Analysis
max time kernel: 222s
max time network: 223s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 01/02/2025, 13:08
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win11-20241007-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted: crimsonrat
  185.136.161.124
Extracted: revengerat
  Guest
  0.tcp.ngrok.io:19521
  RV_MUTEX
Extracted: warzonerat
  168.61.222.215:5400
Extracted
  C:\Program Files\Common Files\microsoft shared\ink\ar-SA\DECRYPT_YOUR_FILES.HTML
Signatures
CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000300000000068d-451.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware associated with a Pakistan-linked threat actor.
Crimsonrat family
Darkcomet family
Fantom
Ransomware that hides its encryption process behind a fake Windows Update screen.
Fantom family
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Njrat family
RevengeRAT
Remote-access trojan with a wide range of capabilities.
Revengerat family
Troldesh family
Troldesh, Shade, Encoder.858
Troldesh is ransomware spread by malspam.
WarzoneRat, AveMaria
WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
Warzonerat family
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource | yara_rule
behavioral1/memory/4052-652-0x0000000005D50000-0x0000000005D78000-memory.dmp | rezer0
Renames multiple (141) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted.
RevengeRat Executable 1 IoCs
resource | yara_rule
behavioral1/files/0x000500000000f44d-569.dat | revengerat
Warzone RAT payload 2 IoCs
resource | yara_rule
behavioral1/memory/2116-662-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2116-663-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe
Disables Task Manager via registry modification
Downloads MZ/PE file 10 IoCs
flow | pid | Process
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
30 | 3720 | msedge.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2368 | netsh.exe
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes so the file is not shown in Explorer and similar tools.
pid | Process
124 | attrib.exe
1328 | attrib.exe
840 | attrib.exe
240 | attrib.exe
3844 | attrib.exe
4112 | attrib.exe
Drops startup file 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA | NJRat.exe
Executes dropped EXE 15 IoCs
pid | Process
2312 | Blackkomet.exe
4916 | winupdate.exe
888 | CrimsonRAT.exe
5052 | dlrarhsiva.exe
2104 | winupdate.exe
1356 | NJRat.exe
3928 | RevengeRAT.exe
4052 | WarzoneRAT.exe
3272 | AgentTesla.exe
3616 | svchost.exe
4972 | Fantom.exe
3652 | Krotten.exe
3716 | svchost.exe
2044 | NoMoreRansom.exe
3936 | WindowsUpdate.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | RegSvcs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | NoMoreRansom.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
1 | raw.githubusercontent.com
1 | 0.tcp.ngrok.io
3 | 0.tcp.ngrok.io
30 | raw.githubusercontent.com
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Для того чтобы восстановить нормальную работу своего компьютера не потеряв ВСЮ информацию! И с экономив деньги, пришли мне на e-mail [email protected] код пополнения счета киевстар на 25 гривень. В ответ в течение двенадцати часов на свой e-mail ты получишь фаил для удаления этой программы." | Krotten.exe
Drops file in System32 directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA | Blackkomet.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 3928 set thread context of 1372 | 3928 | RevengeRAT.exe | 134
PID 1372 set thread context of 4844 | 1372 | RegSvcs.exe | 135
PID 4052 set thread context of 2116 | 4052 | WarzoneRAT.exe | 146
PID 3616 set thread context of 4076 | 3616 | svchost.exe | 215
PID 4076 set thread context of 1952 | 4076 | RegSvcs.exe | 216
PID 3716 set thread context of 2104 | 3716 | svchost.exe | 284
PID 2104 set thread context of 2136 | 2104 | RegSvcs.exe | 285
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\Web | Krotten.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose value is known as the Mark-of-the-Web (MOTW).
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegSvcs.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Control Panel 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\WallpaperOriginX = "210" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\WallpaperOriginY = "187" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\MenuShowDelay = "9999" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International | Krotten.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Krotten.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Krotten.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Blackkomet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
NTFS ADS 27 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3584 | schtasks.exe
3396 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2168 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2168 msedge.exe (64 identical entries) -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 2168 msedge.exe (14 identical entries) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2168 msedge.exe 3272 AgentTesla.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2168 (msedge.exe) wrote to memory of PID 3640, procid_target 79 (2 entries)
PID 2168 (msedge.exe) wrote to memory of PID 1124, procid_target 80 (repeated entries)
PID 2168 (msedge.exe) wrote to memory of PID 3720, procid_target 81 (2 entries)
PID 2168 (msedge.exe) wrote to memory of PID 2836, procid_target 82 (repeated entries)
The listing holds 64 entries in total; the remaining 60 target PIDs 1124 and 2836. All four targets are msedge.exe helper processes of PID 2168 (crashpad handler, GPU process, network service, storage service in the process tree below). -
System policy modification 1 TTPs 37 IoCs
description ioc Process
All 37 entries are by Krotten.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies:
Key created: Explorer, Uninstall, NonEnum, System
System: DisableTaskMgr = "1", DisableRegistryTools = "1", NoDispCPL = "1"
Explorer (all set to "1" unless noted): NoSaveSettings, NoSMHelp, NoStartMenuMFUprogramsList, NoActiveDesktop, NoControlPanel, NoPrinterTabs, NoStartMenuPinnedList, NoLogOff, NoCommonGroups, NoSMMyDocs, NoDrives = "1044", NoRun, NoViewOnDrive, NoFavoritesMenu, NoUserNameInStartMenu, NoToolbarCustomize, NoManageMyComputerVerb, NoDesktop, NoRecentDocsMenu, NoPrinters, NoStartMenuSubFolders, NoSMMyPictures, NoStartMenuMyMusic, NoFind, NoClose, NoThemesTab, NoNetHood
NonEnum: {450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" (My Documents), {20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" (My Computer / This PC)
Uninstall: NoAddRemovePrograms = "1" -
Views/modifies file attributes 1 TTPs 6 IoCs
pid Process 4112 attrib.exe 124 attrib.exe 1328 attrib.exe 840 attrib.exe 240 attrib.exe 3844 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo (depth 1)
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc19bb3cb8,0x7ffc19bb3cc8,0x7ffc19bb3cd82⤵PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:22⤵PID:1124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:1552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:4752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:2580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:2272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:4524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:82⤵PID:4164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2856
-
-
C:\Users\Admin\Downloads\Blackkomet.exe
  Command line: "C:\Users\Admin\Downloads\Blackkomet.exe" (depth 2)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2312 -
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h (depth 3)
