revengerat | hxxp://gaijin[.]net

Analysis

max time kernel
122s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2023 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gaijin.net

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 12 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 797657.crdownload	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
behavioral1/memory/5544-863-0x0000000000400000-0x0000000000420000-memory.dmp	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe	revengerat

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

RevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exesvchost.exeRevengeRAT.exe

pid	process
5348	RevengeRAT.exe
544	RevengeRAT.exe
1432	RevengeRAT.exe
468	RevengeRAT.exe
4112	RevengeRAT.exe
3180	RevengeRAT.exe
4856	RevengeRAT.exe
4264	svchost.exe
5724	RevengeRAT.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 18 IoCs

Processes:

RevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRevengeRAT.exesvchost.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 544 set thread context of 5544	544	RevengeRAT.exe	RegSvcs.exe
PID 5348 set thread context of 5524	5348	RevengeRAT.exe	RegSvcs.exe
PID 1432 set thread context of 5604	1432	RevengeRAT.exe	RegSvcs.exe
PID 5544 set thread context of 4296	5544	RegSvcs.exe	RegSvcs.exe
PID 5524 set thread context of 5552	5524	RegSvcs.exe	RegSvcs.exe
PID 5604 set thread context of 1916	5604	RegSvcs.exe	RegSvcs.exe
PID 468 set thread context of 3068	468	RevengeRAT.exe	RegSvcs.exe
PID 4112 set thread context of 5908	4112	RevengeRAT.exe	RegSvcs.exe
PID 3180 set thread context of 5464	3180	RevengeRAT.exe	RegSvcs.exe
PID 5464 set thread context of 4700	5464	RegSvcs.exe	RegSvcs.exe
PID 5908 set thread context of 4888	5908	RegSvcs.exe	RegSvcs.exe
PID 3068 set thread context of 5692	3068	RegSvcs.exe	RegSvcs.exe
PID 4856 set thread context of 2140	4856	RevengeRAT.exe	RegSvcs.exe
PID 4264 set thread context of 3896	4264	svchost.exe	RegSvcs.exe
PID 5724 set thread context of 6128	5724	RevengeRAT.exe	RegSvcs.exe
PID 2140 set thread context of 4056	2140	RegSvcs.exe	RegSvcs.exe
PID 3896 set thread context of 2192	3896	RegSvcs.exe	RegSvcs.exe
PID 6128 set thread context of 4644	6128	RegSvcs.exe	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1926387074-3400613176-3566796709-1000\{1D2ACB34-24B2-4720-9206-164DCB034328}	msedge.exe

NTFS ADS 3 IoCs

Processes:

msedge.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 15291.crdownload:SmartScreen	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 797657.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
664	msedge.exe
664	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
776	identity_helper.exe
776	identity_helper.exe
3496	msedge.exe
3496	msedge.exe
5168	msedge.exe
5168	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

RevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRevengeRAT.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exeRevengeRAT.exesvchost.exeRevengeRAT.exeRegSvcs.exeRegSvcs.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	5348	RevengeRAT.exe
Token: SeDebugPrivilege	544	RevengeRAT.exe
Token: SeDebugPrivilege	1432	RevengeRAT.exe
Token: SeDebugPrivilege	468	RevengeRAT.exe
Token: SeDebugPrivilege	5544	RegSvcs.exe
Token: SeDebugPrivilege	5604	RegSvcs.exe
Token: SeDebugPrivilege	5524	RegSvcs.exe
Token: SeDebugPrivilege	4112	RevengeRAT.exe
Token: SeDebugPrivilege	3180	RevengeRAT.exe
Token: SeDebugPrivilege	3068	RegSvcs.exe
Token: SeDebugPrivilege	5908	RegSvcs.exe
Token: SeDebugPrivilege	5464	RegSvcs.exe
Token: SeDebugPrivilege	4856	RevengeRAT.exe
Token: SeDebugPrivilege	4264	svchost.exe
Token: SeDebugPrivilege	5724	RevengeRAT.exe
Token: SeDebugPrivilege	2140	RegSvcs.exe
Token: SeDebugPrivilege	6128	RegSvcs.exe
Token: SeDebugPrivilege	3896	RegSvcs.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4780 wrote to memory of 2644	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 2644	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 4036	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 664	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 664	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe
PID 4780 wrote to memory of 788	4780	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gaijin.net
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffb404f46f8,0x7ffb404f4708,0x7ffb404f4718
2⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
2⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
2⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5580 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,17426599416673252092,2386211444975874441,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
2⤵
PID:5172

