crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
265s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat darkcomet modiloader revengerat guest1111 defense_evasion discovery persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1111

193.242.166.48:1605

Mutex

DC_MUTEX-2QRLPN3

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
Rb5l52XcV9no
install
true
offline_keylogger
false
password
313131
persistence
true
reg_key
winupdater

rc4.plain

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0010000000024372-11160.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Modiloader family
modiloader
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000242f4-10134.dat	modiloader_stage1

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000e000000024219-9950.dat	revengerat

Downloads MZ/PE file 6 IoCs

flow	pid	Process
198	4900	firefox.exe
198	4900	firefox.exe
198	4900	firefox.exe
198	4900	firefox.exe
198	4900	firefox.exe
198	4900	firefox.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4508	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5632	attrib.exe
2820	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	Blackkomet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 8 IoCs

pid	Process
6404	Blackkomet.exe
3436	RevengeRAT.exe
5552	NetWire.exe
2476	NetWire.exe
1556	CrimsonRAT.exe
5096	dlrarhsiva.exe
6872	RevengeRAT(1).exe
3924	NJRat.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
191	raw.githubusercontent.com
192	raw.githubusercontent.com
195	raw.githubusercontent.com
198	raw.githubusercontent.com
233	drive.google.com
234	drive.google.com
255	0.tcp.ngrok.io
193	raw.githubusercontent.com
194	raw.githubusercontent.com
229	0.tcp.ngrok.io

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 3560	3436	RevengeRAT.exe	152
PID 3560 set thread context of 1532	3560	RegSvcs.exe	153
PID 6872 set thread context of 6608	6872	RevengeRAT(1).exe	163
PID 6608 set thread context of 5736	6608	RegSvcs.exe	164

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 7 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe

NTFS ADS 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	firefox.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	237	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	234	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe
3924	NJRat.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeTcbPrivilege	7432	svchost.exe
Token: SeRestorePrivilege	7432	svchost.exe
Token: SeIncreaseQuotaPrivilege	6404	Blackkomet.exe
Token: SeSecurityPrivilege	6404	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	6404	Blackkomet.exe
Token: SeLoadDriverPrivilege	6404	Blackkomet.exe
Token: SeSystemProfilePrivilege	6404	Blackkomet.exe
Token: SeSystemtimePrivilege	6404	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	6404	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	6404	Blackkomet.exe
Token: SeCreatePagefilePrivilege	6404	Blackkomet.exe
Token: SeBackupPrivilege	6404	Blackkomet.exe
Token: SeRestorePrivilege	6404	Blackkomet.exe
Token: SeShutdownPrivilege	6404	Blackkomet.exe
Token: SeDebugPrivilege	6404	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	6404	Blackkomet.exe
Token: SeChangeNotifyPrivilege	6404	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	6404	Blackkomet.exe
Token: SeUndockPrivilege	6404	Blackkomet.exe
Token: SeManageVolumePrivilege	6404	Blackkomet.exe
Token: SeImpersonatePrivilege	6404	Blackkomet.exe
Token: SeCreateGlobalPrivilege	6404	Blackkomet.exe
Token: 33	6404	Blackkomet.exe
Token: 34	6404	Blackkomet.exe
Token: 35	6404	Blackkomet.exe
Token: 36	6404	Blackkomet.exe
Token: SeDebugPrivilege	3436	RevengeRAT.exe
Token: SeDebugPrivilege	3560	RegSvcs.exe
Token: SeDebugPrivilege	6872	RevengeRAT(1).exe
Token: SeDebugPrivilege	6608	RegSvcs.exe
Token: SeDebugPrivilege	3924	NJRat.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 2716 wrote to memory of 4900	2716	firefox.exe	89
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 4668	4900	firefox.exe	90
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92
PID 4900 wrote to memory of 1568	4900	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5632	attrib.exe
2820	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Downloads MZ/PE file
  - Drops desktop.ini file(s)
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2024 -prefsLen 27099 -prefMapHandle 2028 -prefMapSize 270279 -ipcHandle 2112 -initialChannelId {13e85577-ab5e-4951-8f79-16400aa7238e} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2524 -initialChannelId {9776dc81-4abd-4c60-9360-7a9de8bff5b1} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:1568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3864 -prefsLen 25164 -prefMapHandle 3868 -prefMapSize 270279 -jsInitHandle 3872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3880 -initialChannelId {a311a21b-622d-447c-bcad-50a20e20c384} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4032 -prefsLen 27276 -prefMapHandle 4036 -prefMapSize 270279 -ipcHandle 4116 -initialChannelId {8118f2a8-8fdc-436e-937c-e71922cefc6c} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2692 -prefsLen 34775 -prefMapHandle 2836 -prefMapSize 270279 -jsInitHandle 3268 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3300 -initialChannelId {5f2eb3f0-e2e9-4ce6-a78a-0ce98b1a75f1} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:1696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5144 -prefsLen 35012 -prefMapHandle 5148 -prefMapSize 270279 -ipcHandle 5152 -initialChannelId {1fc97744-a51a-4134-b035-52ee539f5de1} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5424 -prefsLen 32952 -prefMapHandle 5428 -prefMapSize 270279 -jsInitHandle 5140 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5440 -initialChannelId {1d4427c2-060b-48e8-b245-08e2afe2d025} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5584 -prefsLen 32952 -prefMapHandle 5588 -prefMapSize 270279 -jsInitHandle 5592 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5600 -initialChannelId {1f138341-bde3-4b41-ab68-ee7deb4b9cc3} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5820 -prefsLen 32952 -prefMapHandle 5824 -prefMapSize 270279 -jsInitHandle 5828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5632 -initialChannelId {b2ae69b3-079b-4b9d-81eb-ee5474c9759b} -parentPid 4900 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4900" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:5852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7432
- C:\Windows\system32\dashost.exe
  dashost.exe {800f7000-693e-4611-927ba820d9c33e00}
  2⤵
  PID:7536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8084

C:\Users\Admin\Downloads\Blackkomet.exe
"C:\Users\Admin\Downloads\Blackkomet.exe" C:\Users\Admin\Downloads\RevengeRAT(1).exe
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:6404
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Downloads" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2820
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4432