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:124
-
-
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Users\Admin\Downloads" +s +h (depth 3)
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1328
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe
  Command line: "C:\Windows\system32\Windupdt\winupdate.exe" (depth 3; the command line names system32 but the image is under SysWOW64: the dropper is a 32-bit process, so WoW64 file-system redirection maps its system32 writes and launches to SysWOW64, which is also why the UserInit value above points at a system32 path that does not exist for 64-bit callers)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4916 -
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h (depth 4)
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:840
-
-
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h (depth 4)
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:240
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe
  Command line: "C:\Windows\system32\Windupdt\winupdate.exe" (depth 4)
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h (depth 5)
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4112
-
-
C:\Windows\SysWOW64\attrib.exe
  Command line: attrib "C:\Windows\SysWOW64\Windupdt" +s +h (depth 5)
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3844
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:82⤵PID:732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6688 /prefetch:82⤵PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1592
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe" (depth 2)
- Executes dropped EXE
PID:888 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe
  Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe" (depth 3)
- Executes dropped EXE
PID:5052
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵PID:4592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 /prefetch:82⤵PID:2788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4124
-
-
C:\Users\Admin\Downloads\NJRat.exe
  Command line: "C:\Users\Admin\Downloads\NJRat.exe" (depth 2)
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1356 -
C:\Windows\SysWOW64\netsh.exe
  Command line: netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE (depth 3)
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2368
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:12⤵PID:4392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2580 /prefetch:82⤵PID:884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:988
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe
  Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe" (depth 2)
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3928 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (depth 3)
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
PID:1372 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (depth 4) PID:4844
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cazk9cvd.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91C430651F5C45A79C8022C081A1DB9.TMP" (depth 5) PID:3400
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jwilxfps.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8781784B55B3482F93C9AD886B427B80.TMP" (depth 5)
- System Location Discovery: System Language Discovery
PID:3668
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nf-xwk-2.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:4148 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA54DD10D66C04636A9305E4A4D961832.TMP" (depth 5) PID:2548
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iittwlb9.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFECBF78DDBA4C9B9DBEF0454CBBA60.TMP" (depth 5)
- System Location Discovery: System Language Discovery
PID:3936
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ahoqhbwn.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE068F79E69742129C4A5FD08D78E4CC.TMP" (depth 5)
- System Location Discovery: System Language Discovery
PID:2068
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azn3sisi.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1978D42C91904CC28E7F893E12F4F793.TMP" (depth 5) PID:2280
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_rmpq1xu.cmdline" (depth 4)
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FC7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDB012D7F05F43CCB645642A808F249.TMP" (depth 5) PID:2072
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfqfquja.cmdline"4⤵PID:2408
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7044.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc440BE15A6E4268B0D259223DBC70FC.TMP"5⤵PID:3980
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e6oeqbff.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc52FA1DA1F3A4E289F539FB965F9F80.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:4860
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qcuibcie.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES714E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9252C0A93A1245A1A6DD2F3876C825D2.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3268
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hfqrw8dh.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF94452D9550D48918D41BABBD279C998.TMP"5⤵PID:2820
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znblrfsu.cmdline"4⤵PID:2284
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7238.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE87B04DB6C754C5EB49998204938B5A4.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5024
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jo7x34xt.cmdline"4⤵PID:2036
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF84A8F095BE4D6495E27449BEA8E69B.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ticqia8q.cmdline"4⤵PID:3252
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7352.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D070E458BDC423B8AC86C12F0B33D.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6vkvs0df.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3388 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4710F1FBEA564EC1B664974934E4129.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1228
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erf-hn_q.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:4104 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES744C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70E6496C6B954E84B65590DF4D8F7E42.TMP"5⤵PID:2960
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uytqxxyo.cmdline"4⤵PID:3048
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34EC9FED83A84A6BB0348EBEF0DFC510.TMP"5⤵PID:2848
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q-_e8eew.cmdline"4⤵PID:3616
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3429BEB1BF44188CAD7D9DE64CE8B6.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:2260
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a6zczyvy.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3724 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF35C30ADB09411EB05A2FC53BB6C81.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hncgzyes.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:4264 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES767E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2A4D6D9774946DD89442E25A1C6369.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3928
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uqhhcub1.cmdline"4⤵PID:1724
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9841968821684C50A42C7569EB68926C.TMP"5⤵PID:4556
-
-
-
Depth 4: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3616

