crimsonrat | hxxps://github[.]com/enginestein/Virus-Collection

Analysis

max time kernel
155s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

10^/10

crimsonrat fantom defense_evasion discovery persistence ransomware rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ZrydpkG+FUHUjAOn84NcqFEQHy1sBnFL1mEDj4i1sRB66MkffNA4vaUtE84yJ+fvERcg6xuANvvrd7F3GIKzlGzcWEL8BWSzpZ/YK8x0bNBqxaGGQ12io7wXG3AzvXFY1jlvBmGEwS5L58wyrc5vYC/tYkEtxlofgC1/jpJwYw0Qt8dxSpFJUc9zcM7bXEyn6doPsChxGvDkom44R3Bmzx2Y2tm1WEx8kwEQQPWAnOaaxCExXd+OqkR1CVc/G9RSnKiekHaqXPbLR6f5qOC3qtfrMap7sYRuzGDO+11By3jjgUeLohiALQICfFSGabAyVHn3AR1NkRHJrS/2iJA+bQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab59-256.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom
Renames multiple (1019) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 4 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 3 IoCs

flow	pid	Process
29	4812	msedge.exe
29	4812	msedge.exe
29	4812	msedge.exe

Executes dropped EXE 10 IoCs

pid	Process
4376	CrimsonRAT.exe
1152	dlrarhsiva.exe
4156	CrimsonRAT.exe
2916	dlrarhsiva.exe
2768	CrimsonRAT (1).exe
3200	dlrarhsiva.exe
3852	Fantom.exe
4852	Krotten.exe
2684	Krotten.exe
2064	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	camo.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-30_altform-lightunplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-24_altform-lightunplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_4.7.28001.0_neutral_~_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SnipSketchSplashScreen.scale-125_altform-colorful.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-256.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0BB40DB1-C717-4CEA-AE59-3A7966C9D89B\root\vfs\Windows\assembly\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-125.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Merged\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-40_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-32_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSplashScreen.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	Fantom.exe
File created	C:\Program Files\Java\jdk-1.8\bin\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\KeywordSpotters\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsSmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pl.pak	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\NewsSplashScreen.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 12 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 654845.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 423232.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 526963.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270801.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Backdoor.MSIL.Tyupkin.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 674186.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4812	msedge.exe
4812	msedge.exe
352	msedge.exe
352	msedge.exe
4020	identity_helper.exe
4020	identity_helper.exe
2648	msedge.exe
2648	msedge.exe
2420	msedge.exe
2420	msedge.exe
2476	msedge.exe
2476	msedge.exe
3148	msedge.exe
3148	msedge.exe
2088	msedge.exe
2088	msedge.exe
4848	msedge.exe
4848	msedge.exe
3872	msedge.exe
3872	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
3852	Fantom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	Fantom.exe
Token: SeSystemtimePrivilege	4852	Krotten.exe
Token: SeSystemtimePrivilege	4852	Krotten.exe
Token: SeSystemtimePrivilege	4852	Krotten.exe
Token: SeSystemtimePrivilege	2684	Krotten.exe
Token: SeSystemtimePrivilege	2684	Krotten.exe
Token: SeSystemtimePrivilege	2684	Krotten.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe
352	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 3160	352	msedge.exe	77
PID 352 wrote to memory of 3160	352	msedge.exe	77
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4824	352	msedge.exe	78
PID 352 wrote to memory of 4812	352	msedge.exe	79
PID 352 wrote to memory of 4812	352	msedge.exe	79
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80
PID 352 wrote to memory of 2136	352	msedge.exe	80

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7fffeda43cb8,0x7fffeda43cc8,0x7fffeda43cd8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4376
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1844
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4156
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Users\Admin\Downloads\CrimsonRAT (1).exe
  "C:\Users\Admin\Downloads\CrimsonRAT (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2768
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4852
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,976233551481288872,3741574577910369568,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
8fc1ca13e7c9f7f35d0213eaca4ca891

SHA1
bdb355f6553b1e8a9bcf9d702abc787fd24b823f

SHA256
a5d4a19f7d7c91a434600d6d247611dea1101024afacefbd1abd3ac053f5f6e4

SHA512
04399d6848f56808f434813afdb2d706f6c5871fafbe398d75660c6f33f85a74e233eb81f1bcb035e67ecef12cd067e79465ffa07dfe502a904297a7237addbb

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
2942b392ef67154b6b227b0719e8935f