C:\Users\Admin\Desktop\RevengeRAT.exe
"C:\Users\Admin\Desktop\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr46zdfq.cmdline"
    3⤵
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84CA744C9E86470DACAEF1D6D99958EF.TMP"
      4⤵
      PID:6536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbr70dys.cmdline"
    3⤵
    PID:5720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3516.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA7B86AED79F4DB6B5563471FAB8105C.TMP"
      4⤵
      PID:8172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tutddagc.cmdline"
    3⤵
    PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A5B7D15BCFD4B86892C7274F1029D7.TMP"
      4⤵
      PID:6712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sk2skd_c.cmdline"
    3⤵
    PID:6672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvfwesy3.cmdline"
    3⤵
    PID:5744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7711.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3996FD264ADC4ED4991C505F52FB094.TMP"
      4⤵
      PID:3648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsdq7gdz.cmdline"
    3⤵
    PID:7188

C:\Users\Admin\Desktop\NetWire.exe
"C:\Users\Admin\Desktop\NetWire.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5552
- C:\Users\Admin\Desktop\NetWire.exe
  "C:\Users\Admin\Desktop\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:7764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x410
1⤵
PID:412

C:\Users\Admin\Desktop\CrimsonRAT.exe
"C:\Users\Admin\Desktop\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1556
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5096

C:\Users\Admin\Desktop\RevengeRAT(1).exe
"C:\Users\Admin\Desktop\RevengeRAT(1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6872
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:7496

C:\Users\Admin\Desktop\NJRat.exe
"C:\Users\Admin\Desktop\NJRat.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5768
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5612
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6580
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6596
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2340
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1084
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6148
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3392
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7380
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4660
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2412
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5248
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6308
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5384
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2912
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4736
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6008
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6040
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1464
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2960
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6884
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6988
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6284
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6528
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D675053634C808852B3CD7A18E5F7.TMP"
1⤵
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7300
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7016
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5452
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5064
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6860
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5396
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2820
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7960
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4564
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3524
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7120
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6084
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2812

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:7716

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:5620

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:3928

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6352
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6756
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:2876

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:4956
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7788

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:7876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1392
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:2556

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:6704

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:1208

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7080

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:5356

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
1⤵
PID:4164
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6240

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6788
- C:\Users\Admin\Desktop\NJRat.exe
  C:\Users\Admin\Desktop\NJRat.exe ..
  2⤵
  PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:7548

C:\Users\Admin\Desktop\NJRat.exe
C:\Users\Admin\Desktop\NJRat.exe ..
1⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\NJRat.exe" ..
1⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\XjtnxDp.ico

Filesize
1KB

MD5
42d552558e7e6f7440b2b63a6cde217f

SHA1
9c8fa01060f667cf3b0caad33e91fa59e643cf76

SHA256
11b5a0730666935c78d22b379f83ea5fc30d1afdea09a796b4f18b38a1e1ef69

SHA512
e6a6dc1239b9668e7ffc883b3cf46aff8c9f86ef11ae975f6fb65531d8b9313acd7608272042e322fad415a45c0cf767252d2c620ad066e6809656af0f09441b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NJRat.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
bc40a5cd5f0cff797775294c8a75c9a5

SHA1
59c6c8793adb6a51c5511f2d518edda02e1da05e

SHA256
933be9e868e4fc27077a0771b2061a9d38c4de69e1a5eb86f7419a1c7c235239

SHA512
90ff508b8aad95538460ee25c85918dfd764e85c955eb7262f899f7c92f699d4ac08cc28138fb2bab99ca035d2fd5e692da7686bd3f7aa9ac2c9737fc2fdb89f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\60pbrgcr.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
3f4b73c5a03c909337fbd5862a8469d9

SHA1
7c0e22219262d02d46de479c223f64efe108cf18

SHA256
080265a72852d049228f7ac414a9d5d1132b2fbaa0e2de1e106f3085b72860e4

SHA512
b4d9c117cbd34c10d729c11d30b8625c30eff66a60ca635f5f8433c3c506c3980f132f3fb0531b2b606274800462c23c90ccdfe9f043d0889fa2597a6322fb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa289ad6-f522-4633-89a9-d36d55d79631.zip

Filesize
3.7MB

MD5
c4680b37814f7aabd08f6ab32e20dc3e

SHA1
79c9a9397a0be98c7bdaae45e5977fefb91c9e72

SHA256
535247caf4912ac6ca4faf09005a97c7587116a4b1bdbe7e762af34a8d1d71e9

SHA512
bdbdc2c4ed14778cc1efdd5f4728c29642d159edf3351f800a9a5f224142d82176dd9becfccd93b275b6ee8f517395a993bc61fedae0db2724d784a263346175

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr46zdfq.0.vb

Filesize
342B

MD5
eb057b2b26beedef7d931bf659fb6f18

SHA1
3136c99b96686db9ded50aa19b55155c752551d5

SHA256
3066d848e6fa1f1a5041286509fe0319b7e5cf96941f2f3914af9873aaeeb414

SHA512
6d40f52117023ea3171c49cb544c13b703c220a49b7f251d9d4d14332ef637d14ca28e425e723d0906ef31ae77335e38a9e7ced009cde90645b31dde4cea8f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\dr46zdfq.cmdline

Filesize
198B

MD5
fc072998857eca823bce7e3f49dbe179

SHA1
9fdc270b4799a02e7a7fe3be36c14c6f21bf8205

SHA256
4a4c88290227e26bc892c191ee3aedab893d8d882d8c5461876d7b250b5c92bb

SHA512
410ac59908ec082c1061deed955d01d577294340dd600734dcdeadfa2dcf927bf88fdb581c45f9d883e1b259095a78c8e55691ba65dfec7cfa7847e096d46981

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
37B

MD5
a052197adc76f184fa76549d4db12fc8

SHA1
a136892e2b9c8ed6a41e2e5be3c6d81495ce06a8

SHA256
46ddfa2c98cb3c4a6b4d07bc72965d30bd3c733d7242d0f1b16c8b7de335afdb

SHA512
4826eab19059c20b2a34691315433780dc4a70ee2aa87dc8ff59a93a646bfe5ac6eaafa0da1f83f50ee7d5ec32ac7d7454c202458db3f0bcffc368f598441181