Depth 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
PID:4076

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
PID:1952

Depth 6: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Scheduled Task/Job: Scheduled Task
PID:3396

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w5yulkk6.cmdline"
- System Location Discovery: System Language Discovery
PID:124

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD56D1371F5E243938710DD4D6409328.TMP"
PID:2436

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyr3aocg.cmdline"
PID:4992

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2982.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3B6D0BB179240CA97A991FF6B7AB70.TMP"
- System Location Discovery: System Language Discovery
PID:3064

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\navzx3kg.cmdline"
PID:4068

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc825ED940CC244C05BDCBCB3CC099C6AE.TMP"
- System Location Discovery: System Language Discovery
PID:3492

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5hoxda2.cmdline"
PID:772

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5048AEAFCC944805AD4DFB39FCB4289A.TMP"
PID:3904

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4enp52k.cmdline"
- System Location Discovery: System Language Discovery
PID:2004

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2ADA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAD94E5AE80C4D5EB4F575B177EC9AA.TMP"
- System Location Discovery: System Language Discovery
PID:3228

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgkoxtv6.cmdline"
PID:1592

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5816D60BC5EB420A85B396138D83F6A.TMP"
- System Location Discovery: System Language Discovery
PID:2872

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xgykifj4.cmdline"
- System Location Discovery: System Language Discovery
PID:1700

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE5A9B4E3D17431E9A98FECC7D4143.TMP"
- System Location Discovery: System Language Discovery
PID:4728

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\79y2vzjz.cmdline"
PID:1152

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6D7A55C137B4A6FA7DF5B35D7F33415.TMP"
- System Location Discovery: System Language Discovery
PID:4676

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dtw1cjdx.cmdline"
- System Location Discovery: System Language Discovery
PID:3056

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc665B580C94D84C308E46ADC216A6ADE.TMP"
- System Location Discovery: System Language Discovery
PID:340

