crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Analysis

max time kernel
434s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 17:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

Score

10^/10

crimsonrat modiloader revengerat credential_access defense_evasion discovery persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f00000002ba50-5726.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001700000002ba61-5913.dat	revengerat

Disables Task Manager via registry modification
defense_evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 2 IoCs

pid	Process
6860	dlrarhsiva.exe
696	Server.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Y:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
76	drive.google.com
78	drive.google.com
80	0.tcp.ngrok.io

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Control Panel\Desktop\Wallpaper	000.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5208 set thread context of 5408	5208	RevengeRAT.exe	119
PID 5408 set thread context of 1692	5408	RegSvcs.exe	120

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1216	4760	WerFault.exe	93
3772	6912	WerFault.exe	147
2364	6912	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curfun.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
6996	taskkill.exe
6272	taskkill.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1736937623-2710279395-1526620350-1000\{E257697A-3492-4991-AC2D-C3EE83833809}	ChilledWindows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1736937623-2710279395-1526620350-1000\{49185B7A-0ACC-4F5C-92ED-AC3DF3B44494}	000.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5792	WindowsUpdate.exe
5792	WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeShutdownPrivilege	3424	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3424	ChilledWindows.exe
Token: 33	4228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4228	AUDIODG.EXE
Token: SeShutdownPrivilege	3424	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3424	ChilledWindows.exe
Token: SeShutdownPrivilege	3424	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3424	ChilledWindows.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	5208	RevengeRAT.exe
Token: SeDebugPrivilege	5408	RegSvcs.exe
Token: SeDebugPrivilege	6272	taskkill.exe
Token: SeShutdownPrivilege	6912	000.exe
Token: SeCreatePagefilePrivilege	6912	000.exe
Token: SeShutdownPrivilege	6912	000.exe
Token: SeCreatePagefilePrivilege	6912	000.exe
Token: SeShutdownPrivilege	6912	000.exe
Token: SeCreatePagefilePrivilege	6912	000.exe
Token: SeDebugPrivilege	6996	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeSecurityPrivilege	5488	WMIC.exe
Token: SeTakeOwnershipPrivilege	5488	WMIC.exe
Token: SeLoadDriverPrivilege	5488	WMIC.exe
Token: SeSystemProfilePrivilege	5488	WMIC.exe
Token: SeSystemtimePrivilege	5488	WMIC.exe
Token: SeProfSingleProcessPrivilege	5488	WMIC.exe
Token: SeIncBasePriorityPrivilege	5488	WMIC.exe
Token: SeCreatePagefilePrivilege	5488	WMIC.exe
Token: SeBackupPrivilege	5488	WMIC.exe
Token: SeRestorePrivilege	5488	WMIC.exe
Token: SeShutdownPrivilege	5488	WMIC.exe
Token: SeDebugPrivilege	5488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5488	WMIC.exe
Token: SeRemoteShutdownPrivilege	5488	WMIC.exe
Token: SeUndockPrivilege	5488	WMIC.exe
Token: SeManageVolumePrivilege	5488	WMIC.exe
Token: 33	5488	WMIC.exe
Token: 34	5488	WMIC.exe
Token: 35	5488	WMIC.exe
Token: 36	5488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeSecurityPrivilege	5488	WMIC.exe
Token: SeTakeOwnershipPrivilege	5488	WMIC.exe
Token: SeLoadDriverPrivilege	5488	WMIC.exe
Token: SeSystemProfilePrivilege	5488	WMIC.exe
Token: SeSystemtimePrivilege	5488	WMIC.exe
Token: SeProfSingleProcessPrivilege	5488	WMIC.exe
Token: SeIncBasePriorityPrivilege	5488	WMIC.exe
Token: SeCreatePagefilePrivilege	5488	WMIC.exe
Token: SeBackupPrivilege	5488	WMIC.exe
Token: SeRestorePrivilege	5488	WMIC.exe
Token: SeShutdownPrivilege	5488	WMIC.exe
Token: SeDebugPrivilege	5488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5488	WMIC.exe
Token: SeRemoteShutdownPrivilege	5488	WMIC.exe
Token: SeUndockPrivilege	5488	WMIC.exe
Token: SeManageVolumePrivilege	5488	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
3424	ChilledWindows.exe
4392	Avoid.exe
5792	WindowsUpdate.exe
5792	WindowsUpdate.exe
5792	WindowsUpdate.exe
7056	VanToM-Rat.bat
696	Server.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5792	WindowsUpdate.exe
5792	WindowsUpdate.exe
5792	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
5712	AgentTesla.exe
7056	VanToM-Rat.bat
696	Server.exe
6912	000.exe
6912	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 812 wrote to memory of 4360	812	firefox.exe	80
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 4224	4360	firefox.exe	82
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83
PID 4360 wrote to memory of 576	4360	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan"
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
  2⤵
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27097 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2064 -initialChannelId {cb43919c-6d85-4016-99ab-89ed2166e396} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2408 -prefsLen 27133 -prefMapHandle 2424 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {667f93a8-2d69-4b87-a13f-2bab6450832e} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3976 -prefsLen 25213 -prefMapHandle 3980 -prefMapSize 270279 -jsInitHandle 3984 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3992 -initialChannelId {abe5718f-1d0b-4556-ad21-daa611454f76} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4204 -prefsLen 27323 -prefMapHandle 4208 -prefMapSize 270279 -ipcHandle 4276 -initialChannelId {4bf6dda0-d41a-4508-af3e-3f246b131c17} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1660 -prefsLen 34822 -prefMapHandle 1680 -prefMapSize 270279 -jsInitHandle 1336 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2644 -initialChannelId {95c3a7a9-4840-4de8-84ce-50c6e6cef06d} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5064 -prefsLen 35010 -prefMapHandle 5068 -prefMapSize 270279 -ipcHandle 5076 -initialChannelId {becbf0d2-7b3f-46ae-8950-1349baa7ddc4} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5724 -prefsLen 32952 -prefMapHandle 5712 -prefMapSize 270279 -jsInitHandle 2848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2880 -initialChannelId {39c8f8b8-61ee-494a-9a8e-ea7308deecad} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:1836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5712 -prefsLen 32952 -prefMapHandle 5844 -prefMapSize 270279 -jsInitHandle 5860 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5868 -initialChannelId {da5d7123-43e5-4dda-845b-51995bc61f7e} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6036 -prefsLen 32952 -prefMapHandle 6040 -prefMapSize 270279 -jsInitHandle 6044 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6052 -initialChannelId {e8a0a90e-702c-4a17-8487-f7a55c643e8d} -parentPid 4360 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4360" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:812

