crimsonrat | hxxps://github[.]com/enginestein/Virus-Collection

Analysis

max time kernel
189s
max time network
190s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-01-2025 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

10^/10

crimsonrat fantom rms defense_evasion discovery persistence ransomware rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>fXbA0AZcwnh84Y5zPaKrhzaBDWWaziGjRC4TPmAzxEXb87f0XJrNfIWPCbVE1LB6tLizIFxEUkCS4rxMsSS/4XvCNqz4t3/EU4P9UfKITgwPxabF5y2nuypG1SwhKCSYrstVWg1ozrFxE6RGs0+I2dCfaTlRysA6mpsY0Zp4ulbX5EOrEybPBO8cz+gNyecJITMxDrkmNt+lZG2Cat7g5EiAoN4rnUl4KBusVe39GZUqD4Wi4CZMp/FdNWTkO3l/qgnQ97gNvA2hAgF++XR9gZrszcMU0J1jOVai9tTbjY2spxKtsfy2E9YKG+550tGEg0nQNIBReY5ScRa5DHNgDw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>lBnvtgDd1d+53dMYeaZ5THkMZaCs9v81I0zNs5Yw7qi8E8vxEs8+hUpviL7SfMqTFgSPgIBldZ0jMQMv7WqfuNuPX4Ip/FELpC84QwOX2NfYMIrZqL8qkyj639WJOPsTFq/0a2vS05trKMdbjvdSCRrK3V7kpeNcYYMpumu+0y6TKdoJqZ8UHRwp3TrdINjXZgy9rPnpHEI6L2eoJZ8+2pPgcvTiUKG8J1C3Y2D5wNMQ7CR38oxNvYTQWsAlrOFXaWpzuscwwLp0mH32FJ1+VKDCScLoEjNkzhlBVwtFq/bik54oCyiuzpUZfIWLNLU+a5If212YCZ+FfIFIW/zezw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000069f-375.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Renames multiple (129) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe

Disables RegEdit via registry modification 4 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 4 IoCs

flow	pid	Process
33	4604	msedge.exe
33	4604	msedge.exe
33	4604	msedge.exe
33	4604	msedge.exe

Executes dropped EXE 12 IoCs

pid	Process
2152	CrimsonRAT.exe
4156	dlrarhsiva.exe
3584	CrimsonRAT.exe
2588	dlrarhsiva.exe
4968	Fantom.exe
2312	Fantom (1).exe
3912	Krotten (1).exe
2816	Krotten.exe
4928	Azorult.exe
2812	WindowsUpdate.exe
3116	wini.exe
3268	winit.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
11	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000000f3f7-848.dat	autoit_exe
behavioral1/files/0x0002000000025cc5-1033.dat	autoit_exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	Fantom (1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	Fantom (1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\History.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\DECRYPT_YOUR_FILES.HTML	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	Fantom (1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	Fantom (1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML	Fantom (1).exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\DECRYPT_YOUR_FILES.HTML	Fantom (1).exe
File opened for modification	C:\Program Files\7-Zip\License.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	Fantom.exe
File opened for modification	C:\Program Files\ResetStart.rtf	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	Fantom (1).exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	Fantom.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten (1).exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 8 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3852	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 12 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\International	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop	Krotten (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\International	Krotten (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten (1).exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten (1).exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main	Krotten (1).exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten (1).exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	wini.exe

NTFS ADS 20 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 608648.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 473490.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 822501.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 939955.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 123652.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 508511.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 841670.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 142565.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 483591.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 580990.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 937806.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 787151.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2800	regedit.exe
4188	regedit.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4604	msedge.exe
4604	msedge.exe
3704	msedge.exe
3704	msedge.exe
696	msedge.exe
696	msedge.exe
2824	identity_helper.exe
2824	identity_helper.exe
3132	msedge.exe
3132	msedge.exe
1844	msedge.exe
1844	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
1184	msedge.exe
1184	msedge.exe
2120	msedge.exe
2120	msedge.exe
2144	msedge.exe
2144	msedge.exe
3144	msedge.exe
3144	msedge.exe
5004	msedge.exe
5004	msedge.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
4928	Azorult.exe
3000	msedge.exe
3000	msedge.exe
4968	Fantom.exe
2312	Fantom (1).exe
2312	Fantom (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	Fantom.exe
Token: SeDebugPrivilege	2312	Fantom (1).exe
Token: SeSystemtimePrivilege	3912	Krotten (1).exe
Token: SeSystemtimePrivilege	3912	Krotten (1).exe
Token: SeSystemtimePrivilege	3912	Krotten (1).exe
Token: SeSystemtimePrivilege	2816	Krotten.exe
Token: SeSystemtimePrivilege	2816	Krotten.exe
Token: SeSystemtimePrivilege	2816	Krotten.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe
3704	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3704	msedge.exe
4928	Azorult.exe
3116	wini.exe
3268	winit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 4180	3704	msedge.exe	79
PID 3704 wrote to memory of 4180	3704	msedge.exe	79
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4996	3704	msedge.exe	80
PID 3704 wrote to memory of 4604	3704	msedge.exe	81
PID 3704 wrote to memory of 4604	3704	msedge.exe	81
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82
PID 3704 wrote to memory of 3320	3704	msedge.exe	82

