crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

17/03/2025, 11:12

250317-naszaa1qt4 4

17/03/2025, 11:05

250317-m62evs1pw2 10

17/03/2025, 11:00

250317-m3yvka1ny6 8

Analysis

max time kernel
323s
max time network
324s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
17/03/2025, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat darkcomet modiloader remcos revengerat guest1111 host defense_evasion discovery execution impact persistence ransomware rat rezer0 stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1111

193.242.166.48:1605

Mutex

DC_MUTEX-2QRLPN3

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
Rb5l52XcV9no
install
true
offline_keylogger
false
password
313131
persistence
true
reg_key
winupdater

rc4.plain

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b527-1568.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Modiloader family
modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/2700-2460-0x0000000005550000-0x0000000005578000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001a00000002b51b-30477.dat	revengerat

Contacts a large (1133) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2900	netsh.exe
7144	netsh.exe
6704	netsh.exe
36704	NetSh.exe

Sets file to hidden 1 TTPs 50 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
35852	attrib.exe
35868	attrib.exe
5816	attrib.exe
5352	attrib.exe
5072	attrib.exe
6640	attrib.exe
2868	attrib.exe
42508	attrib.exe
5108	attrib.exe
1808	attrib.exe
648	attrib.exe
3204	attrib.exe
2884	attrib.exe
4116	attrib.exe
3876	attrib.exe
2788	attrib.exe
6936	attrib.exe
2168	attrib.exe
6688	attrib.exe
6344	attrib.exe
34936	attrib.exe
4676	attrib.exe
6892	attrib.exe
1580	attrib.exe
6736	attrib.exe
4276	attrib.exe
5628	attrib.exe
5712	attrib.exe
3780	attrib.exe
3584	attrib.exe
1108	attrib.exe
2376	attrib.exe
6392	attrib.exe
6496	attrib.exe
2548	attrib.exe
4124	attrib.exe
6908	attrib.exe
4824	attrib.exe
1064	attrib.exe
6572	attrib.exe
1020	attrib.exe
5276	attrib.exe
6984	attrib.exe
6480	attrib.exe
12932	attrib.exe
1936	attrib.exe
5524	attrib.exe
34944	attrib.exe
35680	attrib.exe
35708	attrib.exe

Executes dropped EXE 6 IoCs

pid	Process
3004	msload.exe
2644	msload.exe
4832	winupdate.exe
5440	winupdate.exe
3576	winupdate.exe
656	winupdate.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\APPXPROVISIONING = "C:\\WINDOWS\\APPXPROVISIONING.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEVICEPAIRINGWIZARD = "C:\\WINDOWS\\DEVICEPAIRINGWIZARD.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\LoadManager = "c:\\windows\\system\\msload.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DMCMNUTILS = "C:\\WINDOWS\\DMCMNUTILS.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\DMCMNUTILS = "C:\\WINDOWS\\DMCMNUTILS.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ACXTRNAL = "C:\\WINDOWS\\ACXTRNAL.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D3D9 = "C:\\WINDOWS\\D3D9.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEVICEPAIRINGWIZARD = "C:\\WINDOWS\\DEVICEPAIRINGWIZARD.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winsrv = "c:\\windows\\system\\winsrv.exe"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ACXTRNAL = "C:\\WINDOWS\\ACXTRNAL.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\APPXPROVISIONING = "C:\\WINDOWS\\APPXPROVISIONING.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D3D10_1 = "C:\\WINDOWS\\D3D10_1.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scr = "c:\\windows\\system\\scr.scr"	Opaserv.l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MPREXE = "C:\\WINDOWS\\MPREXE.EXE"	Opaserv.l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
288	0.tcp.ngrok.io
314	drive.google.com
364	drive.google.com
461	0.tcp.ngrok.io