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1456
  2⤵
  - Program crash
  PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
1⤵
PID:1672

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4392

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
1⤵
PID:5260

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2896

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1008

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:200

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5792

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5712

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5720

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5520
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5936

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:6604
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:6860

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:7056
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:696

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oe8mbkdn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60E7E82F6B7E4017A2768DDC9EE01DDB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxldtxzk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9703.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210751CADBB34CA6958228F6ADA0F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s7sjnlhj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9751.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc240AB652445B45299112EC106BF793BD.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_m9wo7qw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8857444119A94BBA87B8C8AA76C2AF46.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2xhjeet.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BEEEA9CD2C441D489D8679E4195656.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7c3ubzvk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES985B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1D97366D264411EB12A6CE9DB2942.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azjr4sqs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC14B7A0DE6D3498289D861C44CBEFA4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akehvyw4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9916.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4E2016A370D4E75912197C0228E3F8.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6240

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6552

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5488
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6188
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1852
  2⤵
  - Program crash
  PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 3864
  2⤵
  - Program crash
  PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6912 -ip 6912
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6912 -ip 6912
1⤵
PID:3608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ec055 /state1:0x41c64e6d
1⤵
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
7KB

MD5
77508eac550eba82cdfc8fd6bf7e7880

SHA1
2d2a15cf7a2af768f52dafc6258d0baa351673d2

SHA256
c9a05bf799435193bf4b80798a013f1c12edbfeb7e453bbf68a7085b569c13db

SHA512
7d7a220d5f1d55415a1dfa6e963829af7ca50218794957fa9454b75ef655c6bb72282520b81b9c5b101ad6fe2bb15a7a0b8d454688acbb9c906fc0361b13790e

Download Submit
C:\78bbea877dc60175d2.exe

Filesize
8KB

MD5
fd09d4c2cf0bccd4a44c2cce4d0d8eae

SHA1
3c755be913b11f6730b0a26a8011d75946a495c7

SHA256
25563966bef6dd5fb677668f724b900199f9eaead98a32ee81175319a13887b5

SHA512
5314bc317e01f6702eef2647e37fe64d1cb648de61d7595770d1a408ef3e19aefa0f80a3e622102372e1bc1ccf44125c51f6d3de42bec4e2b5de03cbf814f76b

Download Submit
C:\915b1285dd3372c1280c.exe

Filesize
8KB

MD5
19e2ffe3d3e35a370fe278b35f6caadb

SHA1
ed2a687261b1603d9e251c7e0469b33063ca199d

SHA256
735ecf0874cc5ef7df6cf4d834e10c00199de15eb82d25c3e4390e5908b6f0fe

SHA512
5a4e1a8b1e750f6006a1d25a2832b61e14866526e6e51ba6af0fe1a138d9867a5ad8b747d3057656cf1d3da08bdf35aa8b847fc1b51d67d86572e3a15de5c479

Download Submit
C:\Documents and Settings.exe

Filesize
8KB

MD5
948c76a135ebe7bc0f7193c104501c81

SHA1
3838895bb9dbf8e30f1e39e710ffe941e069efca

SHA256
b1025d5529ddfd9aa28e8241649883fce1280d07167e580fe225c6cef797fc85

SHA512
f37bd5b21078ea6b9ea09fea04b06aa5e4197d6f19f080c699896b035b40de95d8ced6b86da839da0142e4978d427980188cff6577e33971df58c440e786f7d4

Download Submit
C:\PerfLogs.exe

Filesize
7KB

MD5
b7af64ea3df8364e2188129ae86f68cf

SHA1
7321af88dc5f3fb0c01ed41ed84588fdd54ae785

SHA256
4b21ec7b7a6ffdc6caf8211b267a5725bac70ba7e2760e5b70b575e06f93c904

SHA512
0840f8e5b8e799653cf05d34ec779dcae1fe30f4b2eb584d799a3e75dc582a52ee98a159d96856b20f5a4883bb734f7f44de7f68c06a5edf6710830f62306761

Download Submit
C:\Program Files (x86).exe

Filesize
8KB

MD5
8f55ef6b8395c8b14568c4805eeae2cd

SHA1
0880833d626aa8b55c955bb7901674bb3f2266ea

SHA256
f092d8fdde4d6e39180f4d3937978ccc187efd507420ad1fca9c4000ad23634e

SHA512
763b92774d61fb3e7e350b5153c8ee2d208a47f99945d1c05597af0dd30a0cc23da6cdff38d3ec5c3a963032a61d4b88aad04dd17ef4f463c8944cc90c278ad5

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
1e6c4b32205b72a32786ffcf143ffaed

SHA1
7a99df34d2d7d17e2e01272cd084fdae505bc8b0

SHA256
84a41ba1d0f60c4097dd6921ea73781140c40c14a1872d4aa1872046203e6872

SHA512
49ad851721e811be4b360819eaf55b5a1f572c536fcd86692c05533fa62e91efcf218ad60fa54ce5fc5bc476b04dae78c8ce59c22c7c1448980d430e288ab7f7

Download Submit
C:\Recovery.exe

Filesize
7KB

MD5
733889df6f781ffeac8ab55243d3bbe9

SHA1
afd2c63abd2d531d41f48d63df6c3e981caf7be5

SHA256
3c0769191067237a7b0e445e0734c80ed52e9cbeaa0ea42caef99510a552eabe

SHA512
392ff8f70ef991363540a084b465f62c31b53bf72832b1d88b7160bd5b3395287e3c26fb912bcb4819024ad07b594fd3b634be6a0b57a90b303dfceebc37880c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
768KB

MD5
b8b889ef3eb86299648c764b1d53edbf

SHA1
9c3f7acf43a5a9d2ed6da27e1d25f9d111232b50

SHA256
26cc4247944029e440074caa4c1aa7951359b4262fbabd2e4f612edc6de43d3b

SHA512
ec1d5a6b130c6dba20405a719b61686035f15ae9a9f0e12a4f8d94357c11792a5774b8c9dea47b25302bf84ede7f1f8d24086ed1a9918728db2d4853c1660923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
3bad1e9348b8dbd6f23e8f044d46f393

SHA1
5379950c591fd20dcdfa4e457a57568376eb5703

SHA256
88bfa5a1c50277d841a943ea6d9c83ffe6035dcf8f5b7a2933eca2a773f86b63

SHA512
564a3f2466c2a717f62b6aee65ce0322fcf325881ae0bc214d9f49689234c358f38f55d246ef39d5eea1de8933879e9b76ad78e889856f6803a8c6d10a6fd171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\activity-stream.contile.json