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten (1).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc06ee3cb8,0x7ffc06ee3cc8,0x7ffc06ee3cd8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1844
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:2152
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4156
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:3584
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Users\Admin\Downloads\Fantom (1).exe
  "C:\Users\Admin\Downloads\Fantom (1).exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Users\Admin\Downloads\Krotten (1).exe
  "C:\Users\Admin\Downloads\Krotten (1).exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Users\Admin\Downloads\Azorult.exe
  "C:\Users\Admin\Downloads\Azorult.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4928
- - C:\ProgramData\Microsoft\Intel\wini.exe
    C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3116
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2800
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4188
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3852
      - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        
        PID:3144
  - - C:\ProgramData\Windows\winit.exe
      "C:\ProgramData\Windows\winit.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1716,1477404337404053354,11994659250751625031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1250f051-a842-4eb7-abdc-0ba4d5ae2b05.tmp

Filesize
579B

MD5
0a215e77048a147d5ca6a0f085a6cbfd

SHA1
8d4abdcbbcd3dced499301ee4398952285ebd9ac

SHA256
81bbfe3f5fb2f5d99a723db8d227299126998b0a3f5658011c7b626bafd305ce

SHA512
6dd9741242244cb55cf2f9c59f7f9fc73ed8df53810beff13407cc7a27992b30591df5f5c4eb9dc6327369a9483f82e069578c2c18790caeb4e54768665f9b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e7535270eb5b28728c8a5fcce9ca58d0

SHA1
dee91dab7176910b6dcd7781175ebbe066a7d43b

SHA256
e31e183d3123c730a788b46cc0ecf4a2999577f442c6de031ec4792a98380afa

SHA512
b2c6e5940ebce12d3bec2af4f073d9f07c18c4be2e5cbbcd0426fdbbe7cf724615fe0541fec956082f022daf426ed9337f5a9efa57e62c5d1a4a898ac79f4d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
42b5a4e81342526eb6f8b40625e49097

SHA1
8ab39cf7669ae0e4bb1146d62af59777d8e30fc4

SHA256
2a7b38b09957e985444c358e91b19b2b7f19016b78b1f1041f39106c4025d2a7

SHA512
e0a8da2d25d09f3cb89df84b95c90439b8408d73faa5d52101025fa984dee87fdbede98985a40a605332253d2b4160e5bcce010c7eb24446a68e679c3b58fcf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a22c992cab6189e73f631e5bc599f34a

SHA1
6c35e1832b3b82dee4c6149c3a7adb608552a29a

SHA256
55ee55cdd07959fa17c7a5ee34b08492a4d9946cae4eed1117f898f95501013f

SHA512
3237f836735089b62ea02db09c57eb3cf6502a7d16b808e67ce1a39d6c64baabf83c2518d0da299596598b3bd9aa09ae52f5dffbe7f0a637c30f6ad07a393c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37e52af174009bfe475155ae81d8304d

SHA1
f95af1ce7324a293b8960b577daee83d3613198a

SHA256
8a5e1c87c7a03df3064ef32a0e0c5722778cce0e87f2ac4e67f9672299013cc4

SHA512
5a6109e252949245099ab91f1158ce5256875b9ed6e08012d0ecf1572d35fae8792303b3f2a32e5567f6de9724ddacaf4b029a37593dcbd591b6e86f044d66c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bdafdd71594a178b591446bdd7641160

SHA1
f99dd5b08f49709a910b2750cdd99b5c079df722

SHA256
da36fbefc3f301d2e8ed7e9ec2e7042781a2541ed65eb03595fdad5b0b657cab

SHA512
22d926f1bf2956614d2fdc536006df65fed679932b8c3509b40c34d66c1912d6a6e18185144e1c54ac45ccc14596a0010f084cc4bb9b99c0d655ac722e1f3de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20689921f855b2ed0792d81fa333b6f7