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:5552

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7tv4zmwf.cmdline"
4⤵
PID:400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69777DAEAFBD4858A1EA428745FFF1A.TMP"
5⤵
PID:5288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qxxis7na.cmdline"
4⤵
PID:5680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES427E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3D991236524A67BC48BAE48E9EAD6.TMP"
5⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fyca9_ux.cmdline"
4⤵
PID:5332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4358.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCF17F45F81BE40FCAF338D618294D5B9.TMP"
5⤵
PID:5652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4qo3kmc.cmdline"
4⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4414.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc58145949B694167ABABFC6929502CC5.TMP"
5⤵
PID:5344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\efozmrca.cmdline"
4⤵
PID:5836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES453D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc614057334AE04AFC869C4988A7DD6CEA.TMP"
5⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxw0snf1.cmdline"
4⤵
PID:5188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4617.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC81D6DC287CD44FA8EDCFCC8BC4879B3.TMP"
5⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1ogpvrh.cmdline"
4⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4740.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7ED1A9A863C4F38BED587BA2BA9021.TMP"
5⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1p4tooko.cmdline"
4⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES482B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B4C81B014D740CB9D74F512DEBB89.TMP"
5⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vvq_dcmn.cmdline"
4⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4915.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0BB3C2E551C48FBA9D35E3290132177.TMP"
5⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\weyydnyg.cmdline"
4⤵
PID:5964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc287E65BFE2E44F1FA0B285DE7B38C525.TMP"
5⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k9tta_c9.cmdline"
4⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ADA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc168C31CE988F4D2A9CCA42414E61A39F.TMP"
5⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jed6gvhn.cmdline"
4⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF185EE236CC42DAA274329EB93DAA.TMP"
5⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ljemkmb.cmdline"
4⤵
PID:3564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C9B424178D744849F2CFDAAEDBBF6D.TMP"
5⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkyqhs_r.cmdline"
4⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc310F2C52C924467293F2DDE14BAA1AB2.TMP"
5⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_ragl_6.cmdline"
4⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E36.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EF7417A9EA043E69F8D2F38CDCBAE90.TMP"
5⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6t8dbxyj.cmdline"
4⤵
PID:5312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F5E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FE8CA294EAF40C3865137A7D5C4164D.TMP"
5⤵
PID:5552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zydcq53m.cmdline"
4⤵
PID:5472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24F1D291241448BDA9465DFDC0F81E.TMP"
5⤵
PID:6024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\czs4rifz.cmdline"
4⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES525C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc994BC050C1254D0B9869B9656C133281.TMP"
5⤵
PID:5904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xllprsp.cmdline"
4⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7779F8FA730645688AABA8E7F6BB8056.TMP"
5⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sv9ce2fz.cmdline"
4⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5412.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9005195D45F45F7AD7F527337413FDB.TMP"
5⤵
PID:5412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ixudxcla.cmdline"
4⤵
PID:5220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DD0B0AB647243D1B7BB2F4CC13FEDB.TMP"
5⤵
PID:5960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlfviuxu.cmdline"
4⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BAA8CCBD4E34D72BE93F22DC0B7C8D3.TMP"
5⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmlg5chr.cmdline"
4⤵
PID:4464

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5604

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:5692

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:4700

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:4056

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:2192

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
PID:4888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
1⤵
PID:1916

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3efb70ac45984b6089fb58d812c18c9a /t 860 /p 4780
1⤵
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2010_x86.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
Filesize
591B

MD5
944402545afccaaf768f62367ad5d842

SHA1
d1598ec9409d0d59f52f9bf0da6390bb5d5b6559

SHA256
4fc9414bd5572166acdf31288625df1f0bd34f5d0ba8888bca181258d81c85ac

SHA512
9ec3875fb0e84301992f902ef3f85c53417d759f8e9e7064a0316a556043d428ffb90f91b54fe2761fae7ce9b73ed5d536dcc51b9a696965e6c4b209ec01711c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f95638730ec51abd55794c140ca826c9