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ywpzhgvc.cmdline"
- System Location Discovery: System Language Discovery
PID:684

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EB8D15DD014788B2AFDBB54E8974F.TMP"
- System Location Discovery: System Language Discovery
PID:3608

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pevn2ie8.cmdline"
- System Location Discovery: System Language Discovery
PID:3796

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6311.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E5703AD30F4FB7BA37EB87EBD96FCE.TMP"
- System Location Discovery: System Language Discovery
PID:3076

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5_xoedel.cmdline"
- System Location Discovery: System Language Discovery
PID:3036

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E8ECC872F1F478795FF128192464A16.TMP"
- System Location Discovery: System Language Discovery
PID:2468

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\daabmvah.cmdline"
- System Location Discovery: System Language Discovery
PID:4172

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6449.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc574B584FC6F3453B878038AC322E965D.TMP"
PID:716

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d9hx2q3c.cmdline"
PID:4992

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6497.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9315A761C9493899544A3D7877119.TMP"
- System Location Discovery: System Language Discovery
PID:3636

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6zdyd6qe.cmdline"
- System Location Discovery: System Language Discovery
PID:1996

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6524.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9CCE73D6F8C416598BAB522A9C81B78.TMP"
PID:4652

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qgqnm9ce.cmdline"
- System Location Discovery: System Language Discovery
PID:912

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BFC2181F0E4C91959618FCDBD37818.TMP"
- System Location Discovery: System Language Discovery
PID:3848

Depth 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-ismjmq.cmdline"
- System Location Discovery: System Language Discovery
PID:4184

Depth 7: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA244B7D42B498E942ADEF327D4AACB.TMP"
- System Location Discovery: System Language Discovery
PID:3656
Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
PID:1888

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7016 /prefetch:8
PID:2548

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1992

Depth 2: C:\Users\Admin\Downloads\WarzoneRAT.exe
Command line: "C:\Users\Admin\Downloads\WarzoneRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
PID:4052

Depth 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CD0.tmp"
- Scheduled Task/Job: Scheduled Task
PID:3584

Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PID:3656

Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PID:2116

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6936 /prefetch:2
PID:3948

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
PID:4780

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 /prefetch:8
PID:3080

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1668

Depth 2: C:\Users\Admin\Downloads\AgentTesla.exe
Command line: "C:\Users\Admin\Downloads\AgentTesla.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3272

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
PID:1588

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6988 /prefetch:8
PID:760

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:4372

Depth 2: C:\Users\Admin\Downloads\Fantom.exe
Command line: "C:\Users\Admin\Downloads\Fantom.exe"
- Executes dropped EXE
- Drops file in Program Files directory
PID:4972

Depth 3: C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
- Executes dropped EXE
PID:3936

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
PID:2312

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 /prefetch:8
PID:4172

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
PID:1656

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3492

Depth 2: C:\Users\Admin\Downloads\Krotten.exe
Command line: "C:\Users\Admin\Downloads\Krotten.exe"
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
PID:3652

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
PID:2904

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
PID:2872

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1236

Depth 2: C:\Users\Admin\Downloads\NoMoreRansom.exe
Command line: "C:\Users\Admin\Downloads\NoMoreRansom.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2044

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
PID:2408

Depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,15365755324366376903,17989985757876513998,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
PID:2296

Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1956

Depth 1: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:2272

Depth 1: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3716

Depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
PID:2104

Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- System Location Discovery: System Language Discovery
PID:2136
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads

- Filesize: 1KB
  MD5: cba3e132a0eb4d8f555cfb365f5d1fdf
  SHA1: ae5d87c45fefef329c51f3cc7cfd318df3c3a108
  SHA256: c0edd5cfbc36555552693562e8d8ce5853b12c0981e89586034324680a4ec757
  SHA512: a60fc5feb75f68884cb95c545d6913fdca59375363994984d854e76edf9be693413f2b8db6af5012f133a5c2b029f8373713670102727a471fa63ec5f0cfd22a

- Filesize: 9.1MB
  MD5: 64261d5f3b07671f15b7f10f2f78da3f
  SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

- Filesize: 56KB
  MD5: b635f6f767e485c7e17833411d567712
  SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

