383facbb938d23cc72e6c38c0acbf

SHA256
adda9e6db233b9da400ea52103a36c661f2700f8dcb6d27296d5e141caa485eb

SHA512
7fcee16e681ec74b39f466eba9942d06acaacba6e63476a4c9b1e30831736b148d85739d535547ee4dd151b86af975bb13011559a1f06f177dcc111e27d034c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44d19aa193d3f3af3a562de22ca8eea0

SHA1
bc9d9a145ab7a28d3ca0e395142d5195dc047f82

SHA256
5eb9802ad5481ddc74a57d5061516469f6c9d41a677690f213bdf595fa93cbaf

SHA512
ef3a077a27c23d3af01e5588e59f3e22fd52eb845819945c8b0f2388ab5d85391ac1dbe89bc3bedd9cbf8aac4163ec2b91aad4f2214aebde550a3d82a26f3437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd79771501d2640f4a936eaf861771ae

SHA1
6c7279b89c6bf875dffeebf2742755e3054417be

SHA256
48ffad992b5eec84828f34caeed39f96cb7810ebb9a513e1f6125ced8b5e3fc3

SHA512
2857479f23478f11bc47792f4cca54d59327405cb30633f9a31c838eb26bf939db29d50a627b6f3cb867b440007e73fa788c940bb8af20e15ccaf2843f21038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
577a1125497587452b345eea83607f2c

SHA1
3eddd6e92cf2078f8149f70338be06d7178d5cd0

SHA256
3b3569a93817ce018a31e48dc43840e9600b45ee35471ffb1080a820f0e125f9

SHA512
71584f2514910c341a00adfa8e2a29da87e324d09a2c7d253e2fa1b3d20712f6a3afe93920082915a39625e41a0fd91c4f90774d7497e675aa60d2b29958cb58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b1062df647649d04f17d79f3bcfe57a9

SHA1
05c4a5e8b9c9d43fdbf86909351eae4546165968

SHA256
d2683b9ca8190b380116112ef99d64ad808be14049b28df6da530f3abf3bffe1

SHA512
5be92c6daedf623fface893b8be314654131e4c1ed63a5bfccd8a3bc81de3d3c74a5c0c9046b455a54259ea11e3f8c20a433a70faf3013edd8666b4286c3eef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a60bcec51202022078619ce5e614164

SHA1
9e28b29b97b9d80a7f854b2dfc0266a39d1a6e76

SHA256
a5019afc5d9e7886621513bdf911fcf39b40a1840f9bb2818f873983bcf5a2fc

SHA512
89de4d229fb4fbcb618d9512de8c1a12f108737ce3d3d15f2529e46944ed9576f3a7e537bc01d54bd6890116a20a0a818db42e25feae785f22e8b05e6d0396ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ccf1f78da9c19ce0c00769b72e3a342e

SHA1
de8eda82d2cb8073a9c349ef81cee6208cd7f613

SHA256
b6dc110d812a6c835e69e2a57547511b69f386c63b97d2c736cd7ddc02e3d540

SHA512
6cc84633689282be3d807a726516149370836f36b8888a24537a62af2c4382f969cf9717dec43ca7abf59de810d3d548f43ceb5550053ef09bb309f6e99d1882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d882dd33008e5ace23af952f9ec7ea90

SHA1
600685c929b9eb92ec265ccd55dd1bbb687c59d4

SHA256
7b61e2f888faa9517085b76f0f40400f8e2def1f0b83be9a5181da56017ef844

SHA512
ceedbd22ab268f2feb133937f475f8789aa5c0644a85e8fa17466406359868ea2092b7b6b69053caf45dd1b5a5f62d393e6dbd27e7133f4fff549bda2d874d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2163ecd2dbea88dd6818025e4b5f4a66

SHA1
758542b2d0457e9d32fa16019eb6e9d0cedf1210

SHA256
f7052a995430106ec32f365618f85da85a8d34613ab8d8624c4fa90da03ea48b

SHA512
735393875505bda45bfb85e4980190fa605ac81cd4664682b5096212b4cfa1b5b1c52e2f7cf1dc8a0bfeb0d394195c95626a2be0cfb565b944c4a3a604a57896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0dc2aa0e8de78c3cf6f81d5c213dcd4b

SHA1
d1bad174289bcd0be43e6099b12e56e3010e7e20

SHA256
837a532a2808fd1cbfd15b118f045f0982572dfd1023f8ac028c25bfb2719007

SHA512
da01aabe3e0a4b86309990ab0a1508f855f0a71f2c035137ccd75acbb931f5ed7c2a576cac6d8a12dceb94d4e00869f8014d4fa40fdc46b0fa916640d519836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77801b2b09390eda3305b9297e97b5de

SHA1
0b1e8f70b757f67011b455e052844e681240ad8a

SHA256
8716b8513250f3bd42ebc137082741787b5297fb49aea5a89d35a9f02cf501f0

SHA512
d8a3d40ce5152463f965dfec1a7c4ed9ee4b0f36b5b5db078f945761ff4009bd7af0b40f233ea225f7e4707c87d9983473e2a31f0be4e0c3500ad57f3362485e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581690.TMP