Filesize
4KB

MD5
b71adc26a75e3eed85e3c5f2a6a92f32

SHA1
b26e35878ab5cc2c8c8356febc18bf17ce39c908

SHA256
ecc77abef22e602002c4efe80633dac6bd5acfd561a5cdb43e69ebd3bdb698c6

SHA512
b9ca7d978a45f8ddb6b9aa32e435f97333fe4a2b5f5b19305d9f9083f4bb4250491882428ae3a8a4f8467df0a41b25cb577a467e53b96d27408c4f964110aea5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\1A2157BA1599155920C15A095C65B1B75A85E913

Filesize
48KB

MD5
dec997a656de115663a9f160195c761a

SHA1
9f0f613a0df8db774663f427852326aba8cc53e5

SHA256
a874939f8ad7169d5d69ebfa84cbe6d2aae0f06854940d791ceef4c322210d6b

SHA512
9289deb96cc2d6cc07b659f05591d51e617a6d678147e11e74d3f021f13453544729603f03370c0bcd80c80b216e8cd5e9931b298a33096357c108cd22c6da29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\553BE600135F84B60BFB5F983ECDBB2F558EBEBD

Filesize
32KB

MD5
467a97b8c66fdde2b6493498f4bfb851

SHA1
fac77a4ff1463a4efeae59cc62c66f8556f99fd0

SHA256
30a2ac1b3982a0b1f3e6efa53525c81e40314ac41860d87cd7d5385180e1c3de

SHA512
4588e5c60fa2961b831f812ed0d2d8a33dfd501f23fc99afa6d66b25b53b04d29c7abf6529f93913fac0afce5e695cca6477f9c0e2916594bffc302a2eed8abf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\BE955B72491F2A2CD832A3B6A41DF01F42E011C4

Filesize
12KB

MD5
19198223456d714200208815f1634578

SHA1
38e34bcfd3f7550c7e11ee9aa748f7f8f2311da1

SHA256
c08bf2360413e78e72f77fb0cc91fb8f188e60ebda1ae6281766740fe676a21c

SHA512
e8ef6fd8a07a592281f4839f4c54dda6fcbf1e8cbd23c9103c0dd981aa8a04790f084ec4b5fed41bc5fadde09e873c11c4b3628710ab441cad4063cc848db356

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\elm0v52z.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
d34bc4c17574ece17da79011c49f69c1

SHA1
6e9e499793a0e8c76fdea19a447581dc0aee8117

SHA256
f9293887d42582d6906dcafa5cf148068dc8dce3f68893c73ebac8b101540610

SHA512
77a5a8e25e09852a6f55dc6b03da82fcb855e97587acc852b5a73eab7cafea79da35524036b3ea5fa2a3992154f3c3079d36f2b983cb85fd88ab53c23ee506b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d91dac51-dbbb-423d-bf24-cfcad7a34261.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fa815a2-ea6b-4e2f-8f87-d156a891ec7e.zip

Filesize
3.6MB

MD5
0c2056e942d8aa56e7114a5e23c093cd

SHA1
a66baa86567ea453085e35bcde945937fafcdbd6

SHA256
196d16674153ec9d78d103e120266e2ea2bd83c0769411e2bc5143eea8e62184

SHA512
5ea2ca961e2f9e21ed93b36f8656497c044c94d95db6edb71aacde7a6d867271c27a932374b55e2cf754856455a0b3d8ec4c5e459bf853a3bef295ea76b09987

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c3ubzvk.0.vb

Filesize
349B

MD5
a983e17fe05ca4e0cb4b37cd05d31792

SHA1
cc91ff79215a350a6a1f2bb4f039d894198e8421

SHA256
76bd2ec98b0d41223725675ce1c055c6f926198151d1fdbe94198ceac68f3eef

SHA512
37400beb6ea1f6c93b7e74124db9a26c6f8ee21d60e4830100aeeba40c7f983d16031ef0e0001935ff3cf0f3392abcf2b88da8476a3ee1c73671abfd3df79ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c3ubzvk.cmdline

Filesize
205B

MD5
4ca441b1ed15b25c6f7339b6d43d9535

SHA1
5bf95bf4ef56d4ebe00f087091954705fb408838

SHA256
0bed190ef1764cc57ec28dd898b6963166e2f261d14595dd33db5dcdccb3b5e4

SHA512
4eb255ff808bbbaf8aa0a7e91ddfc11751e1d31dc182263972b7e89ded81f02187fb062be7f1204a6cef5de60abdf3edd4af5b99fb956100aafc5a3314512379

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES96A5.tmp

Filesize
2KB

MD5
987df8d26653ddb1f6d3c358deebd3b7

SHA1
0ca5d99a1c7f958336958af0bc8f045e060cbd66

SHA256
67ad53d48135351ea992124e0d963fc9839c9cd166b92733be17e452ec59ba3e

SHA512
9baa145c7f8561897b3482b82e6bc24af53dbf4dd6df5008fdce48155a990c79bb78cc44f4e55c1765079e8690b54f782b2059cb220f7a297a5c7af9a68680c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9703.tmp

Filesize
2KB

MD5
4546cf8efd6d0e8b28cf98614c1cd32c

SHA1
ae58cbb977374acd8c776d64674dca833d7003c3

SHA256
12b2577aa01390243a66c371ad7ee51fd3bb92cd20f74d7992cf041db498489c

SHA512
8dafe95462c8c124b86c73599358b3169f6cedae85202b9eb9221a5d21a06eaaf07e9cfa8876a9a84bbcdcb4882399a81f13b08a546492ea95e32119cb0d9e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9751.tmp

Filesize
2KB

MD5
9454e932a125132567f14da23d0c106c

SHA1
352ddc3af488fab7f54463e86c176d8718e2075f

SHA256
3780218fbbd05c96e7805090e6db9995918adc9fc7166266b030927460bf5b0d

SHA512
0bc19e9991baaa7e2672e5258bc9507191900a0afe51c619eea919c3519d9f2281a79d15620e8781ae152340fce7134e7e09e45849f97a4a034e645e6679be84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97AF.tmp