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
40B

MD5
f3f38b09fc848dd4b38e5fcaf0c58f4c

SHA1
ee16ded13e4277d2128d71b9db287d0b63230307

SHA256
9ceb30029a109f525538d864a57d743ec6cabd399dbc083a67dd66c44a7a955c

SHA512
e53bdfe8588d8f2e10a96630eb8427bad4a477d9529952d911e0d5ab258298332fe27007a09ff5635d5825bd7f493516d5b2eda3ddae27d60639a73843906b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84CA744C9E86470DACAEF1D6D99958EF.TMP

Filesize
1KB

MD5
296769437d2c28cc41fed36299d07d25

SHA1
51dae71c6541c0959647011fc3d13e3b7aeed44a

SHA256
53fa144580b0a916400aa8fd12b6300e90d5c7176736e2f535b5bbf26acfb574

SHA512
ab373a03ff1be8d612e1989fb8457d1d47286459587ba59bc20400ecd3edcfd77c959ea08913bc2f09746354de1e5737697b6a28dd548d77fce9f46a91eee392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KFEPOLI2QZ6BZVF6N59I.temp

Filesize
20KB

MD5
af4a680e32d3acb2309af1ab883db7c3

SHA1
28feb95e2bc1c43f604b9906eb389b5ee1470cbf

SHA256
f1158925a4f9ab1137f1b072c7a6385f36cc32a13122256ecbc5e2109ef7770f

SHA512
0680b3bf64de7e760f1a59c746e69a1fe0f4e04e4c9b682d9c20dc9e8659f2629e350d6d492300576cbb15115f8bdbe94a50647c01f9642e2347bbcac0173845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
221B

MD5
211ee1f33c61841dc0cb15cff59dbc91

SHA1
cc5d291a3ee0c28297bca6fd754a38221cbccdef

SHA256
f715c4cc71a300030e5d1c5e5c4dd95e6b8d56e44d8a53e1b4eedc80bf178669

SHA512
f224c116d34862888e5d530e5f2769debfdd31732af060dcb7c4321dd6abb4e74d8c6e3d3522b7b560cde54abe96168d3e35830fa23cdd5aa212990407eeb793

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
79aee77ed0be86df589af3961d497f25

SHA1
ccc58e8099f0d7172a7270c189aa8e3e419e711d

SHA256
e02729731a74cca949aaf8dcb057b79aaaa79a99116bb4557a099ca8902e72fb

SHA512
d9eadbf6aeab5e5f6d1a8d3cb9b2b37edcda6d9599f2fc1668ccba5486a888ad487e7d443e18222cf6c7ed9d610e463ce9afb12c5c59561e41c45f1a336fa0ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
ed1e0217099005ec0fb1df520ada8d89

SHA1
a817547fed4d57a9617eb40fdc392d050780706e

SHA256
0cf6131c0235a3dd3728771f7ffe0e97714ae53b340d82af018af50700b447eb

SHA512
4315e82cb9e2083e39d153e9f577f3c696847e218054fa2cc9a2b10ca9ff36f8d1c801cf82e38008ce14417dabd3af6fe32cab21be0c5912b04824889825ad67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
378ec8a16b2f325e712e54ba2cc320b3

SHA1
94a094ac6caf827edff78d6c319dc1093372a99b

SHA256
98ced853e388c723359fbf47bb3044c441054dfe9a27205261f16a14185d540e

SHA512
df4702314288cd101395a6bb682dfa9bfcdd6e8f49b23523eb04f99071aee36b9a8ee35a330fbd4b2ba50d1f6c410e85ffe27fb638702407f8b56c920c46a347

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
10d9e7d0f9f9639afa6504d841987d51

SHA1
d945ffb8b484784e6fc69984d4947cd462a0b6c1

SHA256
4024e1844e0530d098cc3ff05c1657cd2fb061251b87a912dc52d4c946344272

SHA512
027ac71c152fca1bf7a8da34a3fed355c30dd3774d9abcbfec6d31639c25996bfaa3f2c8556711750162a9bbc709824f74ab26c78d566e87cba4b67e42615ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
e87baafaf31734e6b91dfe78075e2ebe

SHA1
a3cd5fea2d20e23a175d01d8ed66c475e40bc89f

SHA256
7da9690c236793c0bf2f98d174f9decf8707460d12d03431a68a7cdeabe38709

SHA512
3328f1487073c45f8c1a8b897cc547eb57210e50a070d6387cbf73d9a05ff818ae5ec62ea72ee1f998d1499efa63d0f794aebbda44c13cceb2db2827256df38b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
9d0f9caa11ca9f161a7fa72f375be504

SHA1
dda54be5e5c32ed58e6c4026f68c83b27e1c798d

SHA256
8b5d3d585a490887c3536a96463f8b803a4056f9b13f548ef0cee9a3b403be82

SHA512
dd29173d6b5729deb079436ea2aee2b5df8f2f434261ff7f030dffdf372ccd05a03dbccc48ddf411ab7ee672bccbb4130f64179f9ec242c156c82d295a3482f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
606db8af302c5fb6c8c3071263467771

SHA1
0879be4d8862585bc999aa4862387af06b6d1469

SHA256
0503e508ff96076e8f477ba94f338eb449c3dd01bb0756ef7d283efda1f74e6e

SHA512
97180cff1f15f530dfebcb248d07938113e9c6825102fdf568d03dec229eb40be85ad8fbfeb5f86833e97f3a0e905651d9ae0f43d7b5f5eb6fe67908a74e29a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\2995c13d-fb9d-44bb-ae06-d0f10f45e55e

Filesize
16KB

MD5
735d7c7d11bf4c8ccff32859f609859c

SHA1
aa22cd4bd9c8cf08453f81b817ef77572b88e06e

SHA256
39473dfe760a08b101576488b63b6321bb8444dddc0e24a678a13f6428f990fa

SHA512
2cece3d3880aa4c092fc6474796c54c15657b44d8b6c2bf016151841f56d82ee0210c249bb83e31ef7cfb73e7de1912333b1e39dfbb648518f8352a7ae2f13c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\3ce58cba-e8aa-46c9-ae72-63318fc87beb