- Filesize: 4KB
  MD5: 602ddd0c457eb622800ec2b65d1a3723
  SHA1: e322f2927b3eb868f88f61318589cdbc9b5e4554
  SHA256: 6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82
  SHA512: eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

- Filesize: 4KB
  MD5: 28d98fecf9351c6a31c9c37a738f7c15
  SHA1: c449dee100d5219a28019537472edc6a42a87db2
  SHA256: 39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0
  SHA512: f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

- Filesize: 152B
  MD5: fdee96b970080ef7f5bfa5964075575e
  SHA1: 2c821998dc2674d291bfa83a4df46814f0c29ab4
  SHA256: a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0
  SHA512: 20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

- Filesize: 152B
  MD5: 46e6ad711a84b5dc7b30b75297d64875
  SHA1: 8ca343bfab1e2c04e67b9b16b8e06ba463b4f485
  SHA256: 77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f
  SHA512: 8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: a02ba5b8cf138d82c62fc5c30dfb5f9c
  SHA1: 38714d5ef470b3c78d7b95fd2dcc2b2cceb2a81d
  SHA256: 3e083ef9268d86a27fbf43c5fe9f7ca2e86a36a30efcdbeed47c063e05d56ef8
  SHA512: cf72d606cd74e20a70849496b0c64ecbde69e4994bdade405a8e9de4ca526e11d11b15708201fca43a1ea88f4b52957fa0eefffb9d2e37eb97e9b60cef93d3b1

- Filesize: 579B
  MD5: ed5f4213c17629776cd75510648fc019
  SHA1: ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
  SHA256: e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
  SHA512: 71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- Filesize: 579B
  MD5: b8fdc8d04b83beb089126efbce00f896
  SHA1: 971ff6e70884b2cdf229be5a0cad066e3bdb085b
  SHA256: c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe
  SHA512: f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd

- Filesize: 6KB
  MD5: bd2103a2c2dac5680cac80dd06a3e9b3
  SHA1: b68f7cdd952c5dd1c150938a73cced28c567f063
  SHA256: 9c33965f4c783bee6391796a39d2a5b83593d1ddbf18ef2a367f9cba4215280c
  SHA512: 904110b7fa1d366a41f880abe21d28beaf93d72ebbab3299a569fcaeebe6bb2d21bdf51579c6349e8c26dd2a4c70c29ba28df504e5543bf85f61c9ddb35d6aa0

- Filesize: 5KB
  MD5: 6357d89884fa3fb2426e49c5153d350e
  SHA1: bae83d7d020795e890ef718e5c7e98545510bbb4
  SHA256: 9c46c410e0205ac893c768cd4dbc227865ff194f8ae4d0728286db4ec16b4904
  SHA512: 793f3e50c0f0f38f08408b2e8d320754f76db80b6d09d2535767f08aac047fd9431e47c72145926258c7e1eea02a304abb7f87638f43c72644fc2b7dba7dcc37

- Filesize: 1KB
  MD5: 623dafc58f5aa34734de28e29440f233
  SHA1: bf0610c0f00310bb1ef82149e75efefba23e1922
  SHA256: ec5ec9e4c7e17ca4001f4532ebb00070151dd985c526d2cd504044b60f810524
  SHA512: 5dfd337d0f76d188a53a0124737fd903df20da14519653bc2c4c0d59fd3ec31ae7b38bdf6f61e9e99df97da93edd6bfe8dc40d1e0156ec27b88cf42a6b644262