Filesize
2KB

MD5
4a6e57f13a3c58593d1ece6c296320e5

SHA1
7cb996b990723c52e8d4e4d994def9b25b039dd8

SHA256
4a12cb642890fb79d1d03900bd50adb962f7ca824a4937cb76f1d4cde070deed

SHA512
299efaad8236cc4474991a9ce8fb3ee4d39e693a7f193c20b911920a8f6a2cad595516dcd49de03f9cbb0521fce7d21f14c1dbf96b886c19825903a4bf108717

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES980C.tmp

Filesize
2KB

MD5
ce2bf4a3c5a6c7baca8810c2f6444d1e

SHA1
11b4e82f58af3a331565c3fc72ecc9ec7e363cfd

SHA256
3329cdd9d9252b91bf2a28b1059e5148484cdf5a82c9a7faa2b0fc5fad044932

SHA512
56338b4163d80beb0a084a09b6b3d050b4a7470cadcf0f94039219e648424cfacdcda405dc78cf7e9423766811de1f7489928424d3dc794c2d51bfa4d76e1d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES985B.tmp

Filesize
2KB

MD5
65ea34e4bb140973b80c449f63b97bef

SHA1
8007bddd43d66fdb17c17f577e0b452229c08705

SHA256
76ba35053bb29fac26f5b29b8693849eb149e5fdde3e5ccec2109b9603c1a693

SHA512
b660fba783dac755cd75144816cdef5f3d049d8828ba57466586d6ee75b36289c4ea30c27c582893aed618b7d333d196f0838992de1bdc8fb46a737ba86b0404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98B8.tmp

Filesize
2KB

MD5
1dbc50fcc095bcc8dc0187f0f3fecf1a

SHA1
3f4916f0dd1bff7d6ee42466f595765a5ba45fca

SHA256
9c6eb95f7369ed00ea506f720110c59a5ab78b60338f6037e5bddb4cf17981ad

SHA512
2479158011ff007741e542d80f90b96ae50419aa48e1820ea7281d1da6e125ed938811674e3e79f96ecf2e2eb84709983bb5704f7f41e4d96ec470ac90a09d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9916.tmp

Filesize
2KB

MD5
958bac6d1113369aeba5f9ecd3904c6b

SHA1
1723cb336058cfcb1b71aeceeff4848e0d7b42ab

SHA256
05a878f8ffa9cca81ddbdad1b104ced9bcbd1db51bc7303dddf104e7e3c930b4

SHA512
b3e74a06b5c8c2978aa91b5949c3a84aee3b0b2dae031bb2fdb973b0cafc4c476cc8d67f6134ef000dbc80ef8a6c9febd1aa20db6e4670ca400648d8dec27b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_m9wo7qw.0.vb

Filesize
352B

MD5
1830e137566529844ec4176432dbbabd

SHA1
34e0949bb3b0258f4b70cf50a1d78e124e0c62d9

SHA256
57f9e5ea5a7f49bdabb9bc2d1b36588e6a9a004e083a3a70c753cef82d032fcf

SHA512
63080864b35571e333f276865b639f8af805e1d5f6077b899db55b6bcf0f8026027989350d5051523c5cb58c4358a3ce5d7c26e990b08403cca223e41ace8468

Download Submit
C:\Users\Admin\AppData\Local\Temp\_m9wo7qw.cmdline

Filesize
208B

MD5
58cbb63afa8f1c9e0efc9c44a5e8f9a0

SHA1
973d9333ad68fe4d1c2e631d43cfd1d1f32c20da

SHA256
57851ae42cfd2ca63b9bcb9d15a94068b24d516811d0eef887969610bd03ccec

SHA512
a6d4284651e9d4f17f4edeb787fb1a91eaf965ab05d55ea495d95df41c8b060c6ac5d6bb14689304aaac59e276993ab788ff1e327c65dd0e159e1f1fa8e73480

Download Submit
C:\Users\Admin\AppData\Local\Temp\akehvyw4.0.vb

Filesize
342B

MD5
b8566f5519856f80dec85a1a2729e372

SHA1
ae442bcd0c97fed28f38b2ae224a93bfdf14dd13

SHA256
ec9f3959285c7493041f7cd7008620ba10b6685d670b21a2c31173fe9b215cde

SHA512
3da5378a33b77fae8cab09d72ec4c940e20bb8d736b7a4b91ee45211270719c12afaca3bac39683919e1cd76e80c310fb179a800592807495eac5a6350777d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\akehvyw4.cmdline

Filesize
198B

MD5
552a82bb8c7d089028c2c3b301a7216c

SHA1
20a06f89855d245b31765f6a717bfcac327e35f6

SHA256
a497f1fef69e5e627d6cd02d8969820750391633dde05272c757921ed9964f9c

SHA512
0af1ee6643d3593f59922a99d1c3508017534a879ab16a4a577126cb0ae25a74ec065a25d293053e59e23389c242cb03ee8c42416f6492bd7ac87c87889ddcc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\azjr4sqs.0.vb

Filesize
338B

MD5
2de37b6c25304214817c88f9ec6e9847

SHA1
74f77a317b1f9822d11094eb3fe1c71797bb878a

SHA256
a4f127dbaa96ba729d5e754624b76625e5ad68908185b2e1ffaf5c935ba7ce7a

SHA512
a8cd8899cd8498598b992c158bb01850888d86c50fdf754f2223ee27613eda3e9a29aa7530ff60b7156da5d4ab030482aba59413cb5a842e8122c8df679bb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\azjr4sqs.cmdline

Filesize
194B

MD5
ccd8a28e6adec55913a7ec6837d03663

SHA1
9c6edeaefd7e2bd7d6741a746131383de8dd0d14

SHA256
d93a54027d8c1939e0bd90d6641d86a122e50d2489713247f747410879bd868e

SHA512
c731abb926b04d7b82b6e95fd48c61a916c2695298227f05ca917d9cd9d243bb67858d598cd48b63e92d790860834cdc32ea743ba0c9e4fd44ab67afa1aab614

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2xhjeet.0.vb

Filesize
338B

MD5
7a354b496b9b397ebb14057eafede32f

SHA1
8970ca3895ca9472366e4fecc1f1d79ac1da78b8

SHA256
c12764cfd58a8df36d22008411f5054ab82256473817260f1d55069f04a083f8

SHA512
ccd8ebaf49e1d94610ac85571a5f3eec92eecb4e07f2138804dc4caf49137d03b30d69540c1a9ece6455539423b906a6c3c477b8496e93fbfce8c815836da5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2xhjeet.cmdline

