crimsonrat | 6bc32e935a514da31e6ed5559252c36d82fd64b1e6403748b0ba86598ef20071

Analysis

max time kernel
149s
max time network
151s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
01/04/2025, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpeedAutoClicker.exe
Size

2.1MB
MD5

b3a2e60b9cf66a908fbc22fec9a5f398
SHA1

7e8bc7e0e0c7de380e1b5d6565bd9258317e80f5
SHA256

6bc32e935a514da31e6ed5559252c36d82fd64b1e6403748b0ba86598ef20071
SHA512

293a9a8d6df97fa90d3abe6c756d7c063e0ee80c8f71f7f16bb6793a8d84c5781307e9bb93dca267f6aade2a39a120b9fa00e7c8f7e41bd6cdecf16adad3e697
SSDEEP

49152:ypJWi2J3Y2ptHEAz+axysYC6syUkoPaPS2AJNyxUP+MkZBF:22Jo2rytClVkoOSfJNAUWJ

Score

10^/10

crimsonrat metasploit backdoor discovery macro macro_on_action rat trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://149.129.72.37:23456/SNpK

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002836e-1648.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2964	2548	rundll32.exe	125

Blocklisted process makes network request 1 IoCs

flow	pid	Process
173	2964	rundll32.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
120	5920	chrome.exe
120	5920	chrome.exe
120	5920	chrome.exe
120	5920	chrome.exe
120	5920	chrome.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0007000000028369-1583.dat	office_macro_on_action

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 5 IoCs

pid	Process
1752	YahooAccountCreator.exe
4648	QuikNEZUpdater.exe
3544	website ip grabber.exe
5428	CrimsonRAT.exe
2292	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
119	raw.githubusercontent.com
120	raw.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000f000000027ff8-934.dat	upx
behavioral1/memory/3544-949-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/3544-963-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpeedAutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	website ip grabber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2604	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880042993403201"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2548	WINWORD.EXE
2548	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1540	SpeedAutoClicker.exe
5176	chrome.exe
5176	chrome.exe
1540	SpeedAutoClicker.exe
5176	chrome.exe
5176	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5176	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	SpeedAutoClicker.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe
Token: SeCreatePagefilePrivilege	5176	chrome.exe
Token: SeShutdownPrivilege	5176	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1540	SpeedAutoClicker.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1540	SpeedAutoClicker.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe
5176	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1752	YahooAccountCreator.exe
1752	YahooAccountCreator.exe
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
2548	WINWORD.EXE
5176	chrome.exe
2548	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5176 wrote to memory of 3432	5176	chrome.exe	85
PID 5176 wrote to memory of 3432	5176	chrome.exe	85
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 3712	5176	chrome.exe	86
PID 5176 wrote to memory of 5920	5176	chrome.exe	87
PID 5176 wrote to memory of 5920	5176	chrome.exe	87
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88
PID 5176 wrote to memory of 4828	5176	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SpeedAutoClicker.exe
"C:\Users\Admin\AppData\Local\Temp\SpeedAutoClicker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa09e8dcf8,0x7ffa09e8dd04,0x7ffa09e8dd10
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2020,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1588,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4420 /prefetch:2
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4676,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5820,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5832,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5896,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5948,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3232,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4380,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6460,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6304,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6196,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4416,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4724 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4692,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4780,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:1856
- C:\Users\Admin\Downloads\YahooAccountCreator.exe
  "C:\Users\Admin\Downloads\YahooAccountCreator.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Users\Admin\Downloads\QuikNEZUpdater.exe
  "C:\Users\Admin\Downloads\QuikNEZUpdater.exe"
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4824,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  PID:3036
- C:\Users\Admin\Downloads\website ip grabber.exe
  "C:\Users\Admin\Downloads\website ip grabber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\825A.tmp\website ip grabber.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Windows\SysWOW64\PING.EXE
      ping roblox
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6384,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2548
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    3⤵
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=1104,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6444,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6044,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5084,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4744,i,16904782635120659599,8193101931119941437,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1512 /prefetch:8
  2⤵
  PID:3920
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5428
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2292
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\NetWire.doc" /o ""
  2⤵
  PID:2516

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0427d9f7ef9c1911a4c0050961f3ac57