SHA1
e8396de93dce4e0bb3e3e3e8f3a02cf79b6b00d5

SHA256
53a393ca9543b22a6433ba57c84df9374aaf6c2a2f27bf074477e8d8a148258b

SHA512
64025e49c1bb1772f4e434b6b036106ec0a3dc3412933f16a4d136e72ba2a483b56433f6ea52d9d56d79201e781e95638da462d5c858171b117cd4626d382b08

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
44868e5129e2f390939ca512e8a03903

SHA1
17180e4a2fe469d3d42cc5081dbc6d45f6064963

SHA256
402d9c74d83f583a0f13f921fbbfcf8c9a84fb784ebba2ec22d4cbefd3a5c3cd

SHA512
72a42c391f318d938edb948752c1320fb90c3124cf9ce1d49c4ffee5ecfc45f6f1ebe41eba9bf26ffad978231d0f7acd0195423173c17b55fe41ac4843cd95ff

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
48df36f730921855ad15f9ad4e1b7907

SHA1
d639ec463b6b7f32bcf86bfdf065f5a27b05ed51

SHA256
37757a2ac893eafbf87cf3fb900cf4caa6ccb0350afd86283e0bf81014531ed7

SHA512
bcbcb44c0ce51921f13600e38cfd0436edb1f90fbbee970207af741b6cc20317154f1bfb4537361a56ca80da64591e50f9d3118bc1e2ec1865ecb7539fef274e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
6e43fbf269590a975858c1628e4dec4d

SHA1
ff439f2f6346d1c30abd9813eb03bbfd2bbccb90

SHA256
00eab6af0a71b4b52c5c07ffd992708efa1ac25380efc10eca8c1ad33297d0c7

SHA512
b97986c2ca154b43517f31495d6c8b5fb440940ac4489a69d792f2d7deee1331793c8067e726458524771b30a796fa182e76f54b95d8da28f4e7d255415cf382

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
9011d749830eaaed10c6db9d86e7376e

SHA1
0b61f106dc5de6bd7ff5a6856c8e9c1fe1e9d4d2

SHA256
42e2e29f468185d20fb47b83352dd804fd4a561e3e4913219933aebb177a74db

SHA512
c049ba3449f30dfaaafe8a5864c915e6c2c60077e574fb48cf541429503b8455172324c92a8f0c29bbb1edd2cc1adeb9e9acef4f902399ecc8f298e9553db053

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
573ce973861dce39b5ccd6e66bfc0bfa

SHA1
7a0c56b701bd700070ca094d466151e484d2bc99

SHA256
e762bbee4e051469b9fd619803c93227f4de7991fa3141bfc1974441cd8018f0

SHA512
b70f8510430355cd4fbbf69326b206bf4c797b68168188de7ad833b866ac5a3ce406aa2be8c0eb6d0b8bea8c787402ba6995298bcc7e44babc260b952ef9c0d0

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
44d71f98cf23b6c7c39dca6061c8a2d4

SHA1
1ade87ed78c275a5fcf72f27c834616978100e75

SHA256
654c3570f892c4c8b2a304075c1791d672df14879d97cd7653ab119d36bff17b

SHA512
c92c4c3b71c9541794f53c9ad4eb486675aca9fc81f5e9af77db91c26d7591ddf4c701a21bfed3203ed8777b61347c609841d4c453db1ff1a4b560f4ceab4d08

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
d4bd993659f9165c1fb6f39ffb1e6276

SHA1
c0ea0f31b1f4584b79071c53e3942caddb5494ee

SHA256
1bc044fdd4fb5b10613613fdc0c27d8f09e29d427985f0f7cf22b1a9608ea260

SHA512
7e09e764338e9038d230ca0ae2c1f600482a17587ccbcc97457602f6b6e141ea438a06d18cf6040d317e6c60874a84a11222e616e80ed2bd3cc3de9baf14d24a

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
a136a50e215f068a196e5a93440ae00c

SHA1
8009e51241081529bd8a292b9d59aca1dcdc106d

SHA256
e054c4c7a28e4c8f075a1902ad3ad065b0ff3ecd06715dccc1b97337ec70fbd5

SHA512
1a1184b59d14b203fefb479b892f25b7bdefea42c23ffaa4ebf8ce05420977f9d30701d615e2e611d549e1187c4c5fb9c15794481fd491952e21bd9f006b439e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
f6dcad12eba9ca2f646b4024686d8215

SHA1
dd851ca7e6f634f062a6c85eac148d517d4b914d

SHA256
e481e84d06dce9ebdda469bec9e2efc182f71eb3d55c5a24a71a6902c33af0dd

SHA512
8678fc986098a8c73db15befc5d6922bfce6113370f4c5483a1f9131aa8f99e3ca09df934fa014fb4191a3ddea6a895dceed0dfed041d994fa971d4fb6ded1e2