Filesize
194B

MD5
fe982d5d1e929cc5fb4b6d35890369dc

SHA1
3742ac842ed9b17ea27aa4cca83ed7074069df02

SHA256
470bb61f7e33acd09bae8f6372c63f8ea05332bc67a203057507e4b829dfbad8

SHA512
353e9d343d2028d68077f64bb4b9423638f2a7d70c840a161b7e9b9b6a6169eb8ae249a2a91d0b8ef69dcf6f822ba4db7788347265e6532fe7848d058b2594d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
91B

MD5
f169d4314eac558c126347c9c306a220

SHA1
03ac751a07b7347541dac5e0f254769aadbde0e4

SHA256
ccfec9a3c2f862abed746e5c40f37985053b1ebed048ad0452eaab6143b93969

SHA512
2ff8ce927e41fea9de98f7fc91e2d641f6342ffe3f154258c8d9b005fa09d094cff6587def01bee1cbb43b9191db067c3174c23c5916cb422c478c9ba537fecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oe8mbkdn.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\oe8mbkdn.cmdline

Filesize
198B

MD5
52ece5b68cb4eb07be489a0f7462220c

SHA1
302bdc44d89c73a27915f317d6d552409186365d

SHA256
d3f4d7ff47b1bef9d86ee1661cb54e0be1c29a6a887f1cf806da44067aa319e4

SHA512
6ac13d830a67bfd8a2b1d402059303a465b072a8b7bcedee3f3da594a662a670367d89f22e67f391a095663152b4b32fdc1ed97dd1e6745244a54049b0e40cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxldtxzk.0.vb

Filesize
348B

MD5
0b018b95256d4516ab1ca957c1a1710a

SHA1
51f98465328a99a0e19bea4fe4d379c1efeacbea

SHA256
b687935d3a29cdcc7466dc507f8630ec0234f5ebb8bf31dbcf906f31fcbc8671

SHA512
d7a2f499ac6c4962bb6a30ff83e7230bdf11c3dd80612b7ab949132e4d5797a0c21bb6734b5b1750def36f95e817da183706a207d63264fe4e0b5c2c85f6e362

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxldtxzk.cmdline

Filesize
204B

MD5
7dc0b5fb1de6c13bf4b63f0dc0453f2e

SHA1
3aa730959a1a85fbec2d65dcb570f364821368f1

SHA256
ccd09e783c0e8e93a48777523b911355dae603203ba5b39a10600db395731978

SHA512
0a2d12358217bd422f8d47a49ccaeea986c005d47b5e6ad961218cc319ba40657841b190454f8afc141e972efd3a3107eb3215923ed6e6a8c67de30dd249736a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\s7sjnlhj.0.vb

Filesize
350B

MD5
fc8262c9544e892d1e9c08330412a2be

SHA1
5af2cb9816fa06e50a6a0705e86955ef943a8095

SHA256
4f4ef7658c9838625574f0538346b582e71a570d5b33ee74b3bfff0836f9d396

SHA512
24d6e3393ad25b00321a7a9dff4749f9067fd529ab498b5114b9b02e15b24f5cb206dede607e2324aa15620018ac3bf353f3eebdb1073dd3b29a991d3a260a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s7sjnlhj.cmdline

Filesize
206B

MD5
b50429edfa3ee688fbf9855df6acd33e

SHA1
799177e5ef851c60756b3471af323e6ce6bba6f1

SHA256
65bd3cbae025aa0a78a9ff82bf29c41479138312fb1dcad057a2d22cb2f49ce2

SHA512
b7776ef35722fc65f1e189cd3c43a4b2eeb9ac1ff29b0b665b15ad102a96003610ebaf4ae2ce1777fbfe3ef073165f5bc1109e5996eb9c9c2a8502f83ac94bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc210751CADBB34CA6958228F6ADA0F.TMP

Filesize
1KB

MD5
a47873e1bb0e84b9841fe8e1b9e1f3ed

SHA1
0df553af93575f993eea932a38b116f358e8e6c5

SHA256
d32d9bb554209e27adfed73e0f36441f0764c9e02fbadd457923ae44c5c880ac

SHA512
207c8739e26ac6a24dfb637ef235b12092903b223491a1e6e1157f8b38a4434c681d3477690ccb75aa23ce38469dccdd748fb92522de6d061e6c4801ac941931

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc240AB652445B45299112EC106BF793BD.TMP

Filesize
1KB

MD5
5e546d1201881afe82bfd3df17a20eff

SHA1
471999886af652ba8859cadf3f42c8d28129d37b

SHA256
6f8e8ad67781e81256ef3185f5e88822fb9c1de7f4259f18a7e29d108be934d3

SHA512
b65a3b65e8f31bdfdeee63ac006c0645f950883c8821fb1467a67892d4d196fbbc31a3baa2babc1ce11613788aa7b9b4c632686fdc3c3d0af71f41e9d5354034

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5BEEEA9CD2C441D489D8679E4195656.TMP

Filesize
1KB

MD5
4a2eacccdb01b01b117216dcde15c8fc

SHA1
b72d017bfd2f6123889b336a4f8c9009efe8dd76

SHA256
54f012b070c3cdf483219dc21fd51fe898a47b23d1fd4a708a071f7eba3d6584

SHA512
520941eafb92ec62ccfb3d1b87222bbaae2b044fb6f89732b2735175f6d12ecbfad111ccf1ad9cbf639925716553129617bebce772c678d70a94dee5ef23acc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc60E7E82F6B7E4017A2768DDC9EE01DDB.TMP

Filesize
1KB

MD5
6afd9b01508c9c69a0de03535ad5f530

SHA1
d727f0baf6278a5bfff339fc5b8a8ea9511f42b5

SHA256
6a3c72a45799088fb441484696436b87e6b923ec1a403cbbc2d6cf0273cc9c23

SHA512
0308b417648e44b59bbf1de84c36368d11490faa87f64557dd26189217427e4c73254f96d88ec30430112f70a8e2f3dd346ffe36fcb2d34c529e839d9264fc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8857444119A94BBA87B8C8AA76C2AF46.TMP

Filesize
1KB

MD5
12056ad3066679f5dbd325572fbe2a99

SHA1
53cecfb6b3b612284b4d8b8a9395280d385e6f99

SHA256
a2ceb54f07787150f648d3601443b878113c917b30de88206823c2b1ca36652b

SHA512
f8fbf63c5646ebe7329e33138468fb2459d96cdd8415ed136870c84d6a3ac03e0f2353f359788748b6310b36d097bd4e5bdf4a0843336bce34fb3c2428cfb88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA1D97366D264411EB12A6CE9DB2942.TMP