SHA1
839f2bfcd03e833281a677c2048cb95519dd51cd

SHA256
74d7866ed0b195f69f98d75992cb16b33cd4a27f4517166e1a5a6c91145c39e9

SHA512
a2723c6910137e614829aab8ae09c6260766aa0dc60c56f4484f29dbef542e23149be931c4bf20be0bb6ac3368327ea8db20221222fff29eaee1ecf834ad64b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
faa0c83d72ad057d1f49d4349e45d008

SHA1
b49b7c48bcdbb60bb55dc4cdaceeb428d0d074ee

SHA256
faf2f6d369d1534fde6ad69e519c8d9a4ee72e832fd3c788bc895e5f13c9ee64

SHA512
0e7d5e2484213244b180cd1bbe50000581dec12d98878caacb2b7652f6b78f4d83de7e610cbb47219d8ae9e7c536e5a9c30d86317014159b2bb023426142881e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3712f2f842ad238297c31229be0bf915

SHA1
534fdc4edc8d5029cc5e835fe3299edbfa686c06

SHA256
7af020dc18ab2d56fa046a63da55bf3bb8c25a702f1ce939020cc210b8907510

SHA512
fcb38bec461c316a2d8c6db0af78de87cc3023d4572749f8b6675e874fa7378a479fc3215a45892e70de6aa9eccab86de7cf877481b80d39534beafd0c71b2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
895938560e8e14c53048073ac03cc066

SHA1
a41f03b98a0b4ef5e3f5254c368d0f6b4c701e1f

SHA256
33eb67c7f5858294d2380ad60d600726d393768dffed54ea2db254097ecb564d

SHA512
fe53290a54a3dd1c337815b550501b434039f3ed347e9803c83ab6c97b12e95df63445301dfde5f04a8694793f912dff34bdb735cd58082dbca7c9c978e7c6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1b20db97de462c7efb933a839cadc1ed

SHA1
600ba10509be1bd144646c6990bc153c7168215f

SHA256
76cb5a2f12c6b6feecfc79ceef53666aa6da78062ee2432b80d919c540617a12

SHA512
3fcf55503acd76301bc95f32e7cf7552dc9ceeae7819bb0aae255d98b54b983ebfad8fabb2babf4cadef051f39686b6a80c874426b4afd0af5aaeecc960b66fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a8a3d856fa4606db74a0afb619b2a263

SHA1
27bfcc8377da2861550333795f1050b9af387dd3

SHA256
8c12e28b888f6d8f571a9e7769f9875828827425e3582854b0226f6210683906

SHA512
562cb279d80f0c775b671183b986799dd5e75a6be4a7ae26c91e9aa8215fb9e5ca77e96c9b1a42649a8aff3a9b9a1934a0d5863deb30933faecae0012a2d6d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8cef6bb414288ac08893a135051689fe

SHA1
b3770bac05ef8d0f6141d39a0c71bc0a171c947b

SHA256
61bb62418fb41c307d53ac744c22b08154a6886b87a8eb74ebb8ee2dbe6321b5

SHA512
a86f4fd5394b731df7e4f2639a163e162bfaa505e3c4fe88563f267f0e9efca4869d4e5933b994204094991f7926277239ea41787b8e3a4ddca516c4dbb0abf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c231a934e87e0f48c1161ea631da48ba

SHA1
6e6401c85d16beb20c9efabb0583a6edb19a2585

SHA256
b32dc9bec2f75556f8bd8d3d6ab1245b472f26d3d019dbc8750c49113cfcf26a

SHA512
81396bf8f94b8f2fd3c79d5513c27bfd05ccbfe28f87c9ea2c61d14c6e548dad5b0c6e8afc262023406e88b98534739c2254769388b30d0ee771005aac3a4ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
5eab6f8a55b778c29893ce477ef39dae

SHA1
0e60f40c1fc89d59f99dd1832e6fee78afebf9d3

SHA256
b6100acdd32feee407caa2e9dc252a992466afeb5cecdcfa6db7660c9dbdb7b3

SHA512
88f05616f6c614533ac7d5bb71fb811fc09b3769aa1647d91bd88d9241f885899056f373004ad8012756749fb16ac9724aac1c5d3e8c76968298b02e22d98e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cc034322f97e5e63d9860781ca549f47