- Filesize: 1KB
  MD5: ffa77d4503c2878f6dd5bdc8acdb4d4a
SHA1d3a97d787f23e3c1377a0c25d308037f1245880f
SHA2565de1a41f6db3f1cf0d43c11800a8255537ef95cfa56b03da70e71c96bb4ed123
SHA5127eb97d1393f5c7260e831ac2136784751c333576281e4e4d647df8e097853e07101165fb03a9a986802edc9bcbe2cdbe4c77c828af0873ac40a8bd330948a898
-
Filesize
1KB
MD51682653ea0cc4c3b9b74f8409ee30b2f
SHA11799201985ba603a7029d95ec4d16cf971cebe4d
SHA2560712746db3b7a3c201e1a7f891edb694104ce1c933f84c253b21defa5b3a7775
SHA51264f078ab4c13f47656091084eeb792a4c5f6d461b10aa10ae58b05831b47125f9a4faac9c912432879d136c9d052304573f6adfa9c7631e2028639975e71c3b8
-
Filesize
1KB
MD504653f05d4d1a175ba5ad741e32bf62a
SHA1a6cb4eb168469928d897392ddb368884b76c1eb3
SHA25633e845fd5ab6fc88ac0e3f14eb309ca761ee1bcc15bc5ce55d1a6a95ceb59428
SHA51289361b9c5a3c11b95120b97f3991e542da1f3b16a4e6162838dbfaedffc821f1549b1fdfd4c9cc9d9210b89700c2ebe75de59bd566c5cc366fe926352abe395d
-
Filesize
1KB
MD5573d1e62925387d13e0d613411cc121c
SHA1a123c7d8623abd133c8ed806ec188676f7376b16
SHA256694305059193d9349a93ced3581657f4b657b86c89877c018abb4508749458d6
SHA5125a14af2c4d655bb6c5754a21e1034bd11fa8d4f332d480c8e1e7c5dbb3b92de659a34782d43516f92bcf64f53e487c9d6fb87280416d745fe7c4f6fa7f0062e6
-
Filesize
1KB
MD56fec4b8f7746769eefe3cb452d658b1b
SHA17b013184096a7f57646694c8cad4905f084b3c9a
SHA2565bc020a4314992a113b2be1c74703f8f4fbf20f17e2c1240b59d04f51ddc2b62
SHA512272fe20981f61daa9cfc45aa1512fadc528d5be3b656dc790748c85cf23921f680c23a2e3b01b4b450ec4584e6662783efeddefd521056eaa82f02dd009eeccd
-
Filesize
1KB
MD584c7c77296210b5b897c1722192f481d
SHA171fce80ed7d851c1c81dd37fefc368c443fa5401
SHA256659a87eff513131ca9ce5a51a9ed647528b20178d8fbb9934ffd744fc99ba279
SHA5122ff47ffa0ce8ca984fe72a9b4c6c3801d00f2bd1312c967e8a49d4118b00090f8a3e0e36b515b5e224845b596dc143c838e008fad41745e566546542be0f536b
-
Filesize
1KB
MD513fae00152d7f61dabed44f283a5de01
SHA13f7ef763c87e63edb94ffccfbbdc8d107f3d7aa9
SHA2564136e1573efcf03539437cce71eb7ff00c2bf95bf4c62b14b6322f83ec349870
SHA5121d4b3ba4ace18cb7174de20a705167e66db1eb519f38dda7a1eedb07080c9b73613ce8b88db830423245b816f77ebd9a43ccec62798832f06ab7c58c2c360ba0
-
Filesize
1KB
MD5314130bd2fce3a7c8dc2da86dfce8def
SHA14e8f495a13b485a28ef8a4e0424c52a185721d42
SHA2560b646d3cf94d5fca0990cd6dc7e3f0916ede402c3b7123523977d37ab546e694
SHA5122429a5a79c42bb37eab2b2b97bb4d00caaa68a418eff5314e2b1151212c997c9839ee95d96bb18c57ecaf6174dcd55cedd2a6c293e435c3419b85f5226cb764b
-
Filesize
1KB
MD517e8daea488f495ad18ed3c755f8e15d
SHA1e17ccdda80c243525d48b606f2a3dcee39cf7ba0
SHA256a8122cde4c8c3ae92c2d0545b6d25cc01d75e2ef5a2749b37cb0635c7dec567c
SHA512ca799a8e8aba14bf9378027d4893117761f2c302523dece7be228fc1fbd591218f542d18a3d8a9560a0740b63d2968dad5ac49ff5713279761b3932e3e9dc5e4
-
Filesize
1KB
MD58268ba0f144b4ccd201d2185ddc9c398
SHA147150481b0791935910cc7187daa9e7a0d0cae29
SHA256231a45133837ab9c5218852c261159515a7fb6c492673020a4c126faf78040a0
SHA5129d5a5e501c494921245b1f9df0c9e12875e0497aed3a7492f87a92fa3c21d993c3b68466cfb0bac35471a1a26e1e6812604a924cb337f81c29742643fff8dc83