SHA1
77c415e2599fbdfe16530c2ab533fd6b193e82ef

SHA256
106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3

SHA512
0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
20KB

MD5
040ff81763dfd0fa5d9bfeaf2f4f1b55

SHA1
6001db27e20d4ba79dcd10e71d37d15018a79c46

SHA256
1ba006a42f455ce369bc25fcc25ad0311dd65052a9545aa522f82234a017a96b

SHA512
47680e4be2086d1a104f9dd34f15ad76d3bfacb713d60002b6cda8566f6f420e84a1004f046df88565d1a387e24b539600197a4393d2dd85fa630e24034cf19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
67KB

MD5
d94e0e0a05b178d5f668021e14c7a1d9

SHA1
d28e00ff7663ba19bc80a379643ef1cb20b4d2a6

SHA256
ce471ce8016410f68616f0b1f122fc43f2dbaa7fd747877fe19955f492c630e2

SHA512
aa62a9b26850343db5b05ba623b1db75281ffefd7d5b168fd1a4a85c28655b1f3f900edfab3ac57ee7c4ace83769265c9a44d7b19b1b0e9c7fd3e11dc6267831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
89KB

MD5
20b4214373f69aa87de9275e453f6b2d

SHA1
05d5a9980b96319015843eee1bd58c5e6673e0c2

SHA256
aa3989bee002801f726b171dcc39c806371112d0cfd4b4d1d4ae91495a419820

SHA512
c1e86e909473386b890d25d934de803f313a8d8572eb54984b97f3f9b2b88cbe2fb43a20f9c3361b53b040b3b61afb154b3ec99a60e35df8cf3563dabf335f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
981KB

MD5
2e0ba2f77fbfe3e0bba7a349df175f04

SHA1
52d4a4c17d7a136e4ecafe307ae6757e6ff684a0

SHA256
6774f8a1149b0c16efeeefb2f77246aebe1534e20b84a4d9f2dea26142109315

SHA512
04bf7ecbf4eebe63649a3d788ae8692d906c5ccb2837977f837c54d404bdaa4a1be3ab484e4836778305a29d18c9ccc8ab6516d17d1f7c685fac0f5cb61ab460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
32KB

MD5
873c4764c2a7befb6d4d78650fffa6cb

SHA1
3052199d1a09e6aa9a48667267a1a65e01925785

SHA256
c6396cfb3b709128efd82810adebff888f1af62d634f882abf05b09cde839b15

SHA512
385d88634055001bcb3526b0878f2a9adbc02b77e60d0c72a3cc9d81c0c8e59aa7ec04f15e7d80e34ec416c876631288171c8924ea91482b12f7b8ddf37bb2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
75KB

MD5
58d4ec17141f90f940c0c8cf1babf0c4

SHA1
188d4da38593a7fbffa950c4d7017a40bca8e8f1

SHA256
07a29e19ab31e312a9bbe223588b66408531bdca831a97fcf79fd30206010d4d

SHA512
fffa1a79c33b2212974a50474a1798a20e0667befa77391f97124347bbefd4bb7785e747aa02482240cacff1a5305c4d92702c7467554a0f0e7660105e8b9a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
9f9ea8fcd69d7b83ae7b9862d576c697

SHA1
87d3003b891efa56eaa71be583423f37de21f421

SHA256
718d2a27891287cc29169fcb4058dc45453c84b1444fea2fd2c20f5798dbbd9a

SHA512
10bab6f226ab6953427ee11d37641f83d688b3adfb4761a1946feca44a50d8783c1450d366c8bd937712ba363ae6d70c4c92f8bf7ffbb214bf1b817fc2bd8f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
966a935f403bfec60c011ced01dc88e9

SHA1
54f34cfdb26f9c76ff2ae7482c9d340ca427de75

SHA256
6b59a4c56d6420dbafa19d7f564e1055a1b8eddede1068812ff2674fdc727296

SHA512
92698e5a63d2a87d925803ef80b5bc93db909a2cf1a5d8428d5cab412d2287644b74e66f3fde480e2b6c7ef002115e1d052989f043063fca9c5dd3d1d80fc0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
1db9d5d56bb3d5c95f3751aaa1e01626