SHA1
8be568e9ade12dfb423ac1edc71e928194330f32

SHA256
992f1b114172573c1f7404a514c7d7bd6eb9912cd91419ec39aaa82b05e54108

SHA512
bc7e842494d1135c22686265930659ec0889302a8474a5dcd5cc4c608ee6d7415e10cc1b0d5204a950a3f1b2502a2472e92c2d5214bbb6eafd5f584f2881123c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
68b050533fb0df4fad567b48046c6924

SHA1
2921ab1827bfaad2436e5510df3469bab0b8148c

SHA256
f3975205ad45e2b74a057eb4800d1566bae021846e47bb6cc31e7a1ee4a1c1b2

SHA512
12b7673a4658f3a5aa9111cc67813ee5e7e21000e06f239a4a9a5834d217ad313d3527ee67f12a2d66c7c0bd8595e3f5b2067cce39fdcc9e1f2b1e7b8c70cf36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
346742ef70b30f50b49a5b4182fc1e19

SHA1
1048862659f23cd2d3fa1d80c46de5e68e8f0917

SHA256
17bee7882016f542be3c694c4810b4bb9db4db04483395c145e4a40e4d48c41f

SHA512
7f4ef7be91250bd155aef08072a8510e3c8d5d4c18a4e1ee68c970ead93c97ff85c8d81a83cb98f1b9b153496a311c457ca44104df906513d5d0231fd8ebd393

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
8886a11738b46545d190f56ddab043f9

SHA1
ccf475ccf865bc1d33503bd65395e8f683fa9b90

SHA256
e767c45b25f4955ccfb29703174956ee8111e9e307e04ec40ea870e3cb7a1e0b

SHA512
b1843c4cb148d405aa47309eff535f397a169d2f0eacc9cb99e2f2c9d984a37ac2de273f8835ab8604015571445c765e28deabae25dc82b0676a0b017837fc5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d60a3055f8125d9fb37ab74dc2c14ef5

SHA1
75f6010d943a4ed5f2efea00237d194cd7ce7320

SHA256
407aaef722c882d619fcb22a4b3142577faa1f49a078254e18ce121d7a847d64

SHA512
c732b5f6b855d244fe6af8beb090d914ab7725f911c3388e4d269678cf040f04cf8619f6eb2119084326e0bcc8a7ac9ab8baefb4137ee5d4c1369e083ed4e19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e42c39f431f45c05cc1e50234da721db

SHA1
2099308670893fa47d4fb1bb0482aa9a0969011b

SHA256
07ff9e258430d4e7c0a231c51b7c193d086d106cfe2d256c65adafe5aac188f9

SHA512
bab33ad7c5ed1790d57df24c4a569ec09371b3b7c75b99e1c0abdf828fdcb68465375ac04957292c88c2a59b42f73d0a6cf5a99e54b09065159bee68809195f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
397a0a6134c808e25963abe1e6d0cb84

SHA1
e8fee5fceeae427e1bf568b5c4b0d60512db873d

SHA256
0df54bf146e781139df8768142b97ed5de8da6f50d189002f5525866dee510eb

SHA512
11c33e20f117ffcac8416eb6daca1318605886ef2b7a86386b9a76c52e7117bfdeb5597f077783813c99667fe865fd103ec2a1871761fb52d50fd717c871ba34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a25a.TMP

Filesize
48B

MD5
9ed895e580cecce98f78d09f445b8b95

SHA1
0c71b3655baf5e49da946f75088efa482df07443

SHA256
3c54289793834514ec8c54cab2879699323018d58b469930fbb30e876fa9f038

SHA512
aecd5f4f8a3393c78001439a27d2aecbb0c587079eb5279fe39134bdc4ac48ff72b20d502b7e91fdd077a8114f4f8face0b3207d83d79affb6f33b8421b49323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
e97981ddd1e1648cd45518f67598e359

SHA1
28764bb670aac89d491028b27527294393f1eb9e

SHA256
02284ef23068f7d976399f9016fb89c9c1a8b3c838394c8441dc50b96d435cfd

SHA512
aaf95fd9527604bfd6f7761ac0da2a995a57ee7abf63d944c6e92f472dc07355fbd3f55d4f08f5103686734ce3d79ab53d8694077d0e54899adc0f495352e622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d1842c5ca78f8ffacb08a95b8a883280