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File created	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	C:\WINDOWS\D3D9.EXE	Opaserv.l.exe
File created	C:\WINDOWS\DMCMNUTILS.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DMCMNUTILS.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\D3D10_1.EXE	Opaserv.l.exe
File created	C:\WINDOWS\D3D10_1.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE	Opaserv.l.exe
File opened for modification	C:\Windows\MSBIND.DLL	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File created	C:\WINDOWS\D3D9.EXE	Opaserv.l.exe
File created	C:\WINDOWS\APPXPROVISIONING.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	\??\c:\windows\system\scr.scr	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\ACXTRNAL.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File opened for modification	C:\WINDOWS\ACXTRNAL.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\msload.exe	msload.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	msload.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	Opaserv.l.exe
File created	C:\WINDOWS\DEVICEPAIRINGWIZARD.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\MPREXE.EXE	msload.exe
File opened for modification	\??\c:\windows\system\scr.scr	msload.exe
File created	C:\WINDOWS\MPREXE.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\DMCMNUTILS.EXE	Opaserv.l.exe
File created	C:\WINDOWS\ACXTRNAL.EXE	Opaserv.l.exe
File opened for modification	C:\WINDOWS\APPXPROVISIONING.EXE	Opaserv.l.exe
File opened for modification	\??\c:\windows\system\winsrv.exe	Opaserv.l.exe
File created	\??\c:\windows\system\msload.exe	Opaserv.l.exe
File opened for modification	C:\WINDOWS\APPXPROVISIONING.EXE	Opaserv.l.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opaserv.l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opaserv.l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3020	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 3 TTPs 5 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
36292	vssadmin.exe
36380	vssadmin.exe
36212	vssadmin.exe
33772	vssadmin.exe
36316	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866831385658437"	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{D7AD121A-A97C-4616-9AA2-9F482544006D}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{33AD5682-6A8A-4148-996F-251AC9E41C6D}	ChilledWindows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5980	reg.exe
5100	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3020	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
788	schtasks.exe
2056	schtasks.exe
21080	schtasks.exe
33432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe
6028	Opaserv.l.exe
6028	Opaserv.l.exe
2044	Opaserv.l.exe
2044	Opaserv.l.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5520	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	5520	ChilledWindows.exe
Token: 33	2404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2404	AUDIODG.EXE
Token: SeShutdownPrivilege	5520	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	5520	ChilledWindows.exe
Token: SeShutdownPrivilege	5520	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	5520	ChilledWindows.exe
Token: SeDebugPrivilege	6028	Opaserv.l.exe
Token: SeDebugPrivilege	2044	Opaserv.l.exe
Token: SeDebugPrivilege	3004	msload.exe
Token: SeShutdownPrivilege	3004	msload.exe
Token: SeDebugPrivilege	2644	msload.exe
Token: SeShutdownPrivilege	2644	msload.exe
Token: SeIncreaseQuotaPrivilege	2608	Blackkomet.exe
Token: SeSecurityPrivilege	2608	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	2608	Blackkomet.exe
Token: SeLoadDriverPrivilege	2608	Blackkomet.exe
Token: SeSystemProfilePrivilege	2608	Blackkomet.exe
Token: SeSystemtimePrivilege	2608	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	2608	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	2608	Blackkomet.exe
Token: SeCreatePagefilePrivilege	2608	Blackkomet.exe
Token: SeBackupPrivilege	2608	Blackkomet.exe
Token: SeRestorePrivilege	2608	Blackkomet.exe
Token: SeShutdownPrivilege	2608	Blackkomet.exe
Token: SeDebugPrivilege	2608	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	2608	Blackkomet.exe
Token: SeChangeNotifyPrivilege	2608	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	2608	Blackkomet.exe
Token: SeUndockPrivilege	2608	Blackkomet.exe
Token: SeManageVolumePrivilege	2608	Blackkomet.exe
Token: SeImpersonatePrivilege	2608	Blackkomet.exe
Token: SeCreateGlobalPrivilege	2608	Blackkomet.exe
Token: 33	2608	Blackkomet.exe
Token: 34	2608	Blackkomet.exe
Token: 35	2608	Blackkomet.exe
Token: 36	2608	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	4832	winupdate.exe
Token: SeSecurityPrivilege	4832	winupdate.exe
Token: SeTakeOwnershipPrivilege	4832	winupdate.exe
Token: SeLoadDriverPrivilege	4832	winupdate.exe
Token: SeSystemProfilePrivilege	4832	winupdate.exe
Token: SeSystemtimePrivilege	4832	winupdate.exe
Token: SeProfSingleProcessPrivilege	4832	winupdate.exe
Token: SeIncBasePriorityPrivilege	4832	winupdate.exe
Token: SeCreatePagefilePrivilege	4832	winupdate.exe
Token: SeBackupPrivilege	4832	winupdate.exe
Token: SeRestorePrivilege	4832	winupdate.exe
Token: SeShutdownPrivilege	4832	winupdate.exe
Token: SeDebugPrivilege	4832	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4832	winupdate.exe
Token: SeChangeNotifyPrivilege	4832	winupdate.exe
Token: SeRemoteShutdownPrivilege	4832	winupdate.exe
Token: SeUndockPrivilege	4832	winupdate.exe
Token: SeManageVolumePrivilege	4832	winupdate.exe
Token: SeImpersonatePrivilege	4832	winupdate.exe
Token: SeCreateGlobalPrivilege	4832	winupdate.exe
Token: 33	4832	winupdate.exe
Token: 34	4832	winupdate.exe
Token: 35	4832	winupdate.exe
Token: 36	4832	winupdate.exe
Token: SeIncreaseQuotaPrivilege	5440	winupdate.exe
Token: SeSecurityPrivilege	5440	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3408	4592	msedge.exe	82
PID 4592 wrote to memory of 3408	4592	msedge.exe	82
PID 4592 wrote to memory of 4512	4592	msedge.exe	83
PID 4592 wrote to memory of 4512	4592	msedge.exe	83
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4908	4592	msedge.exe	84
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85
PID 4592 wrote to memory of 4972	4592	msedge.exe	85

Views/modifies file attributes 1 TTPs 50 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5524	attrib.exe
6908	attrib.exe
6984	attrib.exe
6480	attrib.exe
35708	attrib.exe
6736	attrib.exe
1808	attrib.exe
648	attrib.exe
5072	attrib.exe
6892	attrib.exe
1020	attrib.exe
5712	attrib.exe
42508	attrib.exe
5816	attrib.exe
2788	attrib.exe
3584	attrib.exe
2168	attrib.exe
3876	attrib.exe
1580	attrib.exe
1936	attrib.exe
4276	attrib.exe
3780	attrib.exe
12932	attrib.exe
34944	attrib.exe
35868	attrib.exe
4824	attrib.exe
4676	attrib.exe
3204	attrib.exe
6392	attrib.exe
6496	attrib.exe
2548	attrib.exe
2868	attrib.exe
5108	attrib.exe
1108	attrib.exe
5352	attrib.exe
2376	attrib.exe
6572	attrib.exe
5276	attrib.exe
35852	attrib.exe
1064	attrib.exe
6688	attrib.exe
6640	attrib.exe
5628	attrib.exe
35680	attrib.exe
2884	attrib.exe
4124	attrib.exe
6344	attrib.exe
34936	attrib.exe
4116	attrib.exe
6936	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x268,0x7ff9907bf208,0x7ff9907bf214,0x7ff9907bf220
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2172,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=2636 /prefetch:13
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3384,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:14
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4656,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:14
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5524,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:14
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:14
  2⤵
  PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1144
    3⤵
    PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:14
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6264,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3684,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6504 /prefetch:14
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6832,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:14
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3676,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:14
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=2716,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6740,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6936,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:14
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6904,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:14
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=7384,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5004,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7764,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7076,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=2492,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7712,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5944,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7272 /prefetch:14
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6108,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=1240 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7752,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:14
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2608,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:10
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,6860495926919791663,4465437032163285208,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:14
  2⤵
  PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5644