-
Filesize
1KB
MD5853d5a76b93c564ebef1c6d80d4ca690
SHA1090ad8da14dd5a846d04dfc7e134de797fccd24e
SHA256b1811329e7a821458f32de99f4133e450a27937c3206fb54ac1472d4ff61eef8
SHA512e83e3ae8b96196d36b4e88dda8416e44cf66dd5db6d11b45f2dddc82f37709e6a2b0a2998217014ab74bfb650576c0f942e9570c7e3e40edab72a26a6730a8b7
-
Filesize
1KB
MD56c2364c799b8f619fb0c548f8af9e290
SHA17e6636eb0b9067681c4edd481519703aae2cd8c2
SHA2563c0565bdbfd3c92549eb0af147fd83817cf1874098d3fed18324c3e5974dce6e
SHA512314eb71c1e0a93ffe78897bd618fcbec50a5499de1a95985121f2867833ec4aa274d382c01bbc32861e601944e41a096cda96ddccc8864137c49fbb0a94d840d
-
Filesize
1KB
MD5218c9061dd2d92a44690a7a1ab2370ce
SHA1ed59330850c9144406499d86a58535966c96de7d
SHA256213dfcff45cc19a61e16d51e1bdf2c5419ce90884f8b3d7f3b676e2a9002913a
SHA512dce25358270ad44750886c6affcc65dd351efb9d8f8f99d5b83738c7b13b56c7207a872256e2d30fb0f5b1ebf098a867ff808b4736eb95d57fef3ba78dce4220
-
Filesize
874B
MD599c855a3ac5d57d5dce0480b507c0e0e
SHA15df9d16d1d6b7e928628075c8f2c5f1da3ecc72f
SHA256eeb958fce05fbe38a2e8987a659a3dd9fae2ccd87e3cc528c00050fad36de663
SHA5126f36b74426d44079c2d8ce3e1654e8925fc20165bcfa758be9c3af8d4fddf4a6919109e92192d1de11b474ed1c05883bd0bc27c1f0b299abc59d85154444e731
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5929271d0c1c0892bbc672a8d19de1383
SHA1fec00f89704bc6fbc8e1c05c3e9793f9996efd52
SHA256f732b3d1efc7259f48ca84a8f1c7e9669745bdd4994288ba256da924a884b3a7
SHA512b617c7d9adf7156da1a5aca906847fd45dfb8eee958017a63ed0e5c9965c307c9e4d84138118620361475eb54244cfb8673bc8bb805863bcaa8092491be98d97
-
Filesize
11KB
MD557ddab1503059bf8b56cb8cd9f5a8b8b
SHA19f352aa868fad2205e8fcca3ac4fab6c0a843b05
SHA25636dc312b58baa5ded91730d146c21c597b0f27e10b831e7522e72a49b5a7c6e6
SHA512b52a69dd1fef10714e8bf3a354563fa30585679401df86b62dfcb1ce27fea02c2b83c186689a3260ad2add9c4d285afbac618385d99aba89c8f679844f360335
-
Filesize
11KB
MD50db4bb1bd9a105d2b8db26e86c6d0ebb
SHA161b120602dd562453959b9c216495b42b9f45e03
SHA256892d03a04529827655f6dbd61f2516fc55591c9dc6b677ab68edc95f9a257a17
SHA512577be289922a213e8fa76d821d0c59a4114f2c686bce8c3ba2e56e753446d5cee6fceff59d89ca3f90eb28cec0aabb2b0ace586ea8b5dc51d8b6b0d1493291e5
-
Filesize
11KB
MD5dd4bd6fa79521dbad68ace38acc6db79
SHA1dae96a1c7ff2c7df237649baba40d5cc3a1e33b7
SHA2562748d1284f0e65d3b00699dca14af100f2b4498f3eff22ae2987644cb9ef2da0
SHA5121c455a9f8ea14ce2130757d555e7217e1366a81756b5fc3a0743466bc8f1bb37efd727034ec13c26c7754a7ab874db8442f09da11153ac268d7080818fc72dea
-
Filesize
10KB
MD5b0cb7a3d7ad8c2aa732ecda5bd95db6b
SHA1edba0377869ad0a32d7aeb58b94c9b38954b0905
SHA2566eb024852f9ba2f5cb59337ee6e0de1637d8470ae54c01955106de3d1aba095f
SHA512c82af16c35d783a7d945b6a70a077de97a764bf0673e4e1ee65a2572cb0897bbf1623c5e4174ee056aa202c17f035fbfb56baa3f00daad4c66888c9b4ef23c5b
-
Filesize
10KB
MD554bfeb29ec3b9a2aa0680e939555f76c
SHA18d04a1522d2c0e60a940559a862c833c30f23e1d
SHA256a12f9b2689b8ef060f51e4f5c0b584e0c20afd4365f4717a834ae845438a3194