SHA1
a049885a782ab63ae2d2edc5fcd9bd1ef83e5d46

SHA256
0234f15653af8167b40a23af7664b476145e3e6ce6f828967608c37f269fbc8e

SHA512
d517321f291a05b05a54f3bafb9c169cb58a80505269e6dc8526ca64c533d6a86ff9869bb823e089f2df037ea6e214c9f92565ccc71ad36300368586c2c7b3bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
e9b63ddfd030a2101b20a66276b9205c

SHA1
ab0cc040183d490d534e3c56fa22afe865d70043

SHA256
f31cb22485655e6a7856221bfb8b779b98e5360f13874992c3d11dba2d847181

SHA512
6a82804182f0b93194658a38e01e1767bba2bd18128927b145be2827c345c9d044fde23ecec68d47d59f2f68fb9dfc16f4bb3939b8ea6824d494c3e1a2f16ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\825A.tmp\website ip grabber.bat

Filesize
484B

MD5
de825eb742f2d9cb06edb6a19cb54a54

SHA1
77b92f377f4b79fba5ec793eb80c573d2b906e58

SHA256
9b141c2fdea8e31f8ce501c8517f1915e98ee12be3e67fe629f122b1f6e3e32a

SHA512
69ad990c825adb7892cc7e164c61eb983b4d5e0928b9acc384a089e99971c38a51327bf18bcfca3016b8f0f6acbd41bccea2d96b2a495d92df12c4a141e53fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3710.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
323B

MD5
d50731c45709f877c89ad140c90e8ea2

SHA1
3ff78703ac8878ad5126b8415a3ef42828152099

SHA256
61d873142690e61a7aa55ae70eb63006e10a3e1e6f8695e62a2d230c4f26f890

SHA512
67395b5f52179bc6fafa66511394ad890bfb3b97a04327393284ae146f28a38fb4d11e1c4736cce9929f82cc29ac71e98c0ff4d01f2729460258b8379ebb8236

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
361B

MD5
21893c31458fde820da1607cb072dfef

SHA1
a80d0768b8067be0b21631d0c881461dd109ccfd

SHA256
d5fb5d076c752f9a9ee509bf12983e1643547b62fb0c7d34ed097e5870c1f3b4

SHA512
9e78de4e6e3859a1d6481ba4b84a5b0cf4ad92e71523a9ca3ae75310f8338235297b157494dfe70fbb0c65c5ffa68d6e26bce114f83c7583fe615175cd7fc0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
080c57f62cbd98be05f7257e653f08c1

SHA1
a703dc74df202a1d3e92249c0da499e138ee00c6

SHA256
8c459a1e058f53611186ac283585abf4ec88961f5565f72b377ce8a0708397e2

SHA512
e37814734352201d0c6a6d3056489289739bc17d2b9850805115e61a8ddc8f7d7a06e4b192635df7b18f40d38ece5356a5b4390600b8a98bf49740b3f21ba037

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
a933ff1b76bdc92791fac87a7779a273

SHA1
e7a83b3d0be0e7f68e52d9ed5ab46f743889ecec

SHA256
5f7f6f42837b4c41d09568ec21bf741e0c3cce373fe34b1c5055e82d27cd7aa3

SHA512
d4b5b331fb992fa44484c8bdc135e6c1b61a5ae288cad1095db0fb62859c07eef8b8b51c2e0403d03502e6248a564646d579a18b5cfedb24cf0811b70e756ded

Download Submit
C:\Users\Admin\Downloads\Adwind.exe

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\CobaltStrike.doc

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\NetWire.doc.crdownload

Filesize
7.3MB

MD5
6b23cce75ff84aaa6216e90b6ce6a5f3

SHA1
e6cc0ef23044de9b1f96b67699c55232aea67f7d

SHA256
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

SHA512
4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

Download Submit
C:\Users\Admin\Downloads\QuikNEZUpdater.exe

Filesize
80KB

MD5
fb02f87c1d1559ff3c9216f2c2939da8

SHA1
7897f931863dcbbff159285e17a9d6a35af5bf0d

SHA256
ccc20e99d60ddaffb7b60a027180e0c2071d43a4f01b10ac73f90b67b3cf7ae4

SHA512
a1de88cc673cbe5d6ba8df9fe097b569b93786ded2f4f300f3ffc0ca9d8b97824e747b01580c91f8d24a35713eabf9905603efcd1482a1fac98834b44bbbfee5