Filesize
1KB

MD5
94452bd6f8ec255ee5d68bbdcc877e3a

SHA1
a68eb46669df01936ec5b031c8c08f2afa86b91e

SHA256
011c2444d4b8696252fc3f26234ae1d3550324d1edc810f555c05b2997f37544

SHA512
1639308f3ccdd3f70834b451d09cc62257618ee4ae3c92ad9c992a06280880360b4b7e6ba4069e72e4847f3b6d26db97272a30236bba0be99770dadca4f8d2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC14B7A0DE6D3498289D861C44CBEFA4.TMP

Filesize
1KB

MD5
47ff0e089fa27d610e0b6d32697d66f7

SHA1
aa8f8566d7180d52cabd7dc37437b9a5f093e75c

SHA256
fc0f73bfdc1e71a2f4fba2090d060068333eb23f9fa70fa91591dc688d3b2a26

SHA512
74ceb9114158289ee1ad6fa31f16ebfacf24909976b5750c653446427cdf1d8cc3d88643c39b8b4082e354f86e721f6130e3d675c3cf2f69a57c5725736b22d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF4E2016A370D4E75912197C0228E3F8.TMP

Filesize
1KB

MD5
7916feed8bc0e43442862a106b433455

SHA1
7db8350ae1f95109c9ff8facb238fa8cb38e7401

SHA256
e8ed1405f1038ad617655fb2b09b418fe425aa2a3592e8335afabdcad567f6ee

SHA512
b77715558077c168c6208eb608ccaaa8755e5446e406a0032dc3ec5378fa9a067ffeaa99ab80a3d315a9699d323579b411d788044823611517db5c46f2594bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
fd1f61f3109c24fb8aee20ce28803d72

SHA1
d1b130429f6cee1f88ed3009bf3d2cc0e09af5d0

SHA256
1bd5683558fb9accef9fad8e8293299fd6fad7dad585cb90477e965fee48cfdd

SHA512
e36394de4e3ddb6b12a95cac985594f06f344ced1e30938f6ff332655e41374dce257335d146c43df1f0128b676f8e350b7e1dcb5edee4582bbef89a7cc848ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IO43JABDHS8A4MBPOL44.temp

Filesize
11KB

MD5
a186783a326a96d44ac92852e4129246

SHA1
f70269d21ae20d2572887575886c25be3617958e

SHA256
bc77699dbbf0a1aa4492c728a0c79decfacde0a07d6b3d9dbee6b84a945f4c09

SHA512
1d36e955d91619e86262752a3c638ce68c1d174d06bb19b0a79f4b2ff77ac89eb9f5f102979042e0e3c732a9ad971a51cb94fb632ba8218ace78784ea8d1350a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6a9a906d357fa815baeec01343bae2bb

SHA1
fe7c17c769a5aa8718dac5d751e6838186fbfc78

SHA256
c39e0c249ed30e20d5da3fab37eab0ebba63dc613800725abd3362cdcd1622d1

SHA512
94a054dae8945e21db0f1191f316572c2923df52e0d5e695aa6789c0d5819d3bcecb2aa6615de3d1201a403245b04e1723813882dbc6b47e91cb2d2a5bfb3244

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
53KB

MD5
c9185c513dae7afd114a09d71d04b87c

SHA1
947aa222b083e3d713a4940192377f7fb83f76cd

SHA256
9d194e4f1ffe4efda6373be5bb00257bfc1305c1dcd67e3c0d8566fa8b2fdbd7

SHA512
408890e9bf67e9a0fd29cdc3e17dd4ff0fc06cb1a823ec10d45c43de7b9288b57a3d7ac217a540a82767d04d2ad17ce6303faa1fc22281924e8ebea24e59a3ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
54fb79a0cc5f5db04ac7acd7e6aa3e34

SHA1
5f5cf7b1ed5e74333e102a3dac30dd3d2d41931e

SHA256
a2b8b73e23ecf7e857b40979d1da3efdea949c338ebd6ae30e15ff3e71c42c63

SHA512
c72c55321b494c62dfa9437e781c5dc57536c019eddbd321aa4e232899bfed3a0ca91cda6594b94351c272868d8483bd8e65d1f97bf6dc4a4cb44fb6db749742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
53KB

MD5
f1875534826190bc917a64a8511f0be4

SHA1
cc8729f7a2db8b35d14c82f7f8d3d72e8c4ad7c6

SHA256
4c478b69810b4691bc57687c364e16feb08a8ab527e0488b811cd51a575acec3

SHA512
f3b34dbb0d6a275673075767aba34e69775db6298a763b7fb2465b5cb3854bc62a47e9d0db1609547e1e44c5d86be9f51eaefa943a8ef3fe61520dd4772aa46b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
53KB

MD5
d08e5d740458b825a74f208b998f8b18

SHA1
5cb2711bc1ee65178358303b15a21b6e0ec94926

SHA256
1a3565486e416fa69028d25a4280d9bdf074ece8feec74d937ae29ff2909aed2

SHA512
4473e08937b806970888fe3b95be8fae03e6a56c2c6e222d54faa4743571457d8593722d8925c90db87e9626725c39b6c5d8f0ce665354a1f5551eb78b5e3716

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
2d928bf925ab141d575ff87b1380ae0e

SHA1
691540a85984259adfcaba1b865e760b56b37c73

SHA256
83a120c5abddd47c5c074025c561a5e21cbacedc9d83e83b7001f5325a0a321e

SHA512
77de375bcce34dd3bb2f8b70b79beace2b93b2520604fdd63a21ce11ae845bf29095e2269a40f9b0d13674f761d5b196c94d28c7b7de8f62f659a81e4020877c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\42be7c84-ff20-4ce2-95d6-2d75ee729580

Filesize
16KB

MD5
d179d6122cb255f871f0f734fb9a1689

SHA1
b8a46351a62d0c1b98d911dc631b68dd651d64a4

SHA256
ab7198f5caf6eefce0eb401ef5040a3a1df0c798ac0c2dbabb73ac39e26e9f80

SHA512
dcfaffc6d69c807e017960b6e6b45830de0a5e74e754f3f253b9d96d3bbd71370ae4068de5e244b5b55918245c770f15f4415262b33a3ecaf9b7f89d329bc19d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\5e02a044-f57f-4caf-b114-54b7a4020168