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
PID:5220

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:5280

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:484

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6028
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  PID:5412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5528
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4052
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1416
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5712
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108
- C:\WINDOWS\system\msload.exe
  C:\WINDOWS\system\msload.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:5012
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      System Location Discovery: System Language Discovery
      PID:4640
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2012
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:2008
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      System Location Discovery: System Language Discovery
      PID:1192
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5648
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\Opaserv.l.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
- C:\Windows\SysWOW64\NET.exe
  NET STOP NAVAPSVC
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3392
- C:\Windows\SysWOW64\NET.exe
  NET STOP PERSFW
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
- C:\Windows\SysWOW64\NET.exe
  NET STOP AVPCC
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP AVPCC
    3⤵
    PID:3840
- C:\Windows\SysWOW64\NET.exe
  NET STOP MCSHIELD
  2⤵
  - System Location Discovery: System Language Discovery
  PID:756
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3428
- C:\Windows\SysWOW64\NET.exe
  NET STOP SWEEPSRV.SYS
  2⤵
  - System Location Discovery: System Language Discovery
  PID:632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 STOP SWEEPSRV.SYS
    3⤵
    PID:2940
- C:\WINDOWS\system\msload.exe
  C:\WINDOWS\system\msload.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      System Location Discovery: System Language Discovery
      PID:1972
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:4596
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:3880
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:4352
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:3708
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:3888
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:868
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      System Location Discovery: System Language Discovery
      PID:3928
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4976
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      System Location Discovery: System Language Discovery
      PID:5956
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:5896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:1296
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:5336
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:5712
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:5540
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:340
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6408
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:3840
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3388
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:6448
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:6188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:6412
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:6212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:6520
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:6376
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:6232
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:656
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:3448
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:6664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:1296
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:6712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:3760
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:6900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:21576
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:8052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:42496
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:17472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:26820
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:18604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:21164
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:28940
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:30480
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:34980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:34152
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:34992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:35556
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:35012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:35572
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:35032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:35608
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:35052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:35624
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:35944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:36776
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:36164
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:37032
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:36148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:4956
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:36088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:36976
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:36044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:36820
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:39024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:39408
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:39052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:39392
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:38976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:39440
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:38948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:39532
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:38932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:39504
- - C:\Windows\SysWOW64\NET.exe
    NET STOP NAVAPSVC
    3⤵
    PID:40064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP NAVAPSVC
      4⤵
      PID:40864
- - C:\Windows\SysWOW64\NET.exe
    NET STOP PERSFW
    3⤵
    PID:40280
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP PERSFW
      4⤵
      PID:41232
- - C:\Windows\SysWOW64\NET.exe
    NET STOP AVPCC
    3⤵
    PID:40288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AVPCC
      4⤵
      PID:40852
- - C:\Windows\SysWOW64\NET.exe
    NET STOP MCSHIELD
    3⤵
    PID:40296
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP MCSHIELD
      4⤵
      PID:41208
- - C:\Windows\SysWOW64\NET.exe
    NET STOP SWEEPSRV.SYS
    3⤵
    PID:40328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP SWEEPSRV.SYS
      4⤵
      PID:41192

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Net-Worm\EternalRocks.exe"
1⤵
PID:2720

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2608
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5816
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4824
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1808
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4676
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5440
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:648
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      PID:3576
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3204
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3584
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5352
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1108
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1064
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4116
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6936
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2168
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6572
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3876
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1580
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6736
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1020
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5276
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4276
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4124
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2868
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6908
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3780
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6984
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:21020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:12932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:42508
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:34772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:34944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:34936
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:23224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:35680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:35708
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:35852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:35868
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:37280
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:38628
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:38384
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:38872
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:39968
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        
        PID:40128
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        32⤵
        
        PID:40892
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:5100

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:5732
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:5216

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:1656
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  PID:3396

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"
1⤵
PID:6852
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2900

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
PID:3452
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:6156
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3020
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:6320
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:5100
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:6368

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
PID:6496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:6772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3444
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\re5pq9pt.cmdline"
    3⤵
    PID:6808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC82E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95739464D94D420EA6DBB9BB6840F9D3.TMP"
      4⤵
      PID:33728
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    PID:33584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:33996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:34332
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yyadnul_.cmdline"
        5⤵
        
        PID:15268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq96bgul.cmdline"
        5⤵
        
        PID:40192
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D309C876F38414C818974BAB7CEE25E.TMP"
        6⤵
        
        PID:40488
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tr2sucnn.cmdline"
        5⤵
        
        PID:41240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD3405C3195E47E887E02790B67C85A.TMP"
        6⤵
        