Filesize
1KB

MD5
7a138b8c1d6b8dc9aa6e6dd1016d8c1d

SHA1
ffc95ccfc44fba296751506e09191d178e869699

SHA256
9b9ca7761493f69e2e2a4e927f2071e8461fe489a3564267244b5790979a5628

SHA512
dd19168ff23c4935af8e5b0b1c9f1b497062e9a9d61a0c3563f72cc73af2c144341d87b2bb0168a6abe08f324858cce6e94c2f0ea1d82e39e9860edad325f421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
110fefc147084db9448e066e11715a6e

SHA1
d115840c199c2e0aeb8f88f556ea3199ceaca16a

SHA256
760c50ba36c2ec4c56b2689ca5c06aa91cb9be358a22c0b7c3dcd913de5728d0

SHA512
156efe678ac32a1df5928929540a537efa1a1dd26fd7f08c9be052d65cf801a441fa16a0b80f78dffc8515695225f2051fc6d114d838e2a7d601d054782c94b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d3e3fa974834dd83c460161b182e19a

SHA1
769bb2e3f187d0e7ecfbbc299fafc1d905c2ce4f

SHA256
3a3ef799a785ab10752221d87729da54dcbad63822e1e58a5ba691921e07f150

SHA512
efe8d4e549d94376f6ab35d03eb773203b8d35d6d2f335e62877c7ee70b72898017d36bba0deca8151c896edc0da1ddbcbe3628fac4ebae88121a6b9c324fc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
731b62876de411c6b3c4e6966afa7b43

SHA1
cceac6606fc0efc985d1e84a767564028ba976a0

SHA256
693267849b6a7728f6e0c829899f4508aa0a82a777683bac7a448de883781154

SHA512
cd49d0f1ad3ba65360c47e665f46fd30e4851d3bfafc6d2796748f7643d34c015a7cf84e00ae15c1c371e278e30c6197d8214ae66c217bf351c29bd0e107fe15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0bf5aa03b2773dca27fc28d7512c5657

SHA1
56cfa64f13f90a63b4616cafcd7bf3e5e3713945

SHA256
87a9a1d97c9548dc4af30cefe115f2d0e747a74b311d690e7c5707612394686d

SHA512
63bff545bd48517c3062518fb90ee8677acf1c9fb99987cac421f6d9fddb32a8956c44f5b8a2b89f4b054df27762bdf9814e143814bc6365e1f6ba1840f582ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
190fb9b95f9e9ab3eb5fcdcc61d9da03

SHA1
80a983fbcdd7fb3d991c5c01d1a200964a39fd91

SHA256
be2d02ac8d7f3995619fb01dbd01d8f986685faf19a6ccf2916f0c7d3c3e7c08

SHA512
aeba9fe81fb498fcecbf4ffd197e256c2a9483453b122fb27e8bb36672f76aa1e754467145b3b4d9b69dbdc5f9e3da3f33cbe1e45b7af55c7aaaee3766dbf1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
bf7d32659b76157248de44b66015b3f6

SHA1
dbd744c003d47e58a3612fa1d1020c3daba06e63

SHA256
21ec64c7e3a634ecb92c21e2d4e3dac80346a2d4c77a40e1a90bff2e2c68d947

SHA512
4333acb707d59e28db97988fe548b738b4f31569aabc330b580301ec84d0790997a7fdade14841e875bab6a8a0af01bcd5d1a5f27ca8748786d86ebda7d5fbb0

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\052f0ab7-3cd3-41fd-9575-336154c9039c.tmp

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Adwind (1).exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\CobaltStrike.doc

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 555307.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 667658.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/856-634-0x00000132B23A0000-0x00000132B2CB4000-memory.dmp

Filesize
9.1MB

Download
memory/1352-601-0x0000012AA6500000-0x0000012AA651E000-memory.dmp

Filesize
120KB

Download
memory/1976-535-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2088-724-0x000000000BD80000-0x000000000BDB8000-memory.dmp

Filesize
224KB

Download
memory/2088-730-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-728-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-729-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-732-0x000000000C090000-0x000000000C0A0000-memory.dmp

Filesize
64KB

Download
memory/2088-733-0x000000000C090000-0x000000000C0A0000-memory.dmp

Filesize
64KB

Download
memory/2088-735-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-736-0x000000000C090000-0x000000000C0A0000-memory.dmp

Filesize
64KB

Download
memory/2088-734-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-731-0x000000000BD70000-0x000000000BD80000-memory.dmp

Filesize
64KB

Download
memory/2088-725-0x0000000009630000-0x000000000963E000-memory.dmp

Filesize
56KB

Download
memory/2088-706-0x0000000006280000-0x0000000006826000-memory.dmp

Filesize
5.6MB

Download
memory/2088-705-0x0000000000A40000-0x00000000010EE000-memory.dmp

Filesize
6.7MB

Download
memory/3600-503-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download