Filesize
2KB

MD5
30ad8d4507f446e0774b03f1ab198c26

SHA1
45771c075c7cc4ffcdfce08cfe41bc28361ec0da

SHA256
5e4908a24b23728bca5ad57d7eb0f76fbc2abc9455a02900017645b173e9c0e9

SHA512
4493337ff307b24f8c181e05f32900b0020eb1ae1b67655c63214e3597f395d95b636e3fc0ccda7e22cf2f85564d904a3e8791db67220ef55c52e52b8708e231

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\84aa1fbb-2a03-43d2-99c1-39d7449d2902

Filesize
235B

MD5
4c7272a8fe4b5678075917cc449fe8cd

SHA1
aaee8561f001c8514d392ff6ca610d1eb825b686

SHA256
431c94d8f903fb9911628ec464a4b1b5047b2dad5757be80695cf96b6daad3a5

SHA512
98ce2d7ce6e393595e79149b377c8274bcedba72b318a239ba6f36971948c0a7b38999a545a0ff96ec52c925c2224347e54042a9f8c232abcbd15a577a5c1dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\96d2dcae-0b9a-49fc-9ca1-692f514dcb1f

Filesize
235B

MD5
49f367dabb7f45e42733f60175e0d5a9

SHA1
d980efbd5003b10c79eee4d65c63ee06adb1fc75

SHA256
d353e5916c96173c23764226322fff3564e91559bd567c27673415044ed0bc6b

SHA512
2d9e3a4e3e6333066df67e9c988ea903de75c85457552d9ed4dc56b1cd25629745c1ace7560ab8905446d9adecd446c909e3e8a95fee5c09852b4f1491f9a1ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\ae357df9-071b-4ae8-89d6-5dff61ea6eaf

Filesize
883B

MD5
de85c96ff590ac281a7eee79c31ad998

SHA1
c9769c6a988cf52382b86406b5f425799c43ef8a

SHA256
06008147c76be65fd1901a002a8ee07f85d71dd3286f680df968e195a26dc6c0

SHA512
36046239872346c50063788e1af33767c671e91da7d070d79effa28072d3fa11589e1c326775d7d8f9730b8a5403103861da3cd17f2b0e3e99144979c3f1204c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\datareporting\glean\pending_pings\f0158580-e197-4979-97b1-dd58fe4f0e10

Filesize
886B

MD5
a70e7c28cf0b4c85280dda87cdda9a44

SHA1
1e09bd3642fb6c76ea1247dd09b94d767f526f19

SHA256
220c2d23c03ee77bc25f104d6174bcd5f24e6f4611321d10c3242208dbb0646c

SHA512
5189e1fb031397a41fa633dab4fbde7a157a6cfb2276e00defa51a667a8598e45e5ad87d0ab68c87606afaa9c4c17579f00344c8340a4afe0e32af38e2ebf295

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs-1.js

Filesize
12KB

MD5
d71099e6bdcdab38e0ad469ed518b40b

SHA1
96520bafb33a1bf99ba98dcde738bb93616e3167

SHA256
62681eb75ae68fdecc980577ba83ec8fef60bf172e2fdc0581974ba1cf77e4fb

SHA512
ae0111688dc10a4c5833ef13bafa9d541b4953e19b3c9a1036ccd69e069d6966ebc764859e22806adb06bfe6df3bd7d8cfb43170192ba37e0605094a1642e4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs-1.js

Filesize
6KB

MD5
986ccea083ec71ff00c3d84442483ca3

SHA1
35e628e503efa66741e0a2a1e70aeae79b77c19d

SHA256
acb75f5e573eea05c07d4bcdea5062fec37627086270aaea89c7b92196fd6eaf

SHA512
1cf8f2c4bb81fd299c8340fce295fce04fc347881a3944169ff786957ec0d6d53a125a144cb43d46e8245a210add6e7cfd9a53000ec166d737f0cfec31f6a138

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs-1.js

Filesize
11KB

MD5
c4cf766ddf09f66fdfcf63549499cc73

SHA1
ab9b6a8d0e63bcd001679d66cbeaf17f71858ddd

SHA256
f0da923d320920c8d74607b4c8d40c2cff5a06590ee91c6c43f048bc6735e969

SHA512
1ec3c4d22cab7ebf60008a65a46b1318d694d34c74481eb87ec5df05a05beaa2873b3eefb674674fa7c73991316ebb7a3dcd15fd4c78d66c94d22f1c69108d58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs.js

Filesize
6KB

MD5
37d347fdc9d266cab72afaa888df0bab

SHA1
44491a961fde4e66031b0f6f8f28527094a6b41d

SHA256
3b84800a7ca0f55897fb083ddec89767fe84eb2fb423ebd799c4762d13c00f16

SHA512
7158221fefdcac67ea1f68f68662ef2dbf1ba3f3dbf7fdb777fe50e8f7af72320fee45b3f6b3dd4f77c7360e00b11f6ab1eec38f782395fb23b023df1562495d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs.js

Filesize
7KB

MD5
8739d618fb3eb9d332e106245876d11f

SHA1
4349f9e9f4f6131e233dd5bd2154e5a34ccedd0f

SHA256
d94fd945e3cb6821b248c8f338e159828c2fd7a64ee6f13f73ff391ab18b4f5a

SHA512
e73790ce0d364b7d73f59ad322a20c0c18d7eac1615dce70c3a9d294af085e8a56d48ce8e6b0ea16e9a282066613b9846df36b9f41b0084b2d7c80b95fc642e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs.js

Filesize
12KB

MD5
20c9373c68e523b7445af40ee6468915

SHA1
e75e2597677db7441883cfbe26c9152d85cf476d

SHA256
b221cba3e1d1fbd5e21b06064a57e45167e2e94be054283ebdc45aab9e6fdc96

SHA512
577a1ee460c22ca6153b13ee00d823aa2efe19496ea014d7c17485fc1c826d2bbd25b84b641da4f74ee1c212cb3a8683b39ed35cd82fe7e2898c4d4c83ea321c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\prefs.js

Filesize
7KB

MD5
4a5c852c9c3bd11b1f150c2b42f99b73

SHA1
7679cdffb77b0dbecda9454ca9d83cedfd54f2b4

SHA256
f347f753e06f1bc447e6b3d621cb9681f94ef29ff1ec906419b8dd6ba7be3f15

SHA512
fab7d2549414bb098e2668255dfd3159ff9ebc0cbe4acba1d5f80fa9b48a1d50ae0d69cf6bfa716ef5b984610c420e2012a61f7f4395ecfd18b637c1bbff03db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
632c61b827653fd616b8ce5292df5048