        PID:40940
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mld8bicl.cmdline"
        5⤵
        
        PID:41328

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
PID:432
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  PID:2648

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
PID:2700
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1411.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2344

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
PID:1444
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1970.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1588

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
PID:6116
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1372
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:30064
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:36212
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:31568
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:34456
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:33772
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:28772
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:33640

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"
1⤵
PID:3136
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  PID:7144
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:6704

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
1⤵
PID:1052
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  PID:6824
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:6568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:20772
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3154147355 && exit"
    3⤵
    PID:29952
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3154147355 && exit"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:21080
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:28:00
    3⤵
    PID:20808
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 11:28:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:33432
- - C:\Windows\7C8F.tmp
    "C:\Windows\7C8F.tmp" \\.\pipe\{28443530-C48C-474F-87B2-D08814C04C47}
    3⤵
    PID:21044

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
1⤵
PID:7020
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  PID:20564

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
1⤵
PID:30024
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:36292
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:36316
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:36380
- C:\Windows\SYSTEM32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:36704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:34260

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\95da214eb0d1467281f9c60115609a0f /t 33648 /p 33640
1⤵
PID:27268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-B2A5D049.[[email protected]].ncov

Filesize
2.9MB

MD5
9aff4f21618c880675fce15b5ba2009e

SHA1
1d449339e326e3210bca82c6d684ededa64eb67b

SHA256
817cf767a682f684159605f758f1bb712f0aa53049ae757331c55f3dd3d00e18

SHA512
77fe01812f183e255a0d3615e475edb371e3ca761162eb4f60d4a8598ea68309430022fdcccabf07558299e55fbb2be1af222bcb96729576647270c3d1a75e9e

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
a0c3e1aca0335d2d3a6c16038a5e1feb

SHA1
865132ecfd8bc3781419e10a57ef33686d80f83f

SHA256
68e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072

SHA512
6b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
19a88bad99bffbae6102e191cfedd75b

SHA1
df476b325df883b73eda1b2349bab45aa22e808d

SHA256
0d576dfbde1712b7288e4561e3eea75ffdad84dc50a77ceb57a6e9c37d60465a

SHA512
9ec5eb487d8c8fc8e283a94bd43afd740edc4df6a4509d83629416d040586bd42330eb0da6dd41ec1e5550bce9a6643319ff8584f8638a9cde9042fa406825fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
d404dfbee988e9ebaccce464678e48d8

SHA1
1609bc90b67f2bb5a55d3b6ba43ea4d02cf5c26a

SHA256
35d9487e5d405d4d3786fdfd51ee68d5d6d94cc6733fc21269dba7275e471f81

SHA512
2064ccd38de22f238c790bcbce980b1aa9d33be49a0dfa57d6352f7de9168e16a7976de0f7e7262ddd4c483123bb9d4ed848ba31b82b06b8fda8c92e1c93fac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
c70d976f4ae975d605648d642cfc155d

SHA1
0d609ddb34b0fb32771596ebf1b131762df1ec54

SHA256
d3f7b8aed2e0805754644b92c67726b7d9868d1e4173ac411cb7e99dfb9b600f

SHA512
b084088baddb2844813eaca54d012045ab9e667e299b1eabb6a225f8dceea69e9978ab94e66eac82333492190b1de86b408d5585d4cc600b5a46b869ef071e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5813c2.TMP

Filesize
3KB

MD5
ca33c8c80006fec55fdbbc056db6a7ea

SHA1
e9e5a98a043530a44cec1867baba15423c4d8900

SHA256
e0d9fce17da7fa86c91dc268edf494fedbed3285937c1c3f7aa3d157a4e11351

SHA512
95c990236c628ce50a7402ee11078e5e04e9ac91a3b2eb755d86a0a420d56003cc970d0b2de8d9f4f2bff2c331e11c3da582d6e0f0bee0d0896ee62d9342cec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
33KB

MD5
b563c92688a1de9fc95771d756a50fbb

SHA1
6d775b34fd46e572946f895daa28d92a39131869

SHA256
2d8cc738fc97774c0d42b0dd8f1b048073f705174c19021dc00ac74137b9afae

SHA512
cc34db3761fd2603071f8631e80f84e329e3a622bf6b58060a1ab2099d8c6ce08272c0c0e5ea53035748b0d424365f75f6053cccfe5e70aca3ca3ed71e2268a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\LOG.old

Filesize
345B

MD5
fa7859f37818b7b5bc5b79d346a8440b

SHA1
2a8e2f3ef81f14d9933ca60a9a3c4b9ac99bcf3f

SHA256
7fcda60521e3dcd8b8f0c6dfb70e5b4d1569e7903a3262d71e2d16331c53ad43

SHA512
9a0b8099c6cf014ae8f04dd73f44b7bd56560e2480a35336aca5defe72b3c489e782a7d374f3d2c469683312015676ae6671b0ff4ea22e0727a28ec65b94c453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f1cfffd044b155b2b9cc2f39620212be

SHA1
82517c1d531f3007692130382416899d12c75509

SHA256
6c16d01c5a0b403fdcfd1b31c83fca8a3a26f52f24018c52b9a674be6d840fdc

SHA512
fbdc0bbed24f58ec6782ec66d7bf6834952788f41710d1d763605e90d7eceb7c04ccc0b9e0b07b4ccb6982642d04725ee67b063e3e77c15feb9b62050f87f930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d931fd1cb67daff1b05cb01d00eb167c