SHA1
4d90d488ec42152aa05df1ac283fd5706df81e74

SHA256
1c9d352259a9f41e63da3166f566e47611d147b13ffa207251417503c7cc5e94

SHA512
9f010b8e5d3803b6460a8140175513847f5dc8caa8ef6d8866e20d3de21b2fb93b4998c831aaac5bf85be6bc925eb38e2e34c00d4429ca4063a9e27108bf068b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
583c5deef1714729f34c4e27191b2c94

SHA1
84e52ceecb88767589008d9ea0eb9b2a7d426dfc

SHA256
bfbd9484cab2d6dba3affe79c16987810531fcb386cbdfda0ea35efaa1a1cc7e

SHA512
e168929f676d2b47151548417b7d7e48725372e8b502459d70353eb8109bd8e975e31816d1d8f1342f9d86f868f9f6d71322342ab9281c8f753f14f8f6cd2220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b35798ea082d3048110a3793f77ca755

SHA1
2d9a8e142c22ec3e5280b0b9ebed0b70bde10402

SHA256
efe3df7808f1e108a70e27c56b11294755dcb34b30026cce43a25fcc189f38a8

SHA512
1ab1f4997474688d6549b88f9ed171e28e8f32c1f49d280807d37b3cf2e53ceb277ba3021ff0975e66a4770494e50a6483180943232ddcd6ce09eb70553ec8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
15189653967c7fc6211b1ab993fc5e01

SHA1
46e38a25d072a9d2f9f0dbf7d65711965a4747e5

SHA256
35a95ebaefa504a36cb9443d1765fa2dee20800e6029e3bec56aea1bd720b00f

SHA512
543801ed15f20becfc941c8ab2b95767f1d57e82e35d5d0a2d7fb70f929161c9dd4e5f2f4356fd8afac90a33c4b1b9f18db0ad5a2bd4a306bd50b7dfd500b2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
70f912a0e349270a9a919ad965948aa4

SHA1
ee7233e56e74c93001458733772f8610f503e52c

SHA256
858bc67015561a193fffa37ec6e8f03f4e20cb27ccadea5ab9f1896115502437

SHA512
3133e87364eeeb3e4d4d074db6f9f85424aebdc8a0f4a5b4504911372c3222316f810ffa194adae3bce5fb0ac571ca70ff5c9b007ab523c8e4e18f5de31dae6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3e22da94db791c32cce9ebdb68358fa8

SHA1
fa9d6cf59a2be2a56f85105d6b2254fe7165a690

SHA256
e61fd7f487dd0af143bf2ef9566529cbd351b65637680a758bde82126005299f

SHA512
2c886e6235eb9a3e55340b95ac3135b78f471b59cab0e6f1d8eb4630f2fc8b34112c26d7ae5a411dae1df06d1503f69887078067aa45154fe4df0194386b5a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9facc774a1c862393b9e003783ca64f7

SHA1
2e265a78dffdfe68049cdf1198bbc971c51b9180

SHA256
99ea6f1d14fc958a67b4d0d60f9c7b51273d5d06b6dcba137d30f10e79c4c269

SHA512
7b0eba17f5949022c8b8dfa112e221ea50789599b8afbf0dfec26162a2dfa09b84a25f8725de3807cfaef94cf22e829e388e3a06951077f8f17fcf839ced261d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
4a078fb8a7c67594a6c2aa724e2ac684

SHA1
92bc5b49985c8588c60f6f85c50a516fae0332f4

SHA256
c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee

SHA512
188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2868e62f3ff8b43b9d5f4963f4045a51

SHA1
e403ea4c5f6a68af387dc81a0ae08e95ccbd2467

SHA256
d9ded0ff6a49d53fb507e2dd78e033ba384866c9af4f27d9f56b1694c5c6098d

SHA512
d405afaad97a36977c8be0a3a6c99a41800d3098cfcca869ff5079a2c0483337c5c163dc2177f2b6894f8567b917d6146a89732f0746cacfe85762b08ebcc9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9abac42646560b65545996acb77d13b2

SHA1
98cc1c288abb06773974832ad29b2a5409a62362

SHA256
03bff35fa8b792ea356582ebbbf72587b4c1b7fb3adeecc66b08ec5be4b816ce

SHA512
e506a8306ddef8ca61e439f4513fa978e55e137c8dd878cf55d18d21100e1aac4fb610ea8f1b7631cad542d48bba3fe7a6a78f5eda1019afddcae2f6e7ab8d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0fc6f1283f002bd75d99b75a7246e206