Filesize
235B

MD5
185b5b1dcc8c06578c1b1df44dc374c3

SHA1
537c8b7ae07dd5cf89a9492831a4101af93431a3

SHA256
83fe8ce54ae6d505a007de37107b7b7610e01979610fb68ea450b01e46ccf238

SHA512
8380fd4f6b7217fa7a21768365a74b1eb1f1f33f8355f790b9d0d8292e486bb367e43bed8046c837a0b6076c691d00c1aaee493c586877aa5bbcda9ee26c57b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\95979d05-03e9-49cf-b681-a0c0f16a3f8c

Filesize
883B

MD5
7cd5c6b27140b1d4368436e8ab6c1608

SHA1
7e23168b91899e9dae808da0f14d9085777cf3f3

SHA256
e64c25a525b8a7837b2daa172930ca9ef4aa20106fd255f63ba774c3fea29fa4

SHA512
ee21a839ffc27abac561c1061a22ccad15a36d6c76b0a6223272d4ed00e7ab089700c5ff19c41f9380eb8c1b6f6f2a53a95fcceba1d845d0bf9df49d47e7eeae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\e04387c5-88e4-439b-abee-51bce4479cdc

Filesize
235B

MD5
f9cb979e885a5020e0e3505219d915e0

SHA1
50ce0ce666b1287e4365b68f6feec9c4ea8c8440

SHA256
44a211cef96781ceaf4a60e8e56d926b4736323cd7222421d44e71dce54742ce

SHA512
da65caa7fc479998750f056d66d99f89fc0182f2c4183314633ef6ba48d0e3168efddf917bd4421fd63ec84c96273611ed6bf11817bee051abc8de54d5509c28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\e36471c7-d616-402f-a37c-1f9935f9b335

Filesize
2KB

MD5
d1a347be80dfc73bb6a7b10cd3991731

SHA1
66f1fcae0b951f3b3082110a384939b2b3bc8b7c

SHA256
a512716051609412e0286788e64bd2f5f8310e86599410568360d7de4315ca25

SHA512
d9341fd59cc9360990dab643f5bd086fe68d5398ac3ca60bfe8627caba6172d6bc06c2958bc969ded8455375da393094df70415d30cbf2dd0d147123a7b488e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\datareporting\glean\pending_pings\ef71d206-ac40-4b41-9b97-15c88db78023

Filesize
886B

MD5
770e42358a55f62ea679f62042f9599d

SHA1
a89373245e712d7af9741a052a84cf0600f9b2ac

SHA256
02beab503604be5e2f21ac76497994fbf77f37bbaedf66a473cd69728fec9bcc

SHA512
ea7ae501e133d59b5ab973f98d41418675dfd7ad9412764f7ad4ed7db6fd444373332ffea06e32c2394f8327de2acc44548c65142dedfddf4732fb68d737f20b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\extensions.json

Filesize
16KB

MD5
32fbebe6f70442293f2fb90bc29ed018

SHA1
af7b9eb6deb0c047f34ab0951a0523b092ef2137

SHA256
dc01094eebbccd4a3ceaab4f5c2454309be631fda5932cba31c69e2445466c65

SHA512
0bf9b6d01396345434cf37d2f0d4f3f7b41fcc41fa9dcb7e99f9a276c495e76bae50aa92dae6b1de921196a93620ac4c6a123615c09d1451ed1328ba50c4f4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
8KB

MD5
0eeacc35e7e4dd937e79badc3c0991bf

SHA1
da7bd60c0f226af5084f823a92147c1473f84dd7

SHA256
08f93f2cde432af077b51c8fa5ad28ba1bb13be636cafa7d2685d15a09705a67

SHA512
3ee25a344e5024d1ba4742016326903dec2eb4265589edd8c7977e6bfe30a04fdd7df4eed5b4a191f5b3d520477aa831354ac7c2c1ac74581a07ab94d2b33253

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
6KB

MD5
dc28d7ac20458844e0f44fbce42655f7

SHA1
fff3e4d8234170dd766fe52aa293ef9e79c33928

SHA256
ac65ccc5f4d00aa9d87725602622bd1d6c628773b3060800cbeb278174c75e8e

SHA512
53747c5640d941f69e67e5b577dfd1c10ae92df2028b7d5953f0f84556cdc1deb209d6b07adc5c3d8051939ed24a1cdec2d58ab1ccce00a31ccffdb0e02d5d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs-1.js

Filesize
11KB

MD5
e62cadd2239ff6033ccf3cced572b7ad

SHA1
0df70e37a4de05b3cc42599cbdf02a2de3fce1c3

SHA256
6422f903d5633db72464c3c00127e0ebf92818b5c41063a45151b1e923e8713c

SHA512
25313942a4e74d92a41dca2619dc59d018fc2dbf3ebd42403b2b843a8ac91533d1b4ae90e3d03c0b2d57eb3c48aefbc922858846c4bc3d819ee9c9b4f27a9cd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
8c6cf6d96b98b5c6e5b7a9e597431d76

SHA1
c4c5d8693cfe1cdb2dd147f51cb8c83dfa798d4e

SHA256
0ab66557e4b2385c2e68c4c4b56956eaa6c6d298d5112adf6cd28d283a0d5b6f

SHA512
7842b5594194b06eab9f667316f56a2b76393c4af0314099084bc673dcc16d06ebbd033474e0f625d50554afd47f75497e7ee74aa999338a1940e11b50daca2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
6KB

MD5
413237e718a818456285569b84cd4a91

SHA1
f74aff192b4db3eb229c38bd205a24d361c454fe

SHA256
ea89ceb58b2ee05082c19e053fa6e865b15c18aa4a6ec8d4ebc7d842ef934ab6

SHA512
e7730a451587abf01e6707351e393d7665f2ef7ea75c375c9b1fef4c6f196f6a568e404026e0f60f42ff6bed9d0e7aead0c787f4c83926f460424bd46c3ae0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\prefs.js

Filesize
12KB

MD5
e9060e9b7986fbbc726f531b1dd484bd

SHA1
27fc187bdebce680d6e490feb9a24277a259db3c

SHA256
2fd93941295ef65f17bcdd329d9f94c4ddeaf41b026159e0f65b647303e68a35

SHA512
b338255ebd5c63f3687bc5b4da0844219c7fc77fd8afdcff55d934691c59680e5bea4a5e346c46860cd2bac613bb1b89f74092286ce34217924171ae1e7c75fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
8a23a7e954b508feb2b0764378a77c39

SHA1
4367825169c867cb1ca2352e634e8dfc47758e5e

SHA256
dc68c8991bd0429d2e2c855216d09540469a6481f9aebb015fe4332c1862a325

SHA512
8af68e0d37a5a7b61876f7d72553c71b6ea44aee3d06e29c801492777608b57572088ca8bfb8531edb34409977990ebc5b8feac130ed2391d6f05195727953d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
a8e1d243e3e0b042451a4c677d57553b

SHA1
2468d5aa74bc0b258f5a21467ff6b6761f64965b

SHA256
6b14fa1fae8eef19ea75b83609093215f2d40e6cf465d0062fc48caae90ee270

SHA512
c3b891b9b6f8181ca1e7c5e29aa2db8ee7b41898d59607c23bbfbb2444d4558327d28e6f8e0c08f7ad7f209918a2e53d816fa43d2010ee1374651a44b1a3ad65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
dbd6a280339f596d88e3bcfa4a6e308d

SHA1
b60715585d85ca3456ac8319e3bbf80f8ae33d9a

SHA256
3e91b9fad1c2d7a96e1797494a71110366bcb6462511bbc4631ad98f7ed73948

SHA512
eba798bc231da1c97fcffe0c17a0bee7ff4c75e45f296634a4f15b5eaa94d4d6b10cadb897c653e497a7ea2572fac18b4f45a6ee5e9d5582a3e6e3fdbf2597d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
49bc18d83853b990bb0523ead7022b35

SHA1
4c989ab21e303ed45778dac3592e71466a33f26e

SHA256
7c8e43483ff3b3c7e6b71b9255dc6d38284b96104db0f4ef4b8b19547c19c0a2

SHA512
185d5d126e554e2ca4d8e3b5fd3bf15c62f983dfb5a48db008838060e3cc2706a40a338450bc43fdafeb0b48ab0c0c74331fd07bc203d5cf9f3c3092caa046bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9388c6108aff4d6e6d73b8993753fb70

SHA1
755c9a52087a2f24c544e46f9a50f920856bfa57

SHA256
03d9ec37bcef5a063952b25dd0beb6facfe5c4e4a63babca87183750867c881e

SHA512
6d2024832f46672a8fdd540299583b20bf8a95ba29fd7834bca368573422e6a44df81d2449da9d009abe047d73832160378e04a77d96ea6be14cdb4c26f58b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
a88e59a4445adc40d435cd51ec2b823c

SHA1
234eef0c1235ece499ca2493aba08b9073c7fbd8

SHA256
27057abf09ef9b4c072581c8812caa181489d978a7c0cba92a3f45679d3ef487

SHA512
9a45152c927c47434ec09c85de30ba0cd61abbea951bb83c3e3ba41dcfd5ae1ff5a3a8167c828ea095a6b60e1ba99c1d1dcc4875d779e3c11a3567f80026160c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
aaf575ec7715e8b43a71bd982c3c6f57

SHA1
d99f7fed178c3687b2f8f8a2fa7597f2056f2b91

SHA256
e17ffd99853391e76ce0dc481b2f6aa339695ae1ce9cff9ecd2f7e358b66a60c

SHA512
4196688199927ebfa5ed9209452fd8774c9ca2e2fb8dabef0466df5980afc4155465bd454a41fcc9fb6a0a54a56c19a08cc73fe2fac2031d7b246c2391c67042

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
be37a5dbfee5b2ac395e8bdd86036fc5

SHA1
9e757f84132c0527ebe0c23254dbcd656f906d59

SHA256
10244580afb09746f77ac2b8661231b502c772cf6db7a9596f07937a938505df

SHA512
9f809de52931ce69c537fc265afe0414e44ebb13b3435ba3b03327c845af2f1d0fe17eb1a79b39c3b8b862b76c40c43296b71d1a9eeaadc151fc4462dc1f18a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.5MB

MD5
e28a32c29ae1a9c6715dce911bf870cb

SHA1
2599952f9c37da7984b3072bbad9e36bf8936b96

SHA256
d45ca99d7e0e3be91302e89e0bbff3c73548e7f8276277050edba77f711b1a15

SHA512
9de85dc49b1383bfb77e9ea40b35a6e581816b198620845d73fb01d3d1556374f81c38c41008093f137587eb1860139000ab4f8a50181a9f7fb0c7e368368ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.3MB

MD5
e8a4c1f2a50d4711e88f7f9e5802f172

SHA1
c0bf705e5ac595d37e80a9d93360ca8467cb6e1c

SHA256
32cd6ba69977e31f2c1f8cfecd7b51c6c4fae481db8d1c4b04aed58da8a35b9a

SHA512
b3baf407276a4620b122206bef0062811952843545482d01a64ea8b61345c76adf33c4147085b5f4a7571de62bb1c45b9ba6d822e1248d602b9e916e65f5d6d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.3MB

MD5
479887ecbceb4297d3d5396d33ff2ef6

SHA1
4ce0fcd317de2fa4451701329c76e69c96276fff

SHA256
9a0e690aabb1dc4f30111ef28502b3a1efc0514f8104f52e02f1526156465d8f

SHA512
c53af587b0a4e47bf380a4701020ac2365968141525a553c37b3a72cf51054a90d2a86227942bb09c58a55f3996235afd228e5659d98a294b177157a811ed4a3

Download Submit
C:\Users\Admin\Desktop\AssertPush.mhtml

Filesize
707KB

MD5
b864b2f0907f752e82d53bf29f855f77

SHA1
96e8e3fcf6925e19172f0a99bb0fd00a60cb8c00

SHA256
3e11c3c0a36e6d31520a6a0702a2f72bfde2cb9e53e2f5f34bf793c3c261fa78

SHA512
06e83a24b2359f5b0dc3bb910eda95ff1bf1492f9ae3be3358470f96dc1e371f6bb1f62f8c5066a8d6be131e3629e441b3eba8e40e886602c04cea2ba5077906

Download Submit
C:\Users\Admin\Desktop\CloseSearch.mpg

Filesize
1.4MB

MD5
c81c78c9ae32c0eed2890b977fcfb6fc

SHA1
a85d8aad23c86764e95933e8546f874575934b37

SHA256
14bc42f24acc0afca0c5e14bf8ae7a780d70870914e4c317a586523750503a42

SHA512
2331996f11c9ec33f97c5d9d401f64554201227931252fd7d3d80c733a670f459f3bd2896ecf8ad7e4db5e9811b8d266634253a634d2e43a212e898a268741bd

Download Submit
C:\Users\Admin\Desktop\ConfirmMerge.vssx

Filesize
970KB

MD5
3bca577b62cd9c35a172c375b182ddf2

SHA1
ebdc6bdefeb88fecf9f2797de4cbc819e487850a

SHA256
fe3285db8696e44fc7e01a5ddee6c701b80defa624faebb49b899172350e2b7f

SHA512
4d25f204afc57709df231586e69aa016105be19fe00457ee11605c62b86553f7f5b4948afdfdbed005d522266a51c4d41393e6ec913eb9e0998de4844d63940a

Download Submit
C:\Users\Admin\Desktop\DenyWrite.js

Filesize
806KB

MD5
5271bf7614c13e11d16c72e9fdee9438

SHA1
5af98d80964793b4493b143722629520cf954c91

SHA256
be8310d725d4eebdcc2eb4ea289707660d63e35b3e1ec6d9bdcea0c5a3087b6f

SHA512
12490d7e538449550a66237cfe89a8ee911530f612b2a4a4d845334a9cee00bc88bdedf37ac029ba3c0d5e61701c858d4c252458b21048494805da894ab976d5

Download Submit
C:\Users\Admin\Desktop\DisableUninstall.ADT

Filesize
641KB

MD5
ebae3370bb619c2ad7e83f61da34ffd9

SHA1
14ec93636fdc885d31302510dc1996c7635efdfa

SHA256
cd3f66d03d305d0c5ba619543c8594e30261e568e13bb41829225cb4e8b1ebaa

SHA512
e0fc9b5b51715e38f27eacbcb122667dddd2be57f3370ebe20ff4f49308715c829d246e88b513866083dcff0d2d3b4e5b49fb281728ec0b415b2ad14a9860d48

Download Submit
C:\Users\Admin\Desktop\EditImport.jtx

Filesize
542KB

MD5
eba62e0fe9853b33fd816bcf4b0c3b35

SHA1
391773e82275d6dc9d28aefd314849b2bdc10f80

SHA256
451601287db73822dad9434903874131766426bc4b496c522adfe6a8168cbc38

SHA512
ffe67c9e8dbc365b52acf154cfc24335bc7b2282250698512abb741b2ffc8061d9dce12d5eeb83d8cc12ba1ccd36aa72d7c34f5cb0771860ad37a4e34daeb788

Download Submit
C:\Users\Admin\Desktop\ExitUnlock.fon

Filesize
411KB

MD5
379e444e417270b6976ea31d05f18ef9

SHA1
cf6463e48621162a45592d01dae93418ae05d384

SHA256
74bdc9a5bcef483b114e86fa7a1652a2eefde03363e869eb94bd5f7c253a74b2

SHA512
3b88f5145008ea0843fa8297e1f2d71a0a0ab21668157dfc5c3d02d64d3b83e6b2b37eb703a1fda0129e123ec896f9f26bfdcd5080e65e88f37fa360adf025b8

Download Submit
C:\Users\Admin\Desktop\ExportRevoke.xlsx

Filesize
14KB

MD5
fdf2cb22d00234c2d869593ed9be3fb1

SHA1
62e893d957174a093d15531a479b50e745f65fb8

SHA256
6d46203d96528d7c2b26290735bbc454e738af82a9e7d843b521f126c9adc3a0

SHA512
dad5e8932c57210bb614725b304a1d6511a71c0c316c7fda1565ad05f5488f6eb3abd88133504b7928edaebe55a461ef53f60930ee7c93c8d95d91028dccacf9

Download Submit
C:\Users\Admin\Desktop\FormatCompress.xlsx

Filesize
11KB

MD5
4eb501465d297c9cf3b423d74988fcb6

SHA1
0903f3ada5033f98d3456e3f15e6403fdba069d1

SHA256
f5db3479163f2a335f2c33df4c92854b9f694eb9bfda7766ec990fd4bb2fc6e6

SHA512
c81f185bd6bcb81d747d38f754f4b2a416da75e396ab1d86cec3ef4f71c86ba3d01b1a71a64281fec13671c11217b2e801b1254fc90439b895fec70b078969dc

Download Submit
C:\Users\Admin\Desktop\GetRestart.docx

Filesize
17KB

MD5
da87de752c103b2790d47436b42225f2

SHA1
dc3e02c93a05f405b913fab8258d5c2731c579a3

SHA256
295b58ac86e643031e8bcc0a6c78ad5698fa1eb3a0f1ca01215453d47b3e8863

SHA512
22223efe51823c479f2eb9ade9f204b69c28cc0b5d49c38f8c4db13e98c4f3dcd197bf03f69016d19370516e812c915031b22d1f530f5c73a79c5c0ddb4ccd1a

Download Submit
C:\Users\Admin\Desktop\GrantTest.mpg

Filesize
1.0MB

MD5
81ca6b3a92bc36544c8f0a3f63022b50

SHA1
5b324e4028d987da04b24ccff5e6a3c1e9936e48

SHA256
e655ef24e8ab1ce3f33d8ae7bb74d01bbd24d37251da795c9d3f13ac9f534313

SHA512
c60d1341f136271c80bc5e0c4380f714c02e394300b3e533389104b37be72fd2d28f1aa61df1abc0dc80522bce74c6523cb357e47077eab7eafa26a32dc56da1

Download Submit
C:\Users\Admin\Desktop\ImportUnblock.vssx

Filesize
872KB

MD5
4b85b23bca603d86ac3710afbaf6a332

SHA1
0ec04861a2bfa75ce906e56e95247365977f3d3e

SHA256
60a00e9fc061424b8bc8473024540c0deb58c5f0ec4b9c70a80cf12935593273

SHA512
001ceb014203c58d7d399e20396c378805a2499c4601fb3596d1c2d9aeda0ce6956c52c1968320522ed3d69894d7a15e2c600327cdddbfc693e0c3f51c24ede7

Download Submit
C:\Users\Admin\Desktop\InvokeApprove.xht

Filesize
1.0MB

MD5
216c5e4b3884421805450f5777dc9d16

SHA1
aac6cb570baa25783ac1b84ef1fc3aa9e093d236

SHA256
3461e95961222b3b4f3980234de03ce09e10c4d5a69d67debbd1089266bb0a3d

SHA512
318839a9c7a94fde2e689436a16b543222d8712ef4b47e7dbfda389ffda829ce2502b10bcd754884c482724511f0650bc55d495f191b99fbe7c795cadb8976e0

Download Submit
C:\Users\Admin\Desktop\JoinUnregister.mpv2

Filesize
608KB

MD5
a646bf94fabb5f2bf86638cbcb21805b

SHA1
846fd35d7e17afe8647d031c6ef80cf06ea34494

SHA256
16fbc780f26c5327597d59fcfac29058873f936ed6f6c56b16d331f27cc173ee

SHA512
82f6a478cede57d0ee29b9698b72205bb235e3adafabf1442e0494821cae3f76a217811237828c3ab89b043b6ad8b51840c4e24a6c3f350b23f52eb67f18df04

Download Submit
C:\Users\Admin\Desktop\MergeAssert.nfo

Filesize
740KB

MD5
509362442318736373a3b1e7ad073c25

SHA1
aa475581f003eea8716461016cf2696995fce834

SHA256
787e57f8948ddce8d44b914533a447205542d62e6d9aeabc8d77e1b99a303fa9

SHA512
59550a75bf4e3a0245a21f6d0193a65b97670dd946718b67da56cb24b2453197c3660d18d16650282b0c89b0f1d486236bde264b96ff6f6a078046dbccbb64d3

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
c1f355d4d1fb70f683cfdd6f98241e62

SHA1
b114c930dc4f5e492071b1e1027e6a993af66db4

SHA256
fd2610818793504052586e136fc812f10fdc8f1ebf3b7b021b5e586f3474b15e

SHA512
882581c601109866d09e7a7b463031dde5dae12957404592a6f047ba2c8b9dba5541f973f3add6340544fd2d862c54369d33691f97466f76de9e16af2cc37c6e

Download Submit
C:\Users\Admin\Desktop\ReadCopy.mid

Filesize
477KB

MD5
99509595ccadbbb31d2442b0f86c1684

SHA1
3a8e8551ecfb023ea1c177ed5d36b30b38cac8f9

SHA256
c48005b34471bce80a5c26760ec58a67d85ab53cb8eab926ea2f8800094cebb3

SHA512
c9b8e78ebc74ec7e8fd2faedc1079475b7e11b338aab231e27d1394a636a21cbbeeea346db5ca3e52bdb8aaf8420029531036810b28bd7a13a88ed74065d539c

Download Submit
C:\Users\Admin\Desktop\RenameProtect.docx

Filesize
15KB

MD5
0f26761732adc59001e445c8f6e967bc

SHA1
babf39c0fd92161bec720d307eef4e1cd6efd94c

SHA256
6c25baa2ffd3504382c10038210c6a148645b471108a92f67e09cb2bfa3e0a2b

SHA512
f077b61a729dba8ad0fee96f39bd02af0131f27ccdc1f0d2f847b73fd16c1868c520370291f0bd71f66f799718c8aa997d112276c5d634afcf7738e814e76b07

Download Submit
C:\Users\Admin\Desktop\RequestCopy.hta

Filesize
937KB

MD5
732672a416464948a8dbbc15994d1f45

SHA1
2994eb451994c94b48ed9e15e7da68e6b1251610

SHA256
e8250bdce24780d136abb39b475412d7c230f2e7d4697cb541355209d3cf20b6

SHA512
2b92b260f99ea5a1bddc5929a0bb87a3d64a9160b5f05796772b6a232b6c13401b980ac8f6b27d1c1d3ccf9a0fe242661493694822131235b9e55efe96cf96bf

Download Submit
C:\Users\Admin\Desktop\RestoreFormat.xps

Filesize
510KB

MD5
26ce05a48fa845105e3cb2b27c2529ca

SHA1
1083511fb704461254f4a0943e6c911fab0144d9

SHA256
a8278f12458554f5eb3fb9fcf9bcfca12e1ec8d85fe5dcb1b992bd1ee065535a

SHA512
dcadb54bee0a316fff89336aecfc8297dc92346d5ec7a6183422e2065a03aa0b8ac89a8680f2c04da6add2bd278b96224c0761e498631bf48c1e21a880258d51

Download Submit
C:\Users\Admin\Desktop\ResumeDebug.jtx

Filesize
773KB

MD5
c3218a91ae99e5f092e97cffa0723815

SHA1
c0af39ae989628fe973407c4b41f3bbfb7f43eaf

SHA256
f2fd1b817089cd019e8dae7f9684b1521d35e87e5be7e4518cb327ee7f93afe5

SHA512
9c96d10ca219d6ae170637aec2e9c8bc9ad65afc014bc5195eba31c1552b9285f16de62023970b978e0615f2f5e0cbebe3ceb3d6370dfd8c4a9db6feae363189

Download Submit
C:\Users\Admin\Desktop\SelectUnpublish.mpeg

Filesize
1003KB

MD5
d43a5d60c85a490fe899c8f6188cb5c0

SHA1
39218399d2c6766f8f279940d1bde70445324da8

SHA256
92e1c59d89687d10790373fa6cccdb9bb3e3f3daed0c28ee4bea52388ee7e2aa

SHA512
7bff008f6d4afb50463b80a0a458f5c5faa3da3aa99bd5bde5c5b3c0ceb0391b8050dff32af7f07cf40ec67892a7ac0b53d132aa80db7e3452a9f0b3e1caa05c

Download Submit
C:\Users\Admin\Desktop\SkipUninstall.emf

Filesize
674KB

MD5
ce268f559d63b679acdbea6b621d90b6

SHA1
f40fefc9b7bcb46a18c79255a61f810fddb913db

SHA256
f8fbe225ce4769050e1d3a5d206dddb4306584d158eae7f0e44f9690072135b1

SHA512
0b46b740ac729eafd43523de72700942ed51059231cf5cde6825041b25357cffb4ba824198f07321b80ea6414e20307d19148211252ee87daea520003b7a4735

Download Submit
C:\Users\Admin\Desktop\StepCheckpoint.bat

Filesize
575KB

MD5
e73d29f63439896af973d1700fa5b31b

SHA1
fea721fc13916a9b6db832220f43125bce33f5d1

SHA256
f535b3842412558a4724ee88c1e8ff944729c7f72350213f0a403132b08d0a23

SHA512
b4a5cdad6550009cbb39af0b44854d4d73158d79d16af38416893f2695c307b15b62c45ca4bd4e764f60316d8891d4a971eb479b0190d9aa2fe44ae95a3d7905

Download Submit
C:\Users\Admin\Desktop\StopProtect.txt

Filesize
904KB

MD5
bec418e46a46693eab7a912b3c16e16b

SHA1
d09081f81be37c06ce19e8178da18bd62dfd01b7

SHA256
0d1677225510773115cc702f3840c46c1f33f1f239ed1e4941efdf62da2b0687

SHA512
79bceae7ce7c74d6f5f35173caa43ae6c2b7b02954bbdcb1abd05a6ccd41653e6529ba58ae7fc5a661195ec15a251df16dee2a42cecca3ab702fae1fd6f2f4f7

Download Submit
C:\Users\Admin\Desktop\SwitchClear.i64

Filesize
839KB

MD5
e08114b4d5235695d6146ff0badfb51a

SHA1
4ecfb82a24d76f15a5edd0d537888f933432add7

SHA256
7e540bffbe3998e9a298be22ba3ad6cc576328984d866a5207ab81ef85844ec8

SHA512
0eb9ce521f9eb98e3e1980c935243db2bab751c6d744bfa36a409b5723319224dc6bde3409406dc8d949ab20ff6f9756749266a7ca14b1d443111dfe8a0e8748

Download Submit
C:\Users\Admin\Desktop\UnblockMerge.xps

Filesize
378KB

MD5
5011232ce0effab3b6971893efa4467b

SHA1
6353ac2f43e02885bd92599d7cf74c62dad80522

SHA256
87bb5d956d6d1c8a140c2359e05ddd4f2a974bf1954fb9262741354bfb30e532

SHA512
273f635584081e159d22245442bc55c572409b2ccbbfd5f288ed5a7c95304fb2fd85b8d0af796afb34394cc10d43ad6bd600a691313719f1cba2375d6cf163be

Download Submit
C:\Users\Admin\Desktop\WriteInvoke.asf

Filesize
444KB

MD5
bc4cb4dde4122b4aeca7399dc1be55be

SHA1
6553e3689c1815cb3ab20fff0a571ba7e98e1e45

SHA256
43728052e386cb0f81f9accbbf3d8797721197efc93b3278cd52333e86ec3df3

SHA512
b918cde062b40676283768468de17a319eb335fc05247e0572fa9c82894f880ab31899558876190101840a9a7945a7cb27fce0e420ccb7ebf682c7f98da61f0c

Download Submit
C:\Users\Admin\Downloads\Blackkomet.h5FdwTPJ.exe.part

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.x0PfFmql.exe.part

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\NetWire.BdIsMqfs.exe.part

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.XNxC7mN9.exe.part

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\hrin1TdK.exe.part

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
5e8d2d265519452ce118df2c92ac1b8f

SHA1
31eea33c1d7dbd8613a9c240c6ced48ca24bbaf2

SHA256
c6dabfcd9ddf85c1d0340efd69bfc0f09b24063099c77c08e0ad48baf5f4cb07

SHA512
d5cbe22814fa271b7b8f939431b4229e72159d8bda5c7dfeae79f3a8c75fe8093a1c71813a174c0cfa59b15e53b6a3a0cf949f5399b8bc4f13f05023812b2918

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
7b8b380914e4b8e7549cf690408bc9d2

SHA1
85eeb7ece758a4434becf3983631f13ba89056fd

SHA256
50f99f300693e64438ecaf72ad93a7ec4b347eaf82afccaba91086be2c505f0c

SHA512
dfee14e5a7242e0385f99112ab7efc81fb8a10af9f8bde4bd042d5448636b40cf87a4be4ccd20a29a263f97eb1ab0f2dac79b74b726f866fcffca268c88d09c9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
5accd85e076295021f03136f4b19b2a1

SHA1
276c7b7d76b137e7ca8ee63b7246abfd22d2d478

SHA256
9cdf05be94d0498dfdcc7d16f355535f3c3a9304a6abfd8718edced396fa6793

SHA512
6d0b8f81b2926abe52a241d0f541373b1f1c7a53143f148b62a00399e1837cfe6864befa3950c37c9b6511a30072a70ef724d620e0aab278aff91c1420b721f1

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
2089f0c89ad839174853271328b5bd8f

SHA1
00e8419190fd9d2674fa2ac9da3b0300614285ec

SHA256
b37fe4f00461ca183b4480b2316d718bde5a95c750a7f79327a57a75ce0635e2

SHA512
71abd236ef429f87436996b51230e0e49b1a05eeaa623d456efbef803a985dea38c3339b6f2c7c7895cead73ded3980453793f2b747894fee38cabfd3eedf08a

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
221B

MD5
f1b325288486362f1dc3ad9f592bdde6

SHA1
5204e7fd2ae9dcc986fa693c9e862a8ea7340539

SHA256
96d5cab2345d032d020aaa521771975cbce108fd905aeac11d94e7e7940ff962

SHA512
f8261d8d9c933172c2dbf3b8387b779f271724de52b216f9c2e7a7fc8da6bab285b69c9e10bda987825e894053de83292146c4e2253e45448a7fa106f7732e31

Download Submit
memory/1532-10282-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1556-11137-0x00000252C8A00000-0x00000252C8A1E000-memory.dmp

Filesize
120KB

Download
memory/2476-10288-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2476-10289-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3276-10235-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3436-10279-0x000000001C9D0000-0x000000001CA32000-memory.dmp

Filesize
392KB

Download
memory/3436-10278-0x000000001BF00000-0x000000001BFA6000-memory.dmp

Filesize
664KB

Download
memory/3436-10277-0x000000001C500000-0x000000001C9CE000-memory.dmp

Filesize
4.8MB

Download
memory/5032-10272-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/5096-11169-0x0000021F496F0000-0x0000021F4A004000-memory.dmp

Filesize
9.1MB

Download
memory/6404-10232-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/6404-10273-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download