SHA1
68690e8c5561fa9f396a3b1ec3960814a976605e

SHA256
6c088357d26d2ad951d5034c3d35e51656ef1b93330bffb8fc6c778249736413

SHA512
3a74f8a35469e2aa04d59fbb9421405bda823be3db887fa8084a884a8688223b9345a0ffd8e4352504225552754f5db8a66a05381d64e8af69a6cb7d4fefc6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
5584ddbee4baa80e36b23173e439f499

SHA1
00a40cfdc64938933e46a6bc3a5184b403826b35

SHA256
ecfc3b0137f985fd9791f6b92b662dddced54c57cff87aaf2fb947f7e05477f0

SHA512
0315c2e7e855f1e1d0ecae1aeecf3f283a3bd3685e484e3b72dd77ebecfaed30a8e55bcae72e540c4064be8b97813368fe7287ebb28cf5ee12e99a860e0beb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
c26f021a2bf1556c80accd9fbdd96e12

SHA1
684946e287e731b25335ff93642d57eac5966d92

SHA256
9a3129624056ef90468e6aefd47105b3d391aa5c5749b47aa89b0f658c95c45a

SHA512
5f5fcb8a36f5e27f86a8b236ce4ab1666fab3162d153f5c5f971c82aeb61b8d40c8ee1385c75bbb671911f72d466b0fa7c83d0781e1c8b36033650b80d48ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
1d80ce65686c0e1ccb0540c763fdcbc5

SHA1
232b743387b3e55878c13089defa725d118f0bba

SHA256
47c23cae81484cc63ec0c196e72dbb816a65207c4c2cf87e12d40ebc912390f3

SHA512
81018fa1e65339dc1242c2aff157c9cc4acbb8411a970292475887d0aef4b22817bacb1ba147f839c30df29ac6464093fd7dae51ef74ac787968aa9484159bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
ab76f2f68315b1538599868eba666a3c

SHA1
37e6b05a28188106a3cd3f8a99c793d5f6181fbc

SHA256
3e9256e67dc490653807534600fac43dcc0a54e16f0d23481bea8a3bc215b7ec

SHA512
329ec1ca0582701d5afbf0e9b7dc8bb28187b8bca905ae99b5183aab943b50cd434373859870fa7274cb2d59a783c8cc96494492ea5c10df933031787a94ddbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
f81020a69350de103e0352384db380f8

SHA1
8abf6dc80492653c07e3eede30d5b8e3dadfc533

SHA256
b910775603103a5bc6150c2728f50cac33cd5a5e069679e8b1e830aa0fcc70e5

SHA512
06bffabf3821032dd5509d0c1e829b6cac106563b6d9f14cd78702077c30555b0ad42be23a49472f55c2efb957189485b76ef89ca3dcdc95e1ce712d74060a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\170ce29fd1bcbf73_0

Filesize
57KB

MD5
74a59b9e1c718a595ac0c5521949b93e

SHA1
d2a0199d99a764968e985f9ebb9bca5c256de775

SHA256
00bd8f9938ef372f815ac1fee5428cfd12c382606258ff1ed32395df53b79c0f

SHA512
663c2124fbe963fa4fb64bbd17c8f0ac93712f926803bbdddda43b5881bc80085d1548b9e3d970c862175110984f11144ba2f5eeb62b90867270ab22a6c54d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\index-dir\the-real-index

Filesize
72B

MD5
cc590647fc867b451c10f9fbe494f11e

SHA1
acb6a2b7146811cbfdffeaf1e09bf508f7e534f1

SHA256
9c24b122f86b037d88203b3d707e2b6314da3b7b1e28caa9a7490ce2557c165c

SHA512
5285de01d0c72a50e399608543bb3fa831130ec8431874cb11440fd6f8e3f268b393efb6ef46d92d8e1d4fcc5d2fda1ac3419ccf68cf4c1daec25329f8d013be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index

Filesize
2KB

MD5
ca8c2c6b68f9b588dfa42bcc5fca7276

SHA1
22ea0fad412e4c9cbdce9892d9404785c0e64769

SHA256
b3021950c7de1f594f86da2dca240700487f1fd701ee1239ff2fad43ca742ef7

SHA512
ae831f3bf386ab9ef2e18a849efc77a5958f014e81f9fcddbaafc3edcf067beaf148edcf5da5b9583eeb4a5072b1287777d7291e149491640ae750b833366a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index

Filesize
2KB

MD5
885035eda2d505c8b641b81d13312b55

SHA1
dee12740f68cfad9727d7e41da6b53a259abc2b4

SHA256
1deed47f891ac959b44d347db8a48e8c6d5e9c80d9fcc7cedd4ebc2c0480060e

SHA512
5483752af5d3dfc081de54cd513d28507d25bbab4b9b50952b3479df9bfd3b095ac788d8f33f90182530e9acdb40732bb142adceeddbc517eb723c21ce70ff42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index

Filesize
72B

MD5
784e347b9fcf818f61e4c4c5ff0eaa91

SHA1
4d542c35d322e85c75acf02481d8ce9877d5c01f

SHA256
295602b18715343936934ce8e950351b248cb7b9be8f9aaa0e257ded33484833

SHA512
f4966442bd0c2824bff4c5fdcf6f524c1754092a9bcc6c0c122a0b1a39d250a2b4e88aadcaed497ca8cd57f968818f22ff0f2619df5fd0e8b1fe64555b9b6085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index~RFe589313.TMP