SHA1
a406560a374ae77c7a217589825daa4f70c01bfb

SHA256
a85cae80f8dc9c182aa19d46f90cd9a5b0ee7e2f26e0fc6774db404293975751

SHA512
5743b8e040fd813bfebdd3c858ddd906f7e24f3961a314b56a37e6dcde129b5d6e3b8571c0beab9ee1e92b1ba416fa7443c3cd992b22f280b9316cee6a4ff857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
03ee2e93ba6670d8e0bf6d25b97693c9

SHA1
c84b3ef43f90d4b54bb4f5fcd77f44d27376e955

SHA256
962be7eac3547983bf931b089184ea31145bd7a31fa44daf950c7bfaeb8187d0

SHA512
09a35b91c00a4eb16d7bd81de9f78a420bc47c80b37aba91d790434e71b7344a7f3bac42c10bef1b89b4953839537edc43a3a1c90311cfb9f7ef5ae8480753c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fae037d480affe9fbc6530b46217649f

SHA1
185f03c02f8c28af6f42309314c571639ad1dea3

SHA256
f2a5ec94bced4a4f39d181b3cf83408f9ddfb9341d7c2e32e10d448840b8aed8

SHA512
5f764ba92b8660f7a5a2bb63a39a2df61657f06d83fb4839c61e729daab5e87b7881be44dd81c15b358ba328342aae79e6a3dd1342b51c770c77f2226f88afec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5b35d2913b1fc49c6003364e7847822

SHA1
d938435d39b16e1da501333cb1f9aa4054624723

SHA256
f41bc5194010039bb6cf9cc9d8784058cd7ef20f95d47ad4b5ab55cc4fab77a3

SHA512
31a6f68edaf832b7a169af64b4d3540b7d58f3e52a10fa250c970f15193f29f91ffa370655ad835908d3e6474f84733b97e44bda21f4f043e70f6f808a2c788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
001516a651797b341cf453cf6a895372

SHA1
edd5db61f378bd2a8d47373f14855f056e71e946

SHA256
c9413a1f666afd7d93eb2d6d35d70f6da33bf6c2dd8472162b955d3806e85066

SHA512
c1ad3a84647e601719fcb80b1a967b63f92894058867cf7d77b9a9e2031be2ea41b481d8bfeacccd5a6b65f5f124b3027cddab425fb2fcb7139c3db95f348b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
99d7d6125bc7312f96157b46941bd305

SHA1
23e039b7ee83c60ea70168a984dba792e3589dbb

SHA256
e1f37da9f8806d3f79ec5191a6edaddcf0b0cdb82f6c218eab7e9720766224e8

SHA512
25f3d1a1066090ecbaab279e7c320a7c92edc69ddb5e43fd91c25a2bcc78476272c0320c7195f453e686aef176f92428087f405594a1f929db3cae73e85b818d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
d74c1e3b0dd815371373f05deb43a549

SHA1
2778f20cc9e79eee51d32b04df570cb43d992d76

SHA256
231bfada7cdf37b6ffe97d1bf4b21246019f8f153da7840f9ad83c941f4cb33a

SHA512
b0558858619c932ca80d2ba9ab12d18a8bacf80327c43d23a818ff7bfc8e3174ef14bdf3c8b13b1d1de6f5a6d68d5653256ec52b29de53b70ac3b79fdd459584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df83.TMP

Filesize
864B

MD5
d93be1a91613832b4ad15bb93953ec64

SHA1
c7912fe659da75cd6d61d9f50f16ad9677d0e813

SHA256
712a0df7ebc2cfde853128fc72be12103c574e3943366ae105007e9efe0b3cfd

SHA512
08dca8df8aebcaaa3d36db89e06a0b90847e48b400cb33902882f8f03bf681bfe7a491c942ca34cebf1aba9d78f20965530cf4ebb98f2ba3e18b9ab6e23f0e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\534b025c-cfad-42f5-a4ea-88aea0548024\0

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0026499de145e1c3b1a3510ee2402727

SHA1
072f60dd5c49d2f69f3261d97c1e29a82f12bd18

SHA256
85c5d6a7755baa1f9989379ca9e54199fb02dcc548e73574bc47a5808c23ddbf

SHA512
57cee0d6d323c27f2513f06e0d9b9947757b34cb400438e939460f06ab0dac70b869f1b0f52e0f7cfa27f77814bb44bd3b6e8d48181553dda2895b77b7d6158e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77c799e1121f3cd51cf4203865d72753