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
b0ca106d313fc68ef5590d8dcf20e851

SHA1
8cd73ee10aaffd80ef22f9632ba7130df0173074

SHA256
9f18962eaa2d58e845a30c64491b0641b8590c0f31ea0d8300c38b1e7b9bae8c

SHA512
da94090993434b72466828e03c12ec772309810ab40f890be2299b705f5518b232d8f85f3de8297dd1fe4fa709568c610321e6eacce681eafb61ae84367be25e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
ed7a05242b4553030654d2c15a34b13c

SHA1
74b0610b20a62eb82b6015ba606b3aa006d424b3

SHA256
c2654b6583cf384b6e68052f2ddedcc1978420814e4354e692c9b3dd26aad77a

SHA512
7619ae7c919745c8453e470d6ec9a50c1c5ac368be123cf8d7c3fb35c90874d9a63f9ef944b99dfe36b69bceca5b622b50ecaa5bd7e43b643f2720562f39f6ec

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
4c663ad447c64eb5b3d4214fad07d5a8

SHA1
d6b6e50e6cb98ccc3637f83780bad589a5c05f5b

SHA256
b4b845097ec905b36430978f5eecfb7c1812b2aa3a9184e561aedcbf40973fb7

SHA512
9ab80d32d45ec58fac1a66ac8173e72293d7ea2889a08c5868f3f461d6e700599d1e164b8181b58dd4e712f8570cbf7febdfbeee994ee90a2193708b7e49c0d4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
7744ba3b98f081745231f7e624c290a1

SHA1
779a13f0a4f282cc3f05f7992c7ca14b8187f526

SHA256
5ea8ae6645dd97d0ed2f685356a284e1e8af9f23c55180bab79507fd42370455

SHA512
c86bcffda715a06180e5c760de71a524437b894004e0c34d3cde22a5e114d4ddf0968335750b909467fd9a2b77689f10f877aa56c6db12adb7fed4b773d5abf1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
a4bb18b9b30cbb949ed655d66543d3bf

SHA1
dbcb62fd48bebf561011b3d2ee42175622d853b3

SHA256
8d03adf8b738c07eb2931f5f74aecee780362d0a7005913f57e05bfa2e3be536

SHA512
47ac66091f6b649178e854a771f9df66c82d6dc2566e84060038805615093e995677f63125d3e4c09e666a6b8be08b69e835346b8d12ee3a7b481e9486340bba

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
4b99dc821bab0967f7e4f1f61d3481dd

SHA1
4b0f6cd8a163f24abb20e7f66d7d77269de6208b

SHA256
0795c600e5a2a37deabb7779df9e0dbd48d5ea7bf7c1e286a4347b81478e9c45

SHA512
0688dd84204b91c1c9837da81737d15840cfec9fbb46a51acc8a8c0f56279df76438e35155a5587208b5cf0a1998b5d5abc48593d06eac07c38c76ca362e23bd

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
c0fd4e7762c6dd7fb494f4eba57ef2c5

SHA1
a44a2b8486c09926f528ef653d85ce4a0df68efa

SHA256
535f4495010b583839e39721cb2305f826bad212ba41145574c637f7a6aef390

SHA512
90673ca40db4ba4220c347e5169be032398d34a09e5d1182a44227f5b853e0554a34d012675f4f5e33ee8c87d7444bf1b6f8c5722c3703ecc41f773f9a6a6d7f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
696e2fd3ba3d29d250cab1a4a18b2e35

SHA1
1983c6b452116d61fb878ccfb59da6dd115e300a

SHA256
70795d0b82f629c65de1d4a2bd6ad72901d74d36487815daa7621fad11529d08

SHA512
e6a2758c370a4e719eb0e7f68ce7bc33608a5577fcc02997f96b05e93ace2b5b753c73d2aa2d245b551357e8b0dd695b3298b2c4239ed4e7c23be969239a0c92

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
eaf9a7fb48252a4dad02291ce534cc77

SHA1
1215f7f5330b24d87d14152776ae99828ee175d8

SHA256
2820091a2210a460228edc6657672ee69c134e6ecdc2f89450e970984e6332c2

SHA512
1719c2820d0d2c6a82f7060e292c895f3e454936cd3de24e1a0c844f592eceff7c2c3e3f3db11b3792fed2bf6b01f05f27e6eb4547f4ca3036c33aa1f100b96d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
05011928d92a994d5b552f6741349290