Filesize
72B

MD5
8f88645bc4cd269aede85ad09fecc7be

SHA1
0c9533ad6b5809c1df55f88878314ed33decf1af

SHA256
0f480c87d15a3f0ef3433628a4a712c658321e07389648ed7be4637fe9cb5c03

SHA512
1dac2549ff0e4a3e8ea173463b1d431a447fe3ea7bb12d9b3fde5cc1c33f99b375190622e10b1cf69e3e3a7141ad967546661d7a21e5b73e9e32fb6f20001df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f36e08ac-138c-4223-aa0c-bbc9e3e734e9\index-dir\the-real-index

Filesize
96B

MD5
a48d1dcf374f7e3a11b7abcf3fded727

SHA1
fa9bae9d89f312ec4915278c00eb3d486c1943d9

SHA256
2928f0780079a094afca267fa40906c208f49c6278b170daa35cdd75fcdad939

SHA512
cfd902629f33945cf84b223b9b4ef0be143658587a36ed5977ba650e8dbd065ecb74cb1e744641d3df7d3959ba1228e71bbe48a4e2fcf0dc5e73bfc34ca3ae5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f36e08ac-138c-4223-aa0c-bbc9e3e734e9\index-dir\the-real-index~RFe58b021.TMP

Filesize
48B

MD5
abd00f99134fabe0f9ed1f8558836f96

SHA1
f409de6f76b1fb701576a0fa0701582e61055e14

SHA256
464c6d5e101ebfc817c5e113cd8a0334c58b844701ff3175766141f1563556cf

SHA512
11f8d6e9f6688110d2ae209d4605c1bc417156b58e500514866a4092327a530a149d10e930289bbb652bd59f83eede94c87f5462e498e770227103da990b9a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
2da4246210b575fe1be6977da8b5db68

SHA1
144892b05b7e23a6747efa397d8437f76615dacb

SHA256
c697cf5e177905f4e6cba49cd34baed0e718e243dd1cdf3f2b2b8e5f248dc9ea

SHA512
496d0eda892e3ea328c5fc02c3056c9848c4188d0fea49c13cf874c339ff9c14ac707bd77f3c6c3d4af61945370b60bf0bf55a435757d4bed7a87746225ea4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
2b2858a7cce4286d788e4fd08f5dffab

SHA1
848d6e372d853235e7d1df212b1e36e21cfb6303

SHA256
8d10a370f577ae59f0da8476127ef778e861188625988aa34fc4d8e596b3b572

SHA512
b641b8d8d12b989b238c590406d123a0a744197bfb10f0824418951de9d16f13482a6ac35ac2e3357b90216f98d4f3705fc91e88e58dd356d20753b387f70087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
81b87549ee3cb76f2fe11a37299844aa

SHA1
8b14bef38b5341b5c3cf75d9546cbb00605cacaa

SHA256
d310207bb328bcf180f5f2b9ca30c3b06262f87b714b535944ca1ccb59ccb610

SHA512
0abb6b1b0ab5525fc001f6492d9fc0c6b0c49640c7fd8f5e7436b71bfe3f1379d6ef4b02489b6c9ea227ba10f7f28ebfa67b7d4e46d5b36a060b4cfb52df7567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a246.TMP

Filesize
72B

MD5
839b3d56310f6a44d38f931e992eeb80

SHA1
a42c449203e7c9392573b7811c37fbdd2c262315

SHA256
60a5241a438eff61242a5e6aabfab6a05a2d40122d68b91ce242d442b7a6a637

SHA512
43bebcd3755576d55d427677a0bafcbb96f096255ed6ad35815357b488b1f3f1d038004c394bc49ace32b71d2455a52a8208ae8f7e184896869083819dd5ff8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
9b6626a4d415e1dc2a6a4f8973e59353

SHA1
e5e0132ae69951e0b51c422aaae1ee4fba0b22cf

SHA256
ed441fabb4f1a486fbffaaed0793be933a94812006ea1fc886934de27d8255fd

SHA512
fb16791e9968f2bf187d07b0bc671fb5ebafbedf1a54dc119317a4876a67c1c5749749e153acd526de95aba1af5cb1f093c0c010b52a51c6d042a4876bdab6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
d86ad683794d7ebd96f15a4dd8dbef75

SHA1
190f1345143985997afd55a560184f332c20ef7f

SHA256
4568cf805fa36fa1c85838cc2329d795f01d3b3dbd3962a59ef3e85666ee6577

SHA512
fb52360427bd96edaad8ca3e81cdd52865bf14df08d8f11c63eac1dac9fca098f50d153bd2344387c7de3426f92a2fa7b1b634567e5126e161d12610bd23d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
38b6aca7115ddeeca2f06ea10c154a0e

SHA1
d09881285dd109951047c8799703fdc0283c22e0

SHA256
811d1d17fa7b03821947d0f2505ebcea669bb320f2d2d34e7ff0c524a2dbbdd4

SHA512
d7238584632c42e64637418b6074ab5a693bc6815df3d6765889375f4dfe629cbdc7fe26c57dd6a50cef2eb198442b31b9d3a124268e3e2eec37fe81c541badb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
1b7f8bdb6453290b9fe38b6634800d9d

SHA1
f0c6c9818eb17d21162c793592a2672ac6c72dc2

SHA256
e2aec6dadbe323016baf8057968113d29935d293b2ba4fb14b928884ba6912eb

SHA512
97e886c2fb947d9118138a434dbb6ebeffaf589ee66f1d135438e85e35f633dbb3778c1b61dc09dcdb090bb6154f92cb07dfbac017c0b97f30c2812c565d4b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
d1fd7b3cba9161739dd2c4b8e22d9842