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\YahooAccountCreator.exe

Filesize
47KB

MD5
745330a913694abb4e492632feb2e427

SHA1
887135f815244debbaf714b4397f8b5769d091c9

SHA256
d3c8942e22a288ff323fa911943442334fdc34ad013acbbba2995acb74558067

SHA512
86d3625b510852dbd2feb7886800e3ecb867b5aae696f35df6cc8b1ffa3cd8f4d8967afe7dca4ed06b0dcbea6cc5dc76d8cc0a572b002949c2cc133dba6e3964

Download Submit
C:\Users\Admin\Downloads\website ip grabber.exe

Filesize
225KB

MD5
6520d9ab650c992b25c6467324baa2b2

SHA1
0a1f8a830228eb8f6229fed60b1171b2cdbfa5c1

SHA256
1100b197992c499e5ae8d484ab83ef06e20e46d4f74847e2f838c98ee1c0caeb

SHA512
2d8be4db599f735869fc5e9f0357fb5559e828c551399eeee7b9530850bd23577d27d0554e13ceb43ed3c9e7eb933e5509c2bee8408407f01f966e6ca858609b

Download Submit
memory/1540-385-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/1540-386-0x0000000074FF0000-0x00000000757A1000-memory.dmp

Filesize
7.7MB

Download
memory/1540-1-0x0000000000BE0000-0x0000000000E06000-memory.dmp

Filesize
2.1MB

Download
memory/1540-7-0x0000000005690000-0x00000000056DA000-memory.dmp

Filesize
296KB

Download
memory/1540-9-0x0000000005740000-0x0000000005748000-memory.dmp

Filesize
32KB

Download
memory/1540-12-0x00000000066C0000-0x00000000066CA000-memory.dmp

Filesize
40KB

Download
memory/1540-13-0x0000000074FF0000-0x00000000757A1000-memory.dmp

Filesize
7.7MB

Download
memory/1540-8-0x0000000005710000-0x000000000572A000-memory.dmp

Filesize
104KB

Download
memory/1540-14-0x0000000074FF0000-0x00000000757A1000-memory.dmp

Filesize
7.7MB

Download
memory/1540-4-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1540-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/1540-34-0x000000000AFF0000-0x000000000B51C000-memory.dmp

Filesize
5.2MB

Download
memory/1540-6-0x0000000074FF0000-0x00000000757A1000-memory.dmp

Filesize
7.7MB

Download
memory/1540-33-0x000000000A8F0000-0x000000000AAB2000-memory.dmp

Filesize
1.8MB

Download
memory/1540-2-0x0000000005D20000-0x00000000062C6000-memory.dmp

Filesize
5.6MB

Download
memory/1540-5-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/1540-3-0x0000000005630000-0x000000000564A000-memory.dmp

Filesize
104KB

Download
memory/1752-859-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1752-896-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/1752-860-0x000000001BAA0000-0x000000001BF6E000-memory.dmp

Filesize
4.8MB

Download
memory/1752-861-0x000000001B490000-0x000000001B52C000-memory.dmp

Filesize
624KB

Download
memory/1752-862-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2292-1660-0x0000026B505E0000-0x0000026B50EF4000-memory.dmp

Filesize
9.1MB

Download
memory/2516-1689-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2516-1691-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2516-1690-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2516-1688-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2548-1052-0x0000018D6ACB0000-0x0000018D6AD48000-memory.dmp

Filesize
608KB

Download
memory/2548-1000-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2548-1565-0x0000018D6ACB0000-0x0000018D6AD48000-memory.dmp

Filesize
608KB

Download
memory/2548-1006-0x00007FF9E5AD0000-0x00007FF9E5AE0000-memory.dmp

Filesize
64KB

Download
memory/2548-1002-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2548-1005-0x00007FF9E5AD0000-0x00007FF9E5AE0000-memory.dmp

Filesize
64KB

Download
memory/2548-1004-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2548-1003-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2548-1001-0x00007FF9E8270000-0x00007FF9E8280000-memory.dmp

Filesize
64KB

Download
memory/2964-1035-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3544-963-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3544-949-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4648-886-0x000000001ECF0000-0x000000001ED52000-memory.dmp

Filesize
392KB

Download
memory/5428-1618-0x000001BF36F00000-0x000001BF36F1E000-memory.dmp

Filesize
120KB

Download