SHA1
823178e3b97c5365dc13ce37490166611c068796

SHA256
7e7317c760976220522e2af6bad3cfca4e29904d83ea95d1bbaecb7e2a449d34

SHA512
7a29c19c82db218b9c078ba33e9b56074f48dc1dce71398b3eee36cc1dfe437ebb053f06a54e911599dfb8874249c0312609a3f1834a64e6366179e21b79629f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
10bfe136b2f43a86384188330c864fa7

SHA1
d46d0a8912368eba26ed97498c333db42ec28ad5

SHA256
bb50a31a20a8cdb94c608b02bfdd590c7891d34d83c78f7898a5d6f18a9346b2

SHA512
f68c74322abe82332db1abfbc326bf26ceb3db258de09b384428002ac672fa5a8eb5a18aebcf8043f83473ef4c730f8e02e6141745f8bd757dbb041463125b7d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
be0c5e39451c670a44aecad0b623e270

SHA1
b6ec7ced9b1017ba7edf0615db7bf49e804b41f0

SHA256
959659f87e5ce783826b02e0c93b745e5fcb5532c344dabfa6b3ac8950abffdd

SHA512
f1908f2726b55112f91d9a63db0942e5662f58f7fa7dbbb74f9647653bdae3e3268d023a4d26b2acc16c3cb3ab0c00727f7e8cb34456349cb0cb17094459bf82

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
66680390034d12391ce6dc1b4c4aa8b5

SHA1
6e723694e968c2fdedceff5a443d1487d8273b25

SHA256
fac8ec8545cc7f23a362dc36306e02014544b661d0b8cf4a2f500cfffb00f724

SHA512
24e7492d35a73746ba4853c21992d0d674d44038a6ea4f8b83109d1228528fef6a6425f538ef1bceb51e3722280708957c856db43979e01b27782fedde9809db

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
08a282097fb965dc76bb892ee8da4c8d

SHA1
c883d68a1fac2e38e1a0eb1be680e3b932bc0e63

SHA256
5ec23c165ee8ebb8d9d1775275c3144c7634b587c64879907363105801d6613b

SHA512
07aeb2f1b47636772203fed23c5da48c09138e91a81ef1b77676fbbecda21f31d8cf7c8bd074951a085af62fdbbbd83100b936ebe469f593c7d773a79a2eb1a4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
f13eb456427a6a09a2fe138b274ca161

SHA1
f0b04021bc2ff099407a174b3a96c47c654cc465

SHA256
8c90ee5d4bf90dece04ac82807b5849e82469e6e8b5e53ef80ae89ad89482239

SHA512
bb7565eca7ea53e1b8b3bbbff9ed0e990550e3fb5b12c83445b26bec1ed9c668ff356b2127a9f69bb629e9b67814c4b77275f7396f57ac5c6883749c2fa8dfa0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
443731c25483d9b99784bd40994dec97

SHA1
a6d5b247f7925a3d3c6ef3304473ce54fce496cf

SHA256
5ff2593346597edb2e930472de42b5cb0d6dce36ee8aa2d952f2b260f80bdd04

SHA512
451fecc1e6be6e51868566d8bfc6acb534d5e48977089b9a1a88dd1d1d055fab28ea3267455587b0297400fd742be4b897ad70d27cf231515d3d41ec534138b7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
6f13c013c90a92a8543ad7b3eb1160ae

SHA1
88d7696d2008e956965d86667c757cce9499c7d0

SHA256
3b02cf1704bfcf3fcf281b0bd9cc791c1583ab8879cba921359f7110a406ed55

SHA512
748773c6f0362694e2390e2fc47c5bc25a85e5d2bf69afec8afb5cb4965fcdcc07f0b87a9fa33aff2cd9842cd69e20e8df7597c70f08d52e2baab54789dc5d53

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
d3e00f8c3b887325438799105476b791

SHA1
2da8b8d070567e6a10b0f5d3e1eea16c114c59b7

SHA256
7d619aed978a4ebca13bb38a4e5f7f5941350bb92096474710e4dbf3ec657ad2

SHA512
c2ecfff82fe70942fb71dce6a9e6ecfafd40192f0058f63ced39ca4895a2b5d96fc8f7ca3dff23487a40dbf9ca5e662508477ad93b0070c24827d44e64e0e770

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
bd6e860627e990560e38f02f265e5a64

SHA1
87fca6150631fe803456e8c867077d9549e6d5d2

SHA256
b086e9fa04170906ec399cd7217efa48f68ef19abbb69d2b8cf2f9d6c7d52ca6

SHA512
efca0bc92e989afeb431a26455bc4c37e6c1090f63c4ba5432246ac657613e6cd557b1255df6690992bc1c0036b1801fe74b35bf4e0172c4a3a918a35dc5a862

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
e586067519072c5a53ceb2f95419a5a1