SHA1
a7091880c69700bdc5b862d7899432df56ddd89b

SHA256
63d7682dca5ab0ae6e9ba999c0b92d3358d3f6747eb3fd54c5a4e6f6669d31ee

SHA512
83e9820ed86a243fb52a647c90986eec52120ec558938038d939166caadd59ae46b1ec928eef4d8979e7d445244e26a3f33588df0845005cd21981302c3e89df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
f44397a2c5465d6521639c8448a79b90

SHA1
befcba499d947ec9d75c5a4b178b4ba4333dffca

SHA256
e07d7295f56bd95eb2a15bff7a4f599680fe857d6d6587be20d4b29c1c4c78f6

SHA512
58178a7fe6da0ffaf99f360e3b36a82b9f439f42eec839611d961c84e5ed6c5057e8d45e8a8af24ed2ccd7e186ad6dbdb94f2248e004e436f63830a379b99e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
d48600f8b47792644d8e6bcbb21988e7

SHA1
748c6aa6dec32081172bbd7155a30e3874a96932

SHA256
2c95da2f3876e62bf321360f4a50fb3fff1d15963e4170f9aad46772008fcb95

SHA512
e3ad0bb8bc4d9db0ffddbdf2161a6ce454a3e2cee8e3df446babe7f7b868ca435f4b425b44c974a8976f7c60e43de14e7f6631686a26a6379040a9f280aa5a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
fb049c9f70bfbcbf70ffcf007b954a8a

SHA1
f092d4ecaea53f1768eb312d8fa0536bc480b496

SHA256
ab76ffec594b6c10288b7d53bdc291049c908a4739df6958838ac5c132013dcb

SHA512
9412af89ccc144f9c76ff3e2c157abe645c01da63780c2a7ec3ce2881bff97354e2551b1d8e33a27b1108ec61b329448a5d6c8d6d5d48ee22c9985b31d6d2487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f1ae41d59d2edbbda2d0423c51fc8ee0

SHA1
c1262fa2af057f9645e95852522a73e795656c41

SHA256
17c2f477b431ba36b7247fd6c297415d7549a3910e3bc2c27c09dcc04a11f861

SHA512
9baa5c8a7f0f984c823483d31dce64d59498d574855f31129b9a293963496c8d92209e8bcfc181d7165624da3b274ef798846b5bc2f87eab41a3f9bdcc23c3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
963f1470ee832f193a45b0a5d6827ebb

SHA1
804e2fc663f6f42ed089fa6aa5b79b10b118d924

SHA256
71fa805ace1fdc0c23f224ac23fa7ab9bae79dfdf2e4c50f2146203e01fa23c5

SHA512
b42e95187032285dfd0b8c03f8c0dc6c8c67dcf4b47e95fd8f49b9d5327f32dd03642fc77e1db6be7e82bd1dec1d61c6d2cd4ec76668c32657da7756ee3a0ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58506d.TMP

Filesize
392B

MD5
514dcc31cffe7dd7e96a3fec48da302d

SHA1
418821b1223d8aa1571ec9be1daa1fee05ed63ea

SHA256
7fe00291b685a2ef05fdc9745cce14763aab651e8ea8c82cbf981f6c09196d5f

SHA512
e694e62ec4c614fe2222b0a6f0f601b93d2be756577bb304d93fd7771b790842379b8225bb58b4d9aff2f7a24cd0bde10428e6caeb14822f5ac161a1f6724164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
806a71699f2c6e71e7ffbea8f883676d

SHA1
c96b46fddef09ad4eeaad51c2ef3c45964451475

SHA256
6baf3690642eb580e1fdef84963c25145a66d7292b35c19a0107c533e995e8b1

SHA512
4b035012f41b8063b74c491949225803e2aa744a03ad2020bafa6cd9becd4ffb5b895b648299470b253b77ddbd2d90551964943a4961c4761f150c8fadd6df89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
187B

MD5
08d2e4a2d9e2c22025fc369cc551ca6c

SHA1
fbb518fd33cf1c752f762dc43d904cacad3aec00

SHA256
0e7dc72dce87f7448c7e65dfdae1ffebec653e4f066807a94993feb1039787bb

SHA512
92993473f027749718df243d6ac9480c1607cf908b3b01fc7dd92bd6afe4b8f3b0ae17c79fc75ed79c52cf79fc5f7bdc1814a4d132fd80202d80ba6539577686

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
91B

MD5
f169d4314eac558c126347c9c306a220

SHA1
03ac751a07b7347541dac5e0f254769aadbde0e4

SHA256
ccfec9a3c2f862abed746e5c40f37985053b1ebed048ad0452eaab6143b93969

SHA512
2ff8ce927e41fea9de98f7fc91e2d641f6342ffe3f154258c8d9b005fa09d094cff6587def01bee1cbb43b9191db067c3174c23c5916cb422c478c9ba537fecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1411.tmp

Filesize
1KB

MD5
071e6d059bcf44ea0400c3aba41a0170

SHA1
073e88139d49975f6596733b50f71aae28e3e996

SHA256
786225aa9671d4526dcb073daa4cc16eaf974f6284b1e5ca3f0e195c89f6cd4f

SHA512
5033302df0d75dd0cf86ab16896bd7e2ce39a1d41312053db40da63bad86a559e577023581aea65644fd46d783d9aa6b2c9640b36521dff9898697dda414e775