SHA512c1586cad2d0091aaffe21d9245480548177a822e66efd30e5270ba759fc7cabcbd862e5d5046628358082c7a132af020e36cee00997e78c91d7fe95ec17f57f6
-
Filesize
5KB
MD558e533c29daef35add2447e0cf5b0306
SHA1a380607728a124cc22b70233ea2e1c6e873ca5c5
SHA2564f03e864f599dde78c8b7c0af488378c6aee1f3c65ad0797506b981c5063c33f
SHA512529366c4ea3c2f1ea414ed70547f3e7710359d2ba1b31530ac10866157a87520f4d92338360b9cadbc850562c606a2ef63a9a0481bea82fc239a7483653ec4f4
-
Filesize
21KB
MD5fec89e9d2784b4c015fed6f5ae558e08
SHA1581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2
SHA256489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065
SHA512e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24
-
Filesize
369B
MD5e4a08a8771d09ebc9b6f8c2579f79e49
SHA1e9fcba487e1a511f4a3650ab5581911b5e88395d
SHA256ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6
SHA51248135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1
-
Filesize
253B
MD5c2ca814a4ce12fecc6a292368da5ae5b
SHA1c97d404ec889dfcd20611ccb1980b19007c63aa7
SHA256e252f13f893d6c65cbfa52d9b6c57ea56c8e6c5edc0d71d56b848bca5e0f8f8e
SHA5123d87741aab550ba922f6443267712152e5a6972a40904a20e8d0dd94f760eef541c6884388d94b0321e8f56eedd86019d7ad0bd2115f9796e42bb68d413f9070
-
Filesize
355B
MD5acd609faf5d65b35619397dc8a3bc721
SHA1ba681e91613d275de4b51317a83e19de2dbf1399
SHA2564cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
Filesize
224B
MD5802940544c9e757c5037bb772d09737f
SHA15261d9c41a7182e736393973442f4859101ca0dc
SHA256231392980a2435248d62548331bb7c4142b5440387f419cb66f2449fca6ac0a2
SHA512e939c953ab91fe6a11365d3dd785f3c1c8cf384cf39a4ec58214d55edacd6307529454085e573a1bf286fc8173c0c4a53c1e4294591295f93620fd67d0d499ba
-
Filesize
1KB
MD5fa95a89e9d4c69775bde959fb56e51f7
SHA15913c717179663c85c68af6b3d00e3c2078c719f
SHA256bfd170ee10cfd6ca81e63196c356c89d1f11032e105c7e04238656b788c2a811
SHA512accc00c271f9db21c3c2d01b590d19e757e7349ab2abec78b86ac018f85699d8c15edd6eba24b7e572be0bc2fea705affc0dcec60ca05549bb68464f1295594c
-
Filesize
39B
MD5502984a8e7a0925ac8f79ef407382140
SHA10e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA5126c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
5KB
MD584e9754f45218a78242330abb7473ecb
SHA13794a5508df76d7f33bde4737eda47522f5c1fdd
SHA256a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835
SHA51232b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
8KB
MD515d4d5d8ad9ba7681f3f0035a513c958
SHA1a181ef9c31e5bdf0eae0f86b6ead928a02d7e551
SHA256900189b399ceb0ee848446af65c89aa5592111ebf03e75f03bea701837165012
SHA512496044303a357efea5b247ca208aeaa005737032b0356fff743a0850c7af4e4a6b93cb1910334512b0487f378fb45cdabe9ad25693b6bcf5321a0379238f6bd1
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
261KB
MD57d80230df68ccba871815d68f016c282
SHA1e10874c6108a26ceedfc84f50881824462b5b6b6
SHA256f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
SHA51264d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
321KB
MD5600e0dbaefc03f7bf50abb0def3fb465
SHA11b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA25661e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909