SHA1
c69fda30da14408a24d67524774c959e787e2683

SHA256
8a361cbf3be50e7bd83d6c59a0da5f3f07a6c644821c956cbc3479aa04692280

SHA512
5b6f8a426caf9a3de5016f775414f339124524f7b2f6b4d18038d05787d53ae0050d8abf081aaaff08f37e99e28e26c7139b357752b3b0412d3a8e4355149457

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
22dd232e4baa702237cd399713586584

SHA1
5e7c607a613daac41681933433627eb812b4d3c8

SHA256
eea1765c1ec954c495937a8b47bcfbdeb8b30d30077a8e817d0fb92cc1889ccd

SHA512
9c44aeba2b74cf427945ff8ec6ac5ed48fd1f7a361c7cfbee75f8da462dde58a636e01ad26d8c0a76d0ccc28134f8d78ed97edb801aadb419009080df5b50ae9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
0e95ff110c2398b5ce1fc19fa4921952

SHA1
bcbb042feae5abc2d55e9cb001722f626b1919ae

SHA256
89ec58c8c96bee3fc051a0bd7f805101671e602adae5aa3266003e7eb121955f

SHA512
d772f07f10784710ca3b145939f09397514d448f6ecf232b4f38af2f5b3071cbfeb8b454a312f6c1c561731d5d0309d70e94740006b13d0ef618d58bb4785e13

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
725b94ce4cc9b3b138556c6839b06deb

SHA1
54aa118bc1038adddc8eb55a243ce732cb82cd7f

SHA256
1fa7bbb5f289de3e1e2be6486416d28cbcac7ac22740f974887a68c89c9a9ec8

SHA512
739809fda92fcb9e2d7ab5a9c634538d7590ceee9c174cc9c742643842fa975ee9b6d47ced102e91f41cb52332f552eb33e02d29c118c58f357db86618f2adc1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
3e257cc5a73e475898eee33baba0c1ab

SHA1
34f8181c19588ff71ea365d01e4727099c40d007

SHA256
77087f2dae2b73f44f6c52392d3b99430e34f0d95deca4c271f4c01fb64dfe99

SHA512
dbdd0fdda85d77e50356d3338aab70746cb2d74dfa01ed8c4065085186ba285c37832a676d7c499056ff0a3610184a458cbd51c8ec35c4f7c0914447fc1a466f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
d8fb3cfaed6bd5942d508220c6dfc3e4

SHA1
6a6bc35ebd7c074991b2c5ec3abc63f511d9a263

SHA256
35b5635fb3ef258e45ea0a229a1c098adda868f0c6688ee719bd4a091240beaa

SHA512
8c9f313f4d367c7a66bd5973c66807a08bcbb59427bb5fbabd65879fef21bc544893d00692ec2c9b4fcfe4ffa8f48323dc8e42868bd055e48b59e71fb77d903b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
8e85e3544f5f6aa4bed92b8f5b53796e

SHA1
3f5fc49ea1bbc8c5f29297d684266b9ed8be3007

SHA256
00a8e3fdc223e32c621fdd9c530322665312395e73b98706efaece9d5243579a

SHA512
cb7c907f0b1b230a4ef274f360b4a66cdff1075c860d01cafc0261c7937b7b313e40e0b7217cc08c519efb55347294b75753338c07b8c3fd2b2832e8851b73d3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
8381f192f1f2d03fa75529f8926491a3

SHA1
572c67e93ca65edf31b85bbb3a5e3ce052ffb985

SHA256
3c297944a667d3f446c27c5bd0e812bad8d5552a335f8ff2e9bb10f1d13c6347

SHA512
4384ba3d0e13e5ef469939b0d6f83c5da8b152e29ade10338b63ce791380207fca24cb61c5b697d972bcdc69dbd91f978db2671f03ccf8e917ba6fa77ab829eb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
35094e2ea1c5cf35e31c7fd49fefbe15

SHA1
c4691464884375f80eecd11c00750291ba00cfca

SHA256
bce5f1995d10aa1efaeed84443623f368bccd022b6187f143b526fafcc4d5018

SHA512
8af02e740773bcd56fa482995bd32448002d1c4d06c7330d367336cc74e714a5bea3fd4e834014f2f82d143f61793118327bbb509644733e4bed547f61176d72

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
a19cfcc2a2f0c88e0bc7b145ffcbd849

SHA1
95efd5b47b605440d307c8c03ae529c3a610ed22

SHA256
d0376763796fed8872aacdcb9f27163394ad8f9b47378681365ebb0058e19368

SHA512
11641be79dc9404cb373edeab8887ddd27e5e0bef25e5025423c00aea4141f7444cc1dd8c99eeb0c363b1ce4b5c87a8056c1bda0905a4dcf302b193ce2517339