SHA1
8aa3c82021eae64d608e7cb366414d1b9b3c2a0f

SHA256
6c1bad3dfdb4d13f9343f018321eaf3b161c970f8e1d8148526f4f21e05533f0

SHA512
386d5f8c827941c8a97ef8475566c8a4aebf4e4f5ac6d4b0e2e2fa957e6067e021b8882f3bc077118d0c28da80c6341691f7e071d790e981e84cd5b347503a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9cbfd413baf0a6f1b1c38b8914940b8

SHA1
16b82bf051363f0ba68e1bc68d7277295335581d

SHA256
a9fdbfe47585f34227ddd186a3e0466f80ce90982e77e38f7bf8f70085c25625

SHA512
c5052c46c274d1b59fcc4a009e5597b1ef99c100392dac6797d47011efe420bac1134c1cb32842c3a40f29d8bf212f5b0c4775ae6e1bc2a01018f4cb1edef0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
333d12480de086788d3a88c7a6c2d71c

SHA1
bd7ec17e5d51e520a2978909703878b8e74f1a0b

SHA256
a42b5efc757c10226f4c0a95d36145272ade115da9d1941ddc60e75cb540c150

SHA512
d4704413ebbcc0a180b0cd1dba41f9a4c33cfe2ec06c868c66768d9b7e1f09c4c19bfcba7ff8f183de2ecd9880fd3194c976c9325fe7a0063d260121b86cbfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5762e9d1f01fa0a889c553841b16e859

SHA1
e7e17ba24a0032cb891358bee062af7142fed45b

SHA256
8247fbb2c361ee9ad7451dda9268b548abd848ed1b264c48444b4df5a9502e0b

SHA512
0f1935eee428a7a0da9b543a191a83b2900b27314dffb5c67ff8b3460ca1b056840adc1ade7a3d7025292496fce7850008603a367d8c3381a666d48c4971341a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut57F9.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
a008084324fe02f08b9ad306d7aa62b2

SHA1
63968d53aa05d6ec0855b49c60b37a83f49a8e03

SHA256
7594cb4fff504d67abcfc1cf7ad719c949eb705dc27a7d68aa6e81633d78175a

SHA512
47a0e72f4d501688f3f690cf836dbbb593e948ff244df3a7efb3f34da043fccd0184088479ecc14ca3c5895dad6fcab981165b478ef81628052454970400ac0d

Download Submit
C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Krotten (1).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 508511.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 787151.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 841670.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 841670.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 937806.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
8164a48b56a5d6815c6f15d415c55d41

SHA1
77159e660aec53a5d09dfd16ea55c3c6cce84d59

SHA256
1fc95f74713ea6ed6107b1ac03e99ac22899fe0ac745c77a7d01dc51880e1a8f

SHA512
52873afa9f3d87cf9e6f1b753888e7fa8f20785c6f38732006bbcdd09a297a71283d2fa0867da1f789a7991a64211356335829f0bc0f4adc81a22948154cc3da

Download Submit
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
49c52fa5e1767d22bf1e159567069974

SHA1
b69a22ed406f929e4287c945a1c3e521413bb1c8

SHA256
caae67ea08530a473326b9b13b98fb5bb5ef8177721245b7eb8287e68521a07a

SHA512
85eb3e53a90a33c5806f3340366f4dbb19b594789fe76fde97d71a4a1c1a5da42915e6e10b0d88e764a79daea4825bd7ec68098ef97e97c3e27c5d4a3a937e1f

Download Submit
memory/2152-352-0x0000018A399D0000-0x0000018A399EE000-memory.dmp

Filesize
120KB

Download
memory/2312-589-0x00000000022F0000-0x0000000002322000-memory.dmp

Filesize
200KB

Download
memory/2812-960-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/3144-1643-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3144-1523-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4156-384-0x00000234708C0000-0x00000234711D4000-memory.dmp

Filesize
9.1MB

Download
memory/4968-455-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-471-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-467-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-509-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-465-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-506-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-463-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-497-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-495-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-461-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-491-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-459-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-485-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-501-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-454-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-580-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/4968-469-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-503-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-507-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-513-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-511-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-578-0x0000000004C10000-0x00000000051B6000-memory.dmp

Filesize
5.6MB

Download
memory/4968-579-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/4968-515-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-517-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-475-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-457-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-453-0x0000000002540000-0x0000000002572000-memory.dmp

Filesize
200KB

Download
memory/4968-948-0x0000000005830000-0x000000000583E000-memory.dmp

Filesize
56KB

Download
memory/4968-452-0x0000000002510000-0x0000000002542000-memory.dmp

Filesize
200KB

Download
memory/4968-473-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-477-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-479-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-481-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-483-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-487-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-489-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-493-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4968-499-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download