SHA1
38f52e10b3e0e1d7a9dc1df50563ac52d5f2d658

SHA256
b7e43c03983d7227fcf00f85d5439786342b3961f06f13b5ced3aab4ea46c4e8

SHA512
2b33e9e0de6ad71ea06858e7562e4fb4fd1f13c4783152ce11f9ddee6c78dfbe1065b0a8e34712402a152905af8af64a538441ce01829fa95e057b59d229dd9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bbf8993140caa8b1fa69159dda5fcb78

SHA1
ed1be3f6f661e3795c0824e0a172eb9abdffeccd

SHA256
a73bd24bd7ff0875e5c13490be1fb8e93bde152b55a09bea37f250c31305b06c

SHA512
f5bd635cb68f2d1a9a2abb0ac8ece181dd54a00e4e32e6b13524c6b8cc4368fbb7ba168a38de402d7d26f031d96b255c8deae1530c5397fef29a64ef3fee1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
6e3df857fdfa8b14815d245ab47cb52c

SHA1
308e3a02e963c89e12bbbf9761350905073f7cae

SHA256
f01021249326f8ebd0e6d274126116e2f648857bfaac7e35a3e48fa02b4090e5

SHA512
d8078f291e43ba474f03322762233e1ddc8825f1869438b8a95605ab405dd658f8130393adc7a2b1545cb4c3bf586d43e4c52ceb11210461c5e261652cccca25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c488.TMP
Filesize
537B

MD5
2e80f43905246ebf867b93c8d2808cb1

SHA1
f35a1ecda0ffa96843e901beb03015a9dd7168cb

SHA256
10cd293b85d5def28f9fab184a3c9915cb7e42753b41e7c69b1cfa1939ebd388

SHA512
4a3c478160761af79dd2bd5082c2947bead6f76f8c9513598c4a0bbc9b46f7a45bfb22eb13f45504ecd002237900361fd987d66f3f5272c0d0efb04337f0e622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
dc8eb37a072d172470d7e2ae81eccd6b

SHA1
21dae447c3dbca50679e127ce599da548fe1892d

SHA256
cb6ddc2dbd1a75e10715769b07b4811df6f9444a2574dfe8a98b8b3589e2864d

SHA512
16d880136c6c53ecf5fdc8c837cf11b5215bf8382bee3900e879e847e7898d6e356de4fa37572bfe89bd99b1cf334e78836f4deb727f5307988010108e28c011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
de6498b43d462c8f7732e600238e37b0

SHA1
16f670221941c00420506ba77627b6ffcaf0a594

SHA256
ada2c56e7de0019c9e5d5f9d519c927c867ffbb5d421dac5e33dad21049f024c

SHA512
87f59c67ad85d58681459713ea311bc60d75ca14f2ab9adf1e3f34684a9eea6c2902b6eecad3b110954f46c3f4929f1eea2d81fb040c750638b1dc40a6a56b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ec8503cf58fb303b6b500d3a9c337f36

SHA1
29c2af438b755aca7bba4bca01207397da69e75c

SHA256
0b60f021e2fb78cd1a4d80520a42d1a0b71f5698933153b9906127545c7b146e

SHA512
a0e0869af4d77aa865f84a8103193d65532a1bea34f79a96c671cb75c96a9477f0a609a22954198eb6b501c13892c85a7793d56442e78c808ca34d74334d96d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7tv4zmwf.0.vb
Filesize
347B

MD5
8a280ce703f3d84f1c87d2039cfa73b0

SHA1
24d7d6172c2a210579852e5c40e273a4ab31dd1c

SHA256
6abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf

SHA512
3eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7tv4zmwf.cmdline
Filesize
209B

MD5
5401afa5e5ae2866edc684298ebaaff6

SHA1
a12183e809ce0de681333cce305e9831d0f41050

SHA256
71152fa2b32afa2d86ec3a3fabcfd0f3dedb46975084977170e7e1589925eb45

SHA512
04a937811de58c7f8c3e8b31455c4bc825d78e4e7de33b91f4ccb5a5c2b97a09b08c2844cf4fc11cc1a1f730ddb00f3cf16e2223533c9f8c7855b7d270dc19bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41A3.tmp
Filesize
5KB