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
9990d47a7dcbada1676af8d06a412d08

SHA1
47c58dabc8f83a9c66a0ae3d53c935558c7d9d93

SHA256
1a7ba28d50fe9b8be87ba845ca62b9572d63e056c5cec93c104b3bad5c2808d0

SHA512
6750bcd6b0c289c6501700262e7a329dd2b2a2ea22724cc48c6db1c310c81a841a79cb70c860cacb37798a3ed477a2079ef9a9500685dae94bffe0b48eab1660

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
9b7c86450c454274e220220c15e02aaa

SHA1
4c292b780121e1fd68904a37726384c486c5eab0

SHA256
db8be38621411ba37941a6032351479826f387a976b9c97e64ac5e64266fd8e4

SHA512
f9114ee1f972fe6f470a9aed516d421e254a8080bd19069f52cc1d962338c332793d5baafc163966f3be6a39177d57e82eda77b0d4aacefc7b0258e68bdc2a95

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
a482edf0ee061fd1f6650ad37f819c1b

SHA1
db6259462a20b2c409fee042293378ee3fd231ba

SHA256
a4a4af62ccf1cfe777739b15e44a30379dfdf4d1477516b1d5aeff149f11b730

SHA512
07b260a84c182e8b99a052de62ceb941460ac0f0698af851c7c3e3c576b362e93f83f204ee51ef355e266188218b6f70be62e03048d96cdf40296950516e14e8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
6c418de29cae42ff7fd42fec1f4bd04a

SHA1
4e20ef481ada0071e8b1c4cbcc739910090cd948

SHA256
4069c4d93f86f67c74d5bfe8ee2303de35b8b16cb15837d2660e075b82f1560b

SHA512
dd32c28b9fb043be8fa6bd1f70a176ae382a4bb976608ac96acf937c770c2deb2ebd9b5e8d14aa31568ce93bb4bd6d62f2cea8107a123c9a9a5d8282285e5242

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
57fb570143c4880ade61dd4e94a1322b

SHA1
cd41d43c56cba6536cd6b209fb9fc46863986ff8

SHA256
d8f723b036c1359b4e9a34a8e26495618acd898eedd1ce11ee1b7498258dd5b7

SHA512
e9bab1294404d116daf4b2662720c0ce6fcf3f005f2dd3deb13e46210e2266cb17ffd1334b931a6bea99ee6da1486ff71ab84dc8adc06dd41d18b891ef1f9b1d

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9bf90e6b-9e05-4cd9-aba8-6aad5d29dc9c.tmp

Filesize
1KB

MD5
9ee90471e8fd88988de618e0ee207bd8

SHA1
9384041e08d24f28682826e5ba49966975c9f130

SHA256
df85652e27ed1c0829520416481a200340bff0e3e37cf26210acbf63b18dbfac

SHA512
0f6dc1f3f317d47045fca8a130a5517988eccfb711ae76597a11a40a6651387decf09e664afda01e25dc5c4c1b855b891828df40c0621545df9a468f2e4c48c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8272de7545874741a837e1168978c836

SHA1
edf23bb8bb2e7646b3f0cd7b536ff7c9630b66f6

SHA256
930a43705b7fe8d7fd015c8cbbfb9c1f838b9429b277d19e7239e6d05c89741c

SHA512
749b3f507c5593bc9ccb0c8ddb3b69f23a40fdd1dacbba56fb4dac084decf05c0ce6c8e7b248fa9dbf99b11314bb5cd36960e20b96cac56363851a96d5e436a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
eaa41e447d34ee9c6bea6cf1ecc64ebd

SHA1
a2a47395a06103cdcd85d3f247fd3b55bbc44d3b

SHA256
62b4fb5acfee3d2deb0d1390df26172cfa2b5a17289541d7e7caa2af7c5d379c

SHA512
5cd96c25eca6189037a78cf9cf4fc93771bd939420c27e9e6fb0144c3c738d3b6c1d69bdfc1bd98c140a40dab0cedee34b37adfed69fc79e5a8c601140376844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b0e7bc7bc97038463f5bf2136e6e5d22

SHA1
0031dbe64cb068cc603f1d55800e6716570ae5e0

SHA256
f60737847f7b196fe819662e1aa2470eba904450f7884c0b00c39f6dc155641b

SHA512
d7322ec54427d55ce9803beec050ff79235ecbb8be3701d1593fb9ebbbdfda319f885a38699b56d0ddbac6bedacfd008151200e0ab0cf0ce16097de7bae746f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84840fe017578081f3529397eee92838

SHA1
8be07c23785a5c40205f713b48dee88306e8d676

SHA256
1da61c453205a6a7d0b6c37352e057aa56abab34707fbc11d870a906f307f3a9

SHA512
5f858a9852d792f413899a72dbcaf31a3c3053ad0a6459bacb0e56f5d6a3601aeff4f5a518d8fff651b9f6bfb5cece269de7bf9fd08b97d6289ccaa951683054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55ab98b31a43c4ad50a6a23f7ebfd951

SHA1
d67d76ad62a2931f4e0243f4737c367d9337790b

SHA256
91882f4d0e45758298ede259128c413ec3f58692553af4ad5588062d6c09f1fc

SHA512
da0c7afbdacd9845d2a73ba882d4ddfab7ce9738c8f3ab8624a66779f3166b29842a3f6030bada588be17c80d95f024486fdfa51be8b02e16df3854fa8afa21c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3195d8413332b74f99eea43e19b1b30d

SHA1
3bc6eda2f39b6c4c0fce7bd4493c10061a36ac14

SHA256
e2e7e98c8b2937386b2fa72a66954e5f479643cf173f46b1bf6382a350405fc9

SHA512
5a933456a801e394562e0c9028d3cbd998d26e0c574bcd792df69c64675e06c5b811924de72843660e9641a02cbc19904b5eb414f9ea2aeb182ad5046633efd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
016a37f71065f93bf9898c933423da62

SHA1
5c95e229c38c6e6ee2f61f09ec43a060f38b2e21

SHA256
201f504c14d45ea846be5d67bd9fa219cadf8a474dda63be3c096a502a93fd2c

SHA512
3a2c5d8136acba5e6df198195095ed4066c9e344ed63ba6450bf4ba62064d56c2b2d3c16d34785e51b08ad969f597298eeb1e93d7bdf32aab8cbbe86695c149c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d0cd0c1294e42e0b04677b8767c0314

SHA1
67f7746c5488dc325b4ba2bcfa09118fc3eda669

SHA256
dda50584e963171166f596047d983624548db859ac97afb25443b5b56d4d1216

SHA512
4100c459fd6b884864d7330ae93cef39bb2f0490808cdb9be59477094e65c94d6fce3ba4b5d4bfe2f6a5c50ce6f8c46d2e8e0593cbf594a91e7993fd870a9a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
670b698c44db7340e73fab48a8caf50c

SHA1
82d2c6789f584e3b9e0d59ec28b4955846a653c0

SHA256
85d7ba8ecaccc85ea1281f0c66d0d4cba9eed6fd3910dacfbc1759a7ae8f5335

SHA512
b4bf0c338013317694a30ee6f878d3e9ede46c59b1e1822d405d99a6e997f7388b6df0aaf8ab401d39d91ce641cdcde234f1616aeb6196da53b3cbc74c27b7c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2983a37078f9f024c7169a9845973e9

SHA1
4624ec1859ec28622dac51e883e9f440af8cde41

SHA256
5b89ff95c27ff7de2dcf4691bfc1ee8bcf893fd63b646c5ff564f18dd4f46733

SHA512
2bf8bd16643bea9fd5f062a1e15dd9186cbe9d9c97ceddab18ca60c0fa7cc4cf92a7e1efcd27c18502d3805180554a809ad8e498827e2932b2540b980e83c685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eac1899af412b547d3410812d576d743

SHA1
1b5c4bd84a29cb5c8c0c05a82a515309e21fc440

SHA256
b9509110625e71f945d7d9f4afedbaf8877ec758d4cb13b540622037d4abd839

SHA512
80a898655fefdf2bb01a88e4e07997a97831f0f0a35787c7bd56f39a4b1cd8374fa4fb744b39a2fa6f0f2f39087f935c511af0c68664ad14f44e038e8eca9dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60f819f720a02ca13b6f6b3e81c96068

SHA1
ab7e73eeb49412cd5ed9091bae98121ba03c0825

SHA256
ed06dcdffb9f65444084a054488c9842ce6dfbd74f0ee25a15230cce81db1f6c

SHA512
638702e0cd1ff71de92f2209b32be87ca4e94b3414a644a9a6890052acfae381bb3c384f2c93a9563c533ea3d5a2f5cffb90b57754547041225cfacc73123896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d5ed.TMP

Filesize
874B

MD5
3e532d520bdceac3579a3c68d436c711

SHA1
ac12ad6ec4465abfc7a17c9f441665e21c4c0265

SHA256
95e5d7e92ae80ab57b053cc669ff5c4fa724f694933b7b29442d0a26acc4bd94

SHA512
beae2e5000c79674c1e4d2cc9f640c4fcf219de9e5856c3d6cc010f60dea247cfa617a43cb2fb6cfbb04fc33e60a1f3d3e92d0a022785ba61132578d7e504760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1af701772f0b7c03f299ce4e9c6b09a2

SHA1
9a66d72d3be9d1ab60046cf388d1f88e8585752a

SHA256
e5b824baba1472e5c7d2f957dd55fb8e0221fb4373e8b26dc2e83bcadbe192a0

SHA512
c069473d5b039b05a51e7d68c7e3c93f9515f73e99366710be075c1d2d9329e80ebb1ec347bd81616cc4af5b20d2629206ec4e865a1b4c84fd84613e72ba19e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b2f513aff67c184a55cf2182fd0104c4

SHA1
1b9631004c1e69d26093895069445d97679bda4f

SHA256
bf65a264531b0458198c3b7bc8999ebb87fd7e2575c5395f6997364cab3eb5bb

SHA512
97ac525235cd9cb5979e21c53304977797139e482687308c383d64975285efc29072cbaae81056294081e1af37d0f62f8558c290b7923ac5782fe1fff9841d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc589820dc3be732a329ae40a1aefde8

SHA1
57cffc92509b8146bb17a4e647a4859ae1306f99

SHA256
014c51e09423e37cbc61178b6a2af0b2dab34b9ec55edcdf6d698013d81fd8ab

SHA512
ae591686140389a9c53e45f315190493aff03b086c512bcbc9c3066403794707a245e8a2a3ed74e4f8d71fafe0774d0f00eb68e6c7524319eb7ee287f2a204e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
fb8d1ba9157f49fc82b1a19efbedc0ad

SHA1
7959f99cddeec179cffe9ffc48939091dea31dc1

SHA256
f5ef91b36bde277d658e5831dedfe4ae8640e542eb8f89905b8cdc5b7aff6586

SHA512
d7e712ae047afe2dce587ca87100f601bf259ed533b3e689817e858ef028992d0abaa854d04f3c040c2a67ad5da93892f1b0d0c48c85e50d37b7720b272b7b0f

Download Submit
C:\Users\Admin\Downloads\Backdoor.MSIL.Tyupkin.zip

Filesize
574KB

MD5
69fbc6a70b315d827c524bea4b899c44

SHA1
38ea7bae684864714599fb0d1e7f702967c5a35a

SHA256
fb07fb7cb7b15ecb86920b74be2ec2b955ae356b464baa7415a7f257b0c02e98

SHA512
9ad9c936bf869c30b2b0ecda4f362dbc43647ab6c9c0a8ed6a7ce12e7c42e6281340d93262a01c9ceb55765c05ea6ee043104ce9f178e3185c1fed3f18efa043

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270801.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 423232.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 423232.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 654845.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 674186.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
2580fcb852846c9cb4853c15a5d5bd34

SHA1
7bd43f3286649c068d852c616da8202d4acf8ef6

SHA256
092d98bae5efe60815a2abaf188a9d74a7dcb68a01bbcab22f7d5172a3d2e299

SHA512
8cc6f582077126094551416062ef3bd2141a30fe37bdcd57c6362734f21e10716fd4800bc2cdb96c18607da83d3adac24e7c33ccee514b41f61b3e4be0a4da45

Download Submit
memory/1152-265-0x000002DFFA9A0000-0x000002DFFB2B4000-memory.dmp

Filesize
9.1MB

Download
memory/2064-692-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/3852-491-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-680-0x0000000005830000-0x000000000583E000-memory.dmp

Filesize
56KB

Download
memory/3852-560-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/3852-434-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-435-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-437-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-439-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-443-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-445-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-447-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-449-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-451-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-453-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-455-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-493-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-457-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-459-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-461-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-463-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-467-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-469-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-471-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-473-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-475-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-477-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-479-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-481-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-483-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-485-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-487-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-558-0x0000000004BF0000-0x0000000005196000-memory.dmp

Filesize
5.6MB

Download
memory/3852-559-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/3852-489-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-495-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-497-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-465-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-441-0x0000000004BC0000-0x0000000004BEB000-memory.dmp

Filesize
172KB

Download
memory/3852-433-0x0000000004BC0000-0x0000000004BF2000-memory.dmp

Filesize
200KB

Download
memory/3852-432-0x0000000004B90000-0x0000000004BC2000-memory.dmp

Filesize
200KB

Download
memory/4376-230-0x000002E4BAEE0000-0x000002E4BAEFE000-memory.dmp

Filesize
120KB

Download