SHA1
e644317048c3c9ea5e99ad31181346fb6f8bf3bd

SHA256
4dc759f0eb560466d76a6d89f32f102f7a4d2b73de8150cd4969095bef016daf

SHA512
a8cb0a2f0b2403c4ab60a2a57d105e4876489c3863cc87dab9e6184c2e8a494cbb4f6b2411b8750ec76174146292fd14f62413a541d2738ca449fe2d42dcf16a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6fa08cfa48a588aa3b2a91ecc24501fc

SHA1
7c0d1af78ee8de0152d4050fcf7a7453805e870a

SHA256
0bb1dff87d6a2bd4e64e5107da76c4de59fdbd13cc402f1149cb006e0934b7fe

SHA512
f1531d7da27ea7be1413aabb22e61b83631244b98846e34f0082c37b009baf545b1033fab726816a092fac897bf714cfd7247d7440e1008793d7e1ad834c967e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.3MB

MD5
0c595ecb3e5c8045da09b7cd07b7120a

SHA1
a959b68d33dc11885a91d0f8b51cbc3756d3c7a1

SHA256
fbeb51fd0fe3d67225727c82fd25fc508e6f15b056f07c9bc8a157a4f3e90696

SHA512
3fc4fa7af057a39063b989521f7d73904faaaffd196b179c12666e451a348e4f422d31b1a8fec79086d3cf497842345cbd0e0edc7914a2bb1596f711defbdb0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
9510e03e99c7ab0977e973ea8ac7081f

SHA1
2113ab863b200fe576683e9b9b90b718a89ac865

SHA256
6ecb9815241e08c1f88150d29f7111d31f0ad138f076959e976b0a748340c1e6

SHA512
f545e3a802100826f4fe4956b71b599b822c3ef9ae0df9e5d9ad4c3af113f0445892796b6cd8f792ca2195fb3bdd1ece0ac18aa87cdd0926fc48028aecaec1d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\elm0v52z.default-release\storage\permanent\indexeddb+++fx-devtools\idb\478967115deegvatroootlss--cans.sqlite

Filesize
48KB

MD5
32a2f09b3b1c86c0dc255a3a6c8f9e9b

SHA1
b82df608cf22642c2c8594aa674c80813534d4ec

SHA256
140313318a44162e63056fc4b316a4be3dc4923b826ec7b794889b9bf57ff052

SHA512
02be71def9c639b1d5936f2422ccb3221548ca4108ee6519cc209c79d6004eff71fbb1f46a1dee11a617fc8bbd18fc68fafdd544cc852a3e922f8bbf48b9783c

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
F:\$RECYCLE.BIN.exe

Filesize
7KB

MD5
53e2d8e0b4580e41b11fe0cd015348b1

SHA1
4692bf70f1183ef5d5a80477a4c59e4c26a7ffb0

SHA256
93c926c4849fa0ba477b2c668378990d35c63f255f171ac52f971d6698320f27

SHA512
04e8509569e4092e4b8d92d1c40a36f117a57e35e588387cace886b76cc35f3158b68cd220a747e0183674ecce6b3e2b6cf4b7d667e023719c6c09899f143b8e

Download Submit
memory/200-4783-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1008-4778-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1008-4779-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2896-4765-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3424-4710-0x00007FFA6E440000-0x00007FFA6EF02000-memory.dmp

Filesize
10.8MB

Download
memory/3424-4742-0x00007FFA6E443000-0x00007FFA6E445000-memory.dmp

Filesize
8KB

Download
memory/3424-4743-0x00007FFA6E440000-0x00007FFA6EF02000-memory.dmp

Filesize
10.8MB

Download
memory/3424-4724-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

Filesize
56KB

Download
memory/3424-4723-0x000000001C080000-0x000000001C0B8000-memory.dmp

Filesize
224KB

Download
memory/3424-4722-0x000000001B190000-0x000000001B198000-memory.dmp

Filesize
32KB

Download
memory/3424-4709-0x0000000000030000-0x0000000000494000-memory.dmp

Filesize
4.4MB

Download
memory/3424-4758-0x00007FFA6E440000-0x00007FFA6EF02000-memory.dmp

Filesize
10.8MB

Download
memory/3424-4708-0x00007FFA6E443000-0x00007FFA6E445000-memory.dmp

Filesize
8KB

Download
memory/4392-4764-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4760-4699-0x00000000055D0000-0x0000000005B76000-memory.dmp

Filesize
5.6MB

Download
memory/4760-4697-0x0000000000480000-0x00000000004F2000-memory.dmp

Filesize
456KB

Download
memory/4760-4705-0x0000000074E60000-0x0000000075611000-memory.dmp

Filesize
7.7MB

Download
memory/4760-4703-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/4760-4704-0x00000000052D0000-0x0000000005326000-memory.dmp

Filesize
344KB

Download
memory/4760-4706-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/4760-4707-0x0000000074E60000-0x0000000075611000-memory.dmp

Filesize
7.7MB

Download
memory/4760-4696-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/4760-4698-0x0000000004F30000-0x0000000004FCC000-memory.dmp

Filesize
624KB

Download
memory/4760-4700-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/5208-5780-0x000000001C2F0000-0x000000001C352000-memory.dmp

Filesize
392KB

Download
memory/5260-4760-0x000000001C2B0000-0x000000001C77E000-memory.dmp

Filesize
4.8MB

Download
memory/5260-4762-0x0000000001550000-0x0000000001558000-memory.dmp

Filesize
32KB

Download
memory/5260-4759-0x000000001BC40000-0x000000001BCE6000-memory.dmp

Filesize
664KB

Download
memory/5260-4763-0x000000001CA40000-0x000000001CA8C000-memory.dmp

Filesize
304KB

Download
memory/5260-4761-0x000000001C820000-0x000000001C8BC000-memory.dmp

Filesize
624KB

Download
memory/5520-4854-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/5792-4786-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5792-4782-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5792-6813-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5936-4855-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5936-4856-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/6604-5703-0x000001C015F50000-0x000001C015F6E000-memory.dmp

Filesize
120KB

Download
memory/6860-5735-0x000001F635A70000-0x000001F636384000-memory.dmp

Filesize
9.1MB

Download
memory/6912-5926-0x00000000005A0000-0x0000000000C4E000-memory.dmp

Filesize
6.7MB

Download
memory/6912-5934-0x0000000009680000-0x00000000096B8000-memory.dmp

Filesize
224KB

Download
memory/6912-5935-0x0000000009650000-0x000000000965E000-memory.dmp

Filesize
56KB

Download
memory/7056-5750-0x000000001E860000-0x000000001EB70000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads