hxxps://github[.]com/Viper4K/malware/archive/refs/heads/master[.]zip

Resubmissions

17-01-2025 12:20

250117-phrxmaxqej 10

17-01-2025 12:13

250117-pdsclaxpam 7

Analysis

max time kernel
381s
max time network
376s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Viper4K/malware/archive/refs/heads/master.zip

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AWEF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Go.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Error0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Error.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Rest.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	RC1.exe

Executes dropped EXE 10 IoCs

pid	Process
5992	40EAAEFC0E.exe
1492	Error0.exe
1816	7za.exe
1552	Error.exe
2636	Rest.exe
3720	Happy.exe
5644	RC1.exe
6012	KIDKEY~1.EXE
4580	AWEF.exe
3376	Go.exe

Loads dropped DLL 2 IoCs

pid	Process
6012	KIDKEY~1.EXE
1552	Error.exe

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Error.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	1003.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Happy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	1002.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	40EAAEFC0E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	40EAAEFC0E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	1002.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*40EAAEFC0E = "C:\\Users\\Admin\\AppData\\Roaming\\40EAAEFC0E.exe"	1003.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CODE EVO = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\CODEEVO\\\\CODEEVO.exe"	reg.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/5324-593-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-592-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-619-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-631-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-707-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-730-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe
behavioral1/memory/5324-741-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5324-564-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-593-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-592-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-619-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-631-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-707-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-730-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/5324-741-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x000200000001ecf3-793.dat	upx
behavioral1/memory/2636-799-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x004c000000023299-825.dat	upx
behavioral1/memory/5644-826-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/5644-860-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2636-862-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/4580-1032-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000b000000023b7d-1033.dat	upx
behavioral1/memory/4580-1040-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000e000000023b7f-1051.dat	upx
behavioral1/memory/3376-1052-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/3376-1060-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CODEEVO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D3STR0Y3R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DELmE_s Batch Virus Generator v 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Error.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KIDKEY~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Go.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkHorseTrojanVirusMaker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6084	taskkill.exe
1864	taskkill.exe
4900	taskkill.exe
5128	taskkill.exe
5332	taskkill.exe
5156	taskkill.exe
6092	taskkill.exe
3720	taskkill.exe
6140	taskkill.exe
4216	taskkill.exe
5288	taskkill.exe
5412	taskkill.exe
668	taskkill.exe
1744	taskkill.exe
3964	taskkill.exe
5880	taskkill.exe
5216	taskkill.exe
5604	taskkill.exe
6120	taskkill.exe
4768	taskkill.exe
5608	taskkill.exe
3044	taskkill.exe
4768	taskkill.exe
1744	taskkill.exe
5948	taskkill.exe
5652	taskkill.exe
5340	taskkill.exe
5492	taskkill.exe
5576	taskkill.exe
4176	taskkill.exe
1360	taskkill.exe
5288	taskkill.exe
5748	taskkill.exe
5228	taskkill.exe
5688	taskkill.exe
1484	taskkill.exe
1200	taskkill.exe
5320	taskkill.exe
5740	taskkill.exe
3116	taskkill.exe
6120	taskkill.exe
5776	taskkill.exe
1036	taskkill.exe
5468	taskkill.exe
6032	taskkill.exe
5984	taskkill.exe
5176	taskkill.exe
2044	taskkill.exe
5192	taskkill.exe
5444	taskkill.exe
5364	taskkill.exe
5908	taskkill.exe
388	taskkill.exe
5788	taskkill.exe
5828	taskkill.exe
5472	taskkill.exe
1636	taskkill.exe
2028	taskkill.exe
2540	taskkill.exe
5636	taskkill.exe
6048	taskkill.exe
2836	taskkill.exe
5176	taskkill.exe
6072	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94440-E5E8-101B-B9B5-444553540000}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\InprocServer32\ = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\DarkHorse VM\\COMCTL32.OCX"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ = "IToolbarEvents"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CLSID	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	DarkHorseTrojanVirusMaker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E6393-850A-101B-AFC0-4210102A8DA7}	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ = "IPanel"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	DarkHorseTrojanVirusMaker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	DELmE_s Batch Virus Generator v 2.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DarkHorseTrojanVirusMaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	DELmE_s Batch Virus Generator v 2.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E88-DF38-11CF-8E74-00A0C90F26F8}	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\ = "IControls"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\MiscStatus\ = "0"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}\ = "Slider General Property Page Object"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E944-850A-101B-AFC0-4210102A8DA7}\ = "ITab10"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\ = "IImages10"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D94-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3"	DarkHorseTrojanVirusMaker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	DELmE_s Batch Virus Generator v 2.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000}\InprocServer32	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Toolbar.1\CLSID	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373FF7F2-EB8B-11CD-8820-08002B2F4F5A}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\TypeLib\Version = "1.3"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83604-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}\ = "IListItems11"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\ = "Microsoft ListView Control, version 5.0 (SP2)"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A0-850A-101B-AFC0-4210102A8DA7}\ = "IPanels10"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A5-850A-101B-AFC0-4210102A8DA7}\TypeLib	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\Programmable	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\ProgID\ = "COMCTL.ImageListCtrl.1"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\VersionIndependentProgID	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8}\TypeLib	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E8A-DF38-11CF-8E74-00A0C90F26F8}\ = "ITabStrip"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\ = "IButtons"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E84-DF38-11CF-8E74-00A0C90F26F8}\ = "IProgressBar"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A4-850A-101B-AFC0-4210102A8DA7}\TypeLib	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\TypeLib	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Implemented Categories	DarkHorseTrojanVirusMaker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\ToolboxBitmap32\ = "C:\\Users\\Admin\\Downloads\\malware-master\\malware-master\\DarkHorse VM\\COMCTL32.OCX, 2"	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{612A8624-0FB3-11CE-8747-524153480004}\MiscStatus	DarkHorseTrojanVirusMaker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6027C2D4-FB28-11CD-8820-08002B2F4F5A}	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACBB955-5C57-11CF-8993-00AA00688B10}	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib	DarkHorseTrojanVirusMaker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\TypeLib	DarkHorseTrojanVirusMaker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	msedge.exe
1604	msedge.exe
2156	msedge.exe
2156	msedge.exe
3220	identity_helper.exe
3220	identity_helper.exe
1720	msedge.exe
1720	msedge.exe
1744	tskill.exe
1744	tskill.exe
752	tskill.exe
752	tskill.exe
3872	tskill.exe
3872	tskill.exe
3812	tskill.exe
3812	tskill.exe
4400	tskill.exe
4400	tskill.exe
1036	tskill.exe
1036	tskill.exe
1744	tskill.exe
1744	tskill.exe
3116	tskill.exe
3116	tskill.exe
4392	tskill.exe
4392	tskill.exe
2364	tskill.exe
2364	tskill.exe
1832	tskill.exe
1832	tskill.exe
2796	tskill.exe
2796	tskill.exe
1720	tskill.exe
1720	tskill.exe
376	tskill.exe
376	tskill.exe
1744	tskill.exe
1744	tskill.exe
4732	tskill.exe
4732	tskill.exe
2044	tskill.exe
2044	tskill.exe
2540	tskill.exe
2540	tskill.exe
4768	tskill.exe
4768	tskill.exe
3584	tskill.exe
3584	tskill.exe
1720	tskill.exe
1720	tskill.exe
2044	tskill.exe
2044	tskill.exe
1720	tskill.exe
1720	tskill.exe
5012	tskill.exe
5012	tskill.exe
1036	tskill.exe
1036	tskill.exe
3872	tskill.exe
3872	tskill.exe
5144	tskill.exe
5144	tskill.exe
5160	tskill.exe
5160	tskill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5324	DELmE_s Batch Virus Generator v 2.0.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	5188	1002.exe
Token: SeDebugPrivilege	5176	1003.exe
Token: SeDebugPrivilege	6084	taskkill.exe
Token: SeDebugPrivilege	5992	40EAAEFC0E.exe
Token: SeDebugPrivilege	5724	taskmgr.exe
Token: SeSystemProfilePrivilege	5724	taskmgr.exe
Token: SeCreateGlobalPrivilege	5724	taskmgr.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: 33	6092	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6092	AUDIODG.EXE
Token: SeDebugPrivilege	1552	Error.exe
Token: SeShutdownPrivilege	5240	shutdown.exe
Token: SeRemoteShutdownPrivilege	5240	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
388	DarkHorseTrojanVirusMaker.exe
388	DarkHorseTrojanVirusMaker.exe
5324	DELmE_s Batch Virus Generator v 2.0.exe
6012	KIDKEY~1.EXE
6012	KIDKEY~1.EXE
6012	KIDKEY~1.EXE
3756	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 652	2156	msedge.exe	83
PID 2156 wrote to memory of 652	2156	msedge.exe	83
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 2380	2156	msedge.exe	84
PID 2156 wrote to memory of 1604	2156	msedge.exe	85
PID 2156 wrote to memory of 1604	2156	msedge.exe	85
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86
PID 2156 wrote to memory of 2188	2156	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Viper4K/malware/archive/refs/heads/master.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbe0046f8,0x7ffcbe004708,0x7ffcbe004718
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17395715461109514121,11828254140375193773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6948 /prefetch:2
  2⤵
  PID:924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2856

C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\CODEEVO.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\CODEEVO.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:764
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\35A1.tmp\35A2.bat C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\CODEEVO.exe"
  2⤵
  PID:2252
- - C:\Windows\system32\mode.com
    mode 80, 33
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4520
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4592
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2480
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:4876
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:1868
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3872
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:4176
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:2716
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3332
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4400
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:1864
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:3584
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:1636
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:2836
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:1720
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4604
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4392
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2364
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:668
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3044
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1832
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2796
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:1200
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1360
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4768
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3812
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:376
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:3720
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2028
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:4900
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:4768
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:4876
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:668
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:1744
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3964
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:2044
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:2540
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:1744
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:4900
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:3872
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1744
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5048
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:2856
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:1720
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5012
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1036
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3872
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:1036
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5128
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5144
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5160
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5192
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5208
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5220
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5228
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5264
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5288
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    PID:5312
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5328
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5344
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5364
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5404
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5444
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5484
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5492
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5564
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5604
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5636
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5668
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5688
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5700
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5748
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5764
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5784
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5792
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5836
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5852
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5880
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5896
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5912
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    PID:5932
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:5948
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5964
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5980
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5988
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:6024
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:6048
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:6072
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:6088
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:6108
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:6120
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:6140
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:1036
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5148
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5152
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5196
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    - Kills process with taskkill
    PID:5216
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5228
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5264
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr.exe
    3⤵
    PID:5288
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr
    3⤵
    - Kills process with taskkill
    PID:5340
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f taskmgr.exe
    3⤵
    PID:5356
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
    3⤵
    - Adds Run key to start application
    PID:5368
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5416
- - C:\Windows\system32\tskill.exe
    TSKILL explorer
    3⤵
    PID:5412
- - C:\Windows\system32\tskill.exe
    TSKILL explorer.exe
    3⤵
    PID:5492
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer
    3⤵
    PID:5564
- - C:\Windows\system32\taskkill.exe
    TASKKILL /IM /f explorer.exe
    3⤵
    - Kills process with taskkill
    PID:5652
- - C:\Windows\system32\tskill.exe
    TSKILL taskmgr
    3⤵
    PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\CODEEVO.bat" "
1⤵
PID:5972
- C:\Windows\system32\mode.com
  mode 80, 33
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6076
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6096
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6132
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:1720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5172
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:5200
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:5268
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  - Kills process with taskkill
  PID:5320
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5332
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5344
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:5368
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:5468
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:5492
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5636
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5684
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5672
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:3868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5712
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:5028
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:4992
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  PID:5792
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5908
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5260
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:5592
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:5788
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5408
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:1744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:2856
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4732
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:1200
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:4592
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  PID:2588
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:388
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:2708
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:5508
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:5576
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:5444
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5376
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:2716
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:3720
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:2368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2540
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:5528
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:2364
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  - Kills process with taskkill
  PID:5828
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:6032
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:3104
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:1568
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:4216
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:5740
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5952
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6020
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6084
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6116
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:6128
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:5196
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  PID:5200
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5288
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5340
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:5364
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:5472
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:5412
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5608
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5648
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5676
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5020
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:1184
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:5316
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  - Kills process with taskkill
  PID:5156
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5984
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5876
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:5308
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  PID:2168
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5408
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5256
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5920
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:6016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:772
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:5072
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:5772
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  PID:388
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5176
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5580
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:2056
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:3116
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  PID:2028
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:1100
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:1980
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:4392
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5276
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:3696
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:3104
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  - Kills process with taskkill
  PID:5776
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  PID:5928
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr
  2⤵
  PID:5952
- C:\Windows\system32\tskill.exe
  TSKILL taskmgr.exe
  2⤵
  PID:6048
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr
  2⤵
  - Kills process with taskkill
  PID:6092
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:6120
- C:\Windows\system32\reg.exe
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5140
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5216
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5292
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "CODE EVO" /t REG_SZ /F /D "C:\Users\Admin\Downloads\malware-master\malware-master\CODEEVO\\CODEEVO.exe"
  2⤵
  - Adds Run key to start application
  PID:5320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5356
- C:\Windows\system32\tskill.exe
  TSKILL explorer
  2⤵
  PID:5344
- C:\Windows\system32\tskill.exe
  TSKILL explorer.exe
  2⤵
  PID:5468
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer
  2⤵
  - Kills process with taskkill
  PID:5608
- C:\Windows\system32\taskkill.exe
  TASKKILL /IM /f explorer.exe
  2⤵
  - Kills process with taskkill
  PID:5688

C:\Users\Admin\Downloads\malware-master\malware-master\CryptoLocker 2014\1002.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\CryptoLocker 2014\1002.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5188
- C:\Users\Admin\AppData\Roaming\40EAAEFC0E.exe
  "C:\Users\Admin\AppData\Roaming\40EAAEFC0E.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM 1002.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6084

C:\Users\Admin\Downloads\malware-master\malware-master\CryptoLocker 2014\1003.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\CryptoLocker 2014\1003.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Users\Admin\Downloads\malware-master\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Welcome!
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c title Page 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5808

C:\Users\Admin\Downloads\malware-master\malware-master\DarkHorse VM\DarkHorseTrojanVirusMaker.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\DarkHorse VM\DarkHorseTrojanVirusMaker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\malware-master\malware-master\DarkHorse VM\fucker.txt
1⤵
PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\malware-master\malware-master\DarkHorse VM\fucker.bat" "
1⤵
PID:3436

C:\Users\Admin\Downloads\malware-master\malware-master\DELmE\DELmE_s Batch Virus Generator v 2.0.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\DELmE\DELmE_s Batch Virus Generator v 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5324

C:\Users\Admin\Downloads\malware-master\malware-master\ERROR\Error.exe
"C:\Users\Admin\Downloads\malware-master\malware-master\ERROR\Error.exe"
1⤵
- Adds Run key to start application
PID:3452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error0.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\temp.bat" "
    3⤵
    PID:4796
  - - C:\Windows\system32\wscript.exe
      wscript.exe Error3.vbs Error2.bat
      4⤵
      Checks computer location settings
      PID:2980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error2.bat" "
        5⤵
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe
        
        7za e Error1.zip -pv7d5fg7v0b0v86gh4j35h8j0k08b76 -aoa
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error.exe
        
        Error.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\Temp\Rest.exe
        
        "C:\Windows\Temp\Rest.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\KILL.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /IM explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\taskmgr.exe
        
        taskmgr.exe
        7⤵
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Windows\Temp\Happy.exe
        
        "C:\Windows\Temp\Happy.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KIDKEY~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KIDKEY~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6012
        
        C:\Windows\Temp\RC1.exe
        
        "C:\Windows\Temp\RC1.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RC1.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\Temp\AWEF.exe
        
        "C:\Windows\Temp\AWEF.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AWE.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\Temp\Go.exe
        
        "C:\Windows\Temp\Go.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\WShut.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /s /t 05 /c "Fatal Drive Failure (0xEE462) --- Emergency Shutdown Initiated..."
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fe0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f8a3263435c7da5efeacd8595c8909e

SHA1
21706edfd94499454ec06c4ad6b010c78c4172ac

SHA256
c6f1170fee1920cd6e0cdbc2282ba60ef5fbdc7b26a6c449cbbb467f6b69708b

SHA512
75cbc59dcfad27bbd32251b70a30eceb5683eac4ccf604bc499e35a148b5c9e2136e10662749f8e7e3b86dd207afed87f53add89e5535995bd95cb4fa223d215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
0070dc2129676a06b45148c131d08f74

SHA1
b6568dde3af21304cb69d3f16644fb00f9d43d1b

SHA256
03a44c785c0aef81afdd898fa9a69121ad62e8791eba73403fff2cb136ed09d8

SHA512
7f5092a0083b331e7ec3b2c3ca31cf6b358dfee66b16d87785604d3e62ee0b066e31d1a5415d7fb74c07601eb349b2342c5322f9a801a414ab9fc77e60195852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
547B

MD5
2b60f3b9cb0a614c589b6384e2307091

SHA1
dcfbaee7be8af9a692dd159940222844c9ad0a1e

SHA256
fe0905d35803b1af71e9cd0cd20312df7d1cf4440e02996b5f6aa799a1e110a8

SHA512
a461e96b4af9285b586cbfe7678c8dd88e47eb41bd2a13938a67e42b26cb657aceaeac449cff562bb649f3e4b075c5ce41453b8d00c8b71c48c1465df15c9d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
823B

MD5
8455682a40f840024dae8cdd36a0201b

SHA1
9db7770e8f81f851403d96b5b29fd41686215de3

SHA256
2e037c41fae87f71601b49bdacb36a306c307f5710fb11dcbaf880854c2e7f2b

SHA512
728717646aa329ff74455f81d6b3a30d28b45dbf0778cf59d596d08f323fb8647e45c53424ec71194f0fa53dc0141085029f1e00f88f9e5209f24d885dc9722a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb87226c1b5ad5d6368710cea64cac56

SHA1
900d952d51fce46d66a66d02936159ebe9db665d

SHA256
f0e2bbe6ff1714cec148da5d9f80a17380c6832f3c6c19ecf9d99eec58db1961

SHA512
38425f5495849c24a69c9ea6b7ec66d45aff7cb863208e9cd0703fb4788b434bb70958ad920a34210d3007018da731d3aba38cefd03e0e6d7043731acc12b246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ec40ed1c81c747ab3a7b189341aea20

SHA1
5aadd9d8e367f9ee911c0b46953acacd6f73f53f

SHA256
e3121fd69f23a2b5068f57319f9c1497183ba1c8525508f820956f1fe3e088e7

SHA512
0ee09a4cfe98dbf8d42bd59be5be988fb85bf1e8f91178d1897a567d43da55d163911a8aef5c20f7350699767acd04a389d48f9266b7ee50b75ddc85991c7284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31e5f55fc073be6f209c39c6538839d9

SHA1
ffb2c1b342d15b99d3f9dc69ab4accfa50297bb7

SHA256
b8e82edcc05c668b528637336e1fdfd245d8fddea44d265f956e5b61eacfecf9

SHA512
ab72cc2a7547b845fb6c71cb48f0100cd7ef4f637da12d0bba36f3f1f4051206f2f3ceb35799ff4c939472856e0acd72ce3d48082011e5ffcf6798215d378b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a926f4bacdfe5f74eca1edb33ad26c09

SHA1
73e33bb2ceeb08416fe8c62859b3bee4122c7b19

SHA256
18c9e157105e3f147c34c41cd586cc0856fb21e7e2a81c8c692b4b7bd228aabc

SHA512
73173f03132bb90d9cf08c0d3fdfe0c144e353430e4448ff93b9357b5e01a9c5bbf4409636e8c423370c6fcd6d21f53f21a73de70a72b814e03ed001f34993a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
0a4f470b091e82da3ec17bc7a68780f5

SHA1
f293104dc204c1cc6b76c89b8d7386b4d45ed980

SHA256
11e0903fe5f9f7c1121d27002967bddfe48e693a4043eb773460c01b0d561f5a

SHA512
68dbf35f4ca7e08e3c063a13210055725251800d7844a0af240f31c8a5f7692ce6cfc77c144f0ef58e34e8c8d4ff84fe95a31a1f7abec5fc19c628ee8aab32fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593649.TMP

Filesize
371B

MD5
4f9c389a017226b813ea7dd8c40dd49f

SHA1
62265dbc76e3239a72061a264de72371fa8f35fe

SHA256
ba6d5fe51411a39697dbf3e90732e57a93dae93c6a5802ac6e2ae8db361e04f4

SHA512
31201885d5114030f2fa34fc85718abfcefcc46b33a11d9ed7e22a37ea165273840564ec5da2c6a451b450c197eeda94ad2d2b762e264cb0b6443b23c0a7f698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
76ee475411157f685bb24d0f9c6082d0

SHA1
6af67e4179a879a0cc0ff2b396b9043ce69241f2

SHA256
f858686be127cf862289904e087a85696969ebf57db71f569e85e78e67bd07f3

SHA512
77a08080a0797b94591dc2720932fb8a8bf75a783195ac10d40c1db93d81fb565298dd8fdc5f39e3816283977ebd768955e5461388edf0492d5ef03dd96f5187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
609c10dac4720d591cde31341f5ea1af

SHA1
805b0e86857cdd5cefaac91c619b13eb751d202b

SHA256
ff684a784758934049f2c6b4725adb7275be5af6a0070223dea2999d371e9b5d

SHA512
b93c7d5927285d4d3ccf7026def3d93360e4f615de289cb62fdae36e617c74ec6137a7feb28a327e0d91e79203b58176927de4274149ef3c47ea4d077c4e716f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78c67c4b88beed115ba310130c26d72a

SHA1
958fe64fb31dca91cb4d219d8649b29640de65d8

SHA256
6775cf0e067568f9b653fb02f24fa1cbc5e1ca0f25b1caebeba2ff7e0e4822a1

SHA512
bd3e7714854bcb71ff97368a7fa2319813ec1865038efa8315d86fa157c2a1e1f224d5de90d3f2881b6e64a0f07f2f56aa60b5533c8215f29620a0147e8a5082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
69113cdb486b9e8ab9b9fbd69ee0466e

SHA1
e7c2e750def1123a44c9b9dab1d2815000a61cac

SHA256
fe41f041d4450f677d2e51fa67bc86efc659e3f305d4c620592f861751682665

SHA512
6e9207982d5fbb26bdcd92dea2a9f151fa1e8479fd80405d757adc6e9a0a63678e3f6fadd5210e6042940b894af324113d0f719ddf600555fb2cca1bf3e8acec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc4f6f63fe37013728c9d5df08cfb983

SHA1
8a6e7d3426eb90f77b66d95dffe4fcfac96732f7

SHA256
ad999b5b4e1c0600a45f33cd82f947bf4cb810cab4bf60c8de852d4da92da913

SHA512
36977c18b841919f9b61b32ff8c241989c559d979d80d0de9aff36d3ca1dd35060cb764696510839fa3fae19171f408e6666d7febcd87a600e652525832e6f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\35A1.tmp\35A2.bat

Filesize
4KB

MD5
235e1d83b4a346020b50438f85e83c3d

SHA1
82d22e815c7d1d76a3241e44a21a7f4c506c1366

SHA256
022435acf50187cababa7f93192ce98aa42b340c9a94e1642413931dc9900ab0

SHA512
c72493445ecaa67b0e2471f142a57f804998205220186693f90301f0c8a0f0f31fad76f78b6239fa929334456a261526e6115d310b4387a39f73e206ed3a8428

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AWE.bat

Filesize
66B

MD5
5dd3fd4e7e9984e9011d8a508dd7ab0f

SHA1
07b86883801bbcc9e7faad6e2c191d2cf850f92b

SHA256
0b7c5ecb0c3df47fd9229a47fd518fc92b774f5352d251579aba9a03d025e60c

SHA512
0e188bce59921eabca59403bee3a70b5c23005ec42cde52d36f3db2439f5a0e2f7b943ea48fc8e59a6ebc0ebccecacd454e544525573943d1e6b267a0cff882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\KILL.bat

Filesize
39B

MD5
ffc0edd6137e323a91d9306f94cb6019

SHA1
365a7cc858bd5b5a47801ad201bcd39a709a5acd

SHA256
a9c5d9647f1895ecf384091a0f45872663bff4397f848655faa98769c76c3cbc

SHA512
9ac7c93d6755d424d8867eded8c57b2f8f662ac6e47bca2d2c81af9a88253dc44d5695fc95ef063e2c076d6fb5f6f444088c460ccf05e3179fb0fa793332050a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\WShut.bat

Filesize
88B

MD5
1eccb0cc6781f96824b92efaf8a82e8f

SHA1
deeb24248ac2ed01f4d4a64b4c715d7c5627cd6b

SHA256
17708d1457e7c76376aa5a541d41a0f059fae75019ed9ea748bd202c468f28cc

SHA512
b163206d6e32d38fb4e8feb848aae88775c5f665ede70bf123d0a67f351cef10d7110b05ef2f7ed264e6fa8058c5f3f5a231859325d52c9b4804da3c4aa94e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RC1.bat

Filesize
21B

MD5
4be1af4883cabd629e0c743c313c8ec2

SHA1
d158409c114e2d1f013a293bf3e4eb67dc390686

SHA256
61db28d1641641998c3d28b7078544fed68671adc3f0380a745666f28d98e7e1

SHA512
2245ef05aa6b1da5f24bbdc1025e0d915d56c486454b8486aee30ce8c7abbe82e24d4167e97267f7210e81b0f9393b2d62ef8ae727ee9d2b93f5dde2b2f78864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error.exe

Filesize
17.3MB

MD5
3f1a1620c7c7ec9505de7f196248ee2a

SHA1
a6fb988fd1b4dc9494dfb71a642a84f5b73e3590

SHA256
f0dfd0e662ef7b7e83eef661cc80e4aa37899f72946bd555980cac050d59f0ef

SHA512
d05371eabf3d3eae009b880a462b2fb46b3201742a8f0a7540dc33390a383607a296a76ef9d7d6f9599b8e5ae22073c7e95296032516b0dd9156d48eb83f5cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error0.exe

Filesize
5KB

MD5
18ca8069b2c58dd295b2acea077b1069

SHA1
503c5a5585024a8d2a33a7e90db308ca99867872

SHA256
62c41fe2ff5bfc4dff587ff2e3fc1004e4b39a32a15f6ed4673318371abbdf89

SHA512
61fdbbab7b235314e68957147fa756a57088690bebe39b87ffd813257d3045cacb24d68307948de325c149be32a599f75e387eedf4f0adf20651b40a6c55e432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error1.zip