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Windows\DMCMNUTILS.EXE

Filesize
12KB

MD5
9a53cd6b36825e500254fca152e1193b

SHA1
d18642e2d45e8886abc6b0fc57f9624e4c7321c5

SHA256
c93d4fe28aac9d63003c10585d7db9b32950af33387e45f1cd35d3c5dc128f47

SHA512
c5de4f00198ab3d27a77ccb9e1ced649dbe1aef6d7f68b94832693825517d032aa8e21ccf95f952e726ef4b8540e7a0402373dec07e4dda2fc6b49db00246328

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
336B

MD5
8b450bdd9267ce9e0cdd99f6ebf88d13

SHA1
ca2516ef38cb2da276fd231b5802b8caf2caeea4

SHA256
d640bac8990c3b13b9b50909efc8170fc3a993cec4c9587475719b7f8387849c

SHA512
bae68adfe392a1c7595b1698041df2376d0c26033a34f3685a934bd5a77af149951ad9396452a92429a29665358a4d1bea0bbfb41de06bb925abf749b02cc696

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
412B

MD5
944436a88ea9107c06abfbaf6f8ec3f0

SHA1
b09c04af2e73be57bbcf7a55f892ee98f6b31cd0

SHA256
245d4746c7ec911a2bea81cd64f06e8bcbc09126f62d2fb52d271ccbf8f20620

SHA512
619d82a512cb036b9d97ce7494054f3c717e0720d61f21d094c3838b84717a535ebe9b7976cbcdd368363975c9714de3a61da6ac5292b10e635f7a794f5d83ed

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
455B

MD5
074dd70e8b517c2f0af0706d42f4da1c

SHA1
6ec4fed2d9691b4e226565a2e41bb48bdb3ef958

SHA256
79567368a2352c64a339303632bc598be81784f9e0618dabf3c9ce7ea9e16c77

SHA512
a755e7e44ac48a5453f4402539189a537eceeee5fd228acc9d89082800b42201f841bb7dd8be2103139836013d28d9d3e88d98fd1ec8f25cbd77d46d37f0e172

Download Submit
\??\c:\windows\system\winsrv.exe

Filesize
28KB

MD5
71c981d4f5316c3ad1deefe48fddb94a

SHA1
8e59bbdb29c4234bfcd0465bb6526154bd98b8e4

SHA256
de709dacac623c637448dc91f6dfd441a49c89372af2c53e2027e4af5310b95d

SHA512
e6ed88ce880e0bbb96995140df0999b1fb3bd45b3d0976e92f94be042d63b8f5030d346f3d24fbadd9822a98690a6d90ba000d9188b3946807fd77735c65c2b1

Download Submit
memory/432-2438-0x000000001D600000-0x000000001D910000-memory.dmp

Filesize
3.1MB

Download
memory/432-2437-0x000000001C690000-0x000000001C6DC000-memory.dmp

Filesize
304KB

Download
memory/484-1465-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/656-1535-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/1656-1572-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2044-1363-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2044-1382-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2608-1524-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2644-1474-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-2455-0x0000000000410000-0x0000000000466000-memory.dmp

Filesize
344KB

Download
memory/2700-2456-0x0000000005860000-0x0000000005E06000-memory.dmp

Filesize
5.6MB

Download
memory/2700-2457-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/2700-2460-0x0000000005550000-0x0000000005578000-memory.dmp

Filesize
160KB

Download
memory/2700-2459-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/2700-2458-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/2720-1467-0x000000001D910000-0x000000001D9AC000-memory.dmp

Filesize
624KB

Download
memory/2720-1466-0x000000001D360000-0x000000001D870000-memory.dmp

Filesize
5.1MB

Download
memory/2720-1389-0x000000001C130000-0x000000001C5FE000-memory.dmp

Filesize
4.8MB

Download
memory/2720-1468-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/2720-1388-0x000000001B610000-0x000000001BA3E000-memory.dmp

Filesize
4.2MB

Download
memory/3004-1386-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3004-1485-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3004-1490-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3396-1573-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3396-1574-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3472-1558-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3576-1533-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4832-1528-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5216-1571-0x00000239ADA30000-0x00000239AE344000-memory.dmp

Filesize
9.1MB

Download
memory/5220-1283-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5280-1390-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5440-1530-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/5520-1298-0x000000001CE30000-0x000000001CE3E000-memory.dmp

Filesize
56KB

Download
memory/5520-1284-0x0000000000EA0000-0x0000000001304000-memory.dmp

Filesize
4.4MB

Download
memory/5520-1296-0x000000001C7B0000-0x000000001C7B8000-memory.dmp

Filesize
32KB

Download
memory/5520-1297-0x000000001CE60000-0x000000001CE98000-memory.dmp

Filesize
224KB

Download
memory/5732-1536-0x000001AB545C0000-0x000001AB545DE000-memory.dmp

Filesize
120KB

Download
memory/6028-1347-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6028-1489-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6028-1484-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6028-1469-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6116-2495-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6496-2430-0x000000001B6D0000-0x000000001B776000-memory.dmp

Filesize
664KB

Download
memory/6496-2431-0x000000001C240000-0x000000001C2A2000-memory.dmp

Filesize
392KB

Download
memory/30024-8684-0x000002EE63210000-0x000002EE64204000-memory.dmp

Filesize
16.0MB

Download
memory/30024-30504-0x000002EE7E980000-0x000002EE7FF0E000-memory.dmp

Filesize
21.6MB

Download