Filesize
14.1MB

MD5
0e06cb263dbfe0e4c96220eff6d88744

SHA1
d81d6afb8ea81061aa6ba6673e90f03dc872740a

SHA256
f58034c2038a980a4606e7dda6b456a9c5ef1ea3395788b87034b4971e92252f

SHA512
da11e003a0e95bf3176cb473f91b872f622559d909032ed250dece7bb8bc2a9c9b616d7f7b105d9fbad1cb7c461403c6f8915d5ed348b878e432bdf8b57306e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error2.bat

Filesize
65B

MD5
90299ce622f9429ef648050e7cc06123

SHA1
c420520ae1b275074627a66085d4f794ce925360

SHA256
c6555f882ab4fbb99b363c3919e99edfcedc83ac100568a41add4e50e710cd39

SHA512
013aa82297e605c67737c52717195bbc7151de3e5414602b672fd5fcf345c32a0feb92258fa84575d260b18007e256fcbc9b1ef588a6d6f29a799b9f2a8f94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Error3.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\temp.bat

Filesize
35B

MD5
63e31e8788487732bf544c260ad6f55e

SHA1
bea39cd7425c89f3d1e84abc53947209e49bfea3

SHA256
a58c9b0b1468f10a68b734b62755f17c1a6f41649b5838291b6f71327a70b966

SHA512
cbe52a70a62d21037a51e3903a0800f4301c2197066d9b6bb36fcef5e2224f17aac41b9a8f452eb3db93b4eacf61ae381e75d3911a2d9cffa750c30526e12e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KIDKEY~1.EXE

Filesize
1.7MB

MD5
1a0712f6681c543e2dd0f631b12d5fda

SHA1
a27bea17013bc8df08848bc0439971682f8b1def

SHA256
d64394a86a6808cd2640e6aa6fcac2d93ac594df892c40bbabf9f22f20932bd9

SHA512
8f82db02ac363e3f2dce26655a2d144df07fb392c4083b23041e98f1a5d34928ca7b835f8697c6b4e185428f40c6f9cbd00d45b79ed237051c1c694281aaf0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kkl_dll.dll

Filesize
37KB

MD5
2a2db39f90bfd2ac0940d4eced0805e4

SHA1
6676d817c86cd2b81f6013296006c20658ad839a

SHA256
6fe292926562d03839fc54d378f081bc5b773ccef7c355a0a96162b0c1697763

SHA512
0f72b5ef9efe43275de72bf2dd61db1cf3dcc330e312f576a5b48a2ca6c7bc9d717be8ddacc12133ec6306a278f3626f9d6f3554abb36d8c64ea2b187ae14596

Download Submit
C:\Users\Admin\AppData\Roaming\40EAAEFC0E.exe

Filesize
251KB

MD5
829dde7015c32d7d77d8128665390dab

SHA1
a4185032072a2ee7629c53bda54067e0022600f8

SHA256
5291232b297dfcb56f88b020ec7b896728f139b98cef7ab33d4f84c85a06d553

SHA512
c3eb98e3f27e53a62dcb206fcd9057add778860065a1147e66eac7e4d37af3f77d2aab314d6ef9df14bf6e180aed0e1342355abaa67716153dd48ae9609ca6e1

Download Submit
C:\Users\Admin\Downloads\malware-master.zip

Filesize
47.0MB

MD5
5eba758ab6c01a378d8f67c30e327cba

SHA1
5e0040767b9093e337ee6384f8a2830ddf2a0f76

SHA256
5d8e8e31e5529bf443f5d654a21bc0ec836520348ee91b185eb1477d67258bd6

SHA512
e4a8b7760cd6e8f02ae54f9f3b0b9980a9fef6a820ccdd1a5821aefbca8469887c33e346ea216575ccca003aa0c85fd51b7317a0552124dfd8c29e469fbd3d2c

Download Submit
C:\Users\Admin\Downloads\malware-master\malware-master\DarkHorse VM\.bat

Filesize
27KB

MD5
a7fa60fcc15c099411e731692ce407a2

SHA1
358ab5900db46be09cc42f3bf84189bed9bc5405

SHA256
b91ba3c712e5d347f28562cd24edd79f74a019cef932c151c88b534ea2e6779a

SHA512
7e02d5c9a90013c7f82958cf36f9125f35e180c7d3e0740f3afaf40fc789b97c04c58a83c2d60f53ace887fd2908237d0e0c1659d60138e4e6497e9f8492906b

Download Submit
C:\Windows\Temp\AWEF.exe

Filesize
57KB

MD5
a2953a06d3fdcb5d7eb7a965be574e36

SHA1
83cf03a4fa15d4a4d5920c8605b027090cc89d67

SHA256
1a19ecc04220ac85cc6fa2689117ff5d7519e77a375c0a68fb770c0416ed2b72

SHA512
2b18890c8fae202b60b0415aa14e7f0d7b4b36213fba04de00742ca7848a5dfa518fe787189c1f13bd9cb72edf40d93836854164c0a630a31b51b9dfa60f6210

Download Submit
C:\Windows\Temp\Go.exe

Filesize
57KB

MD5
15932939a6bc7e05c7952181ced896ed

SHA1
2a6ccdc66ca80b5e2b25af0d470827f2a388de35

SHA256
92dc3ddd5e27f90a4f4c48a1dd27d9754bc4cca791ab5571dd5ea932a61b7e6e

SHA512
d8e2b208f392089d7b2f843a8511e41f937328df6b54e8b8ec927f804b511470983dfe0b2270ea81ae2569fed4ca035a7d419600cad2e7876cab3b468423f789

Download Submit
C:\Windows\Temp\Happy.exe

Filesize
659KB

MD5
d18b54090138552099e17c45a7a24e68

SHA1
01d1b273eaa3d5474fdfd8d4005d35d4b8ce7e73

SHA256
6383840b39513dca71e09361e9b5a127d82949fc4fd71e7ee9d93586310bd265

SHA512
f205933a7545cd4d367c99bf2a79310a82c6b0766b39e750be475f6881d43877658b60542b93151c33f27500782368620dc26e042fa167eefe759e7f25fd8449

Download Submit
C:\Windows\Temp\RC1.exe

Filesize
57KB

MD5
9d8eeb4e92dbab27709f8c741d2489d8

SHA1
abb19df742081fa8d3a66459c5c58e1b0c060353

SHA256
e8d8ee855090d4bd64a431dc904f0c7ae652334253befb0bf9284737396a1289

SHA512
f9fef63f95188ab52413a2899a2e60371560cc424920dbc7ca68b7c980e41e2e8c7b21af83bb2ce66c0718f523c779c411e9a16c03a93539f7c4fb3cb4c1ebec

Download Submit
C:\Windows\Temp\Rest.exe

Filesize
57KB

MD5
bc8541cf78672c468b46a50485189fc2

SHA1
1532ec525a98c94f68dcc88b9c6280bc9eebbf42

SHA256
9960c300872999da79c1204b863e78f8375d58ebe1ed34591205d29d38cae669

SHA512
251709d2372e26d1e8dba8c8fe81aa001dbd53434cd4db770d359d14922361fea644a319fb28c059ee676f51d7e231f73624e1f929586b534a51754807c22cf7

Download Submit
memory/1552-783-0x0000000000640000-0x00000000017A0000-memory.dmp

Filesize
17.4MB

Download
memory/1552-784-0x0000000006050000-0x00000000060EC000-memory.dmp

Filesize
624KB

Download
memory/1552-785-0x00000000066A0000-0x0000000006C44000-memory.dmp

Filesize
5.6MB

Download
memory/1552-786-0x0000000006190000-0x0000000006222000-memory.dmp

Filesize
584KB

Download
memory/1552-787-0x00000000060F0000-0x00000000060FA000-memory.dmp

Filesize
40KB

Download
memory/1552-788-0x0000000006290000-0x00000000062E6000-memory.dmp

Filesize
344KB

Download
memory/2636-799-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-862-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3376-1060-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3376-1052-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4580-1032-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4580-1040-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5176-131-0x000000001C3F0000-0x000000001C8BE000-memory.dmp

Filesize
4.8MB

Download
memory/5176-130-0x000000001B910000-0x000000001B928000-memory.dmp

Filesize
96KB

Download
memory/5188-132-0x000000001BC70000-0x000000001BD0C000-memory.dmp

Filesize
624KB

Download
memory/5188-133-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/5188-129-0x0000000001350000-0x0000000001368000-memory.dmp

Filesize
96KB

Download
memory/5324-619-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-707-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-631-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-741-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-593-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-592-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-564-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5324-730-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/5404-154-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5404-145-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5644-860-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5644-826-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5724-856-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-854-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-855-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-853-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-857-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-845-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-846-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-847-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-852-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/5724-851-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download