MD5
0d0a8ce6edd0da0c40d7a7003c2835f6

SHA1
6a18ad4597ed7645475ea84305936466c56de740

SHA256
f5845b8ac29e5f9c2fdff746b0771634ffa80b5c66977e7faaf1fa5d1117fe2a

SHA512
763f23b7c9a3f734bd3cc9d69bb48e63a57a3a7ee118adffbb1ab0ac8764713c0ca964aaf178c211a1ac37f00e4a223e01d14fb8e37a5df5872dfa2fb06ba2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES427E.tmp
Filesize
5KB

MD5
cf426fb693a9a3b906f382efd65b5ced

SHA1
44e79ae59449eacf414ccae20188e3120d593c41

SHA256
0e3b9d6d083d93afad4783b46ab0810603b7f9d9a590b398971c5f422c3366d5

SHA512
504615c5dda088cb69e1f19dc7d4a7830b3424fe5d16ccaead2dbc5a180abe85d3debdee38e1c32d3fa51b09779e432d5016507fe4852f751be85834557bea0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4358.tmp
Filesize
5KB

MD5
523eb590b7b64a8c8d3c70ba6e0cd7af

SHA1
8f774676d25614e41350f840fe38ac530fb57c58

SHA256
61da9440fd44bbd399059a1f84d6a3c45933f018f7064fb0c0a0a9ff83b467e5

SHA512
6737c0dbcdfce47d1a658ff4f4e4352d30eaf0ad85dbc3195cb291ae5bc6318353c88ace87c6bd9891ad45ff4b9c2479ad14c4e44b501e5dc87db40b6b319902

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4414.tmp
Filesize
5KB

MD5
84eed96690349ec26b4d3e3ef028266b

SHA1
ae5a63ab0864a0164f2b430e7247fa5341a168f7

SHA256
23fccb766097d88b6c395fe5e48ed792f7d9651c7d2d44fab7dd4c4b355235b3

SHA512
9be9e169c5142856f51ce61ae51f4fba97c720dafde95b5e639ff3de61f6daa67ed3b84d8b57884bae3270983474b1263e7b144ba3a2dee08162d3dd10b7dfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyca9_ux.0.vb
Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyca9_ux.cmdline
Filesize
224B

MD5
6c3feaff229e4cc33da26871252ef097

SHA1
64be0b3f72f54a9ea0a8e7752209acc65e0bf612

SHA256
79ad5837889dcff178bd1e16991c42cc7e3bc0675fc74ad65c8249250c927beb

SHA512
0faa644855b5775297e8eda18e8efef667a0c24c818539e90ac284a0bcf1bbf62a36d8264928279cef739f8ae85e0e0c0499c3eb69ed79a879235877a9c56fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4qo3kmc.0.vb
Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4qo3kmc.cmdline
Filesize
253B

MD5
beb8fc76fb57dc1268614b9308e64d47

SHA1
9070f5ea696a22e1917d30c43f77fba9576fac85

SHA256
2f552a0843a7b42b529f45154e0a85eaeede45685ea15f4e4ce30009bcf96038

SHA512
cac3117749cc36c487afb7d497085714f863e0625ac1baaebe84c80f7613635cc6aad4da208fd3fa0ae8c578c9060467b73e9e8e3a103095fc2df9fc89cd6697

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxxis7na.0.vb
Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxxis7na.cmdline
Filesize
253B

MD5
fafe3c8217fa16455be5d86f63ba6b93

SHA1
1b926e02ee3a97d4c4f01cadb1f15d3bbd7f2dd1

SHA256
faed456b66a3c309c6cc2cdc7cf860d8f4cf73a96f848aaa759269848a48a6ca

SHA512
2e62a759e494001274108ae7bcbc689aa0c20b65af30551226ec488e31f98cc947cda4687ab75f360c3b2eb538f2d2b4907f947b288de98b70f8f81bf04e5994

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc58145949B694167ABABFC6929502CC5.TMP
Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69777DAEAFBD4858A1EA428745FFF1A.TMP
Filesize
4KB

MD5
7f2155903d9d46630c04b924131c70d6

SHA1
5c64cf895433b593496e5de7fe9f5c77ec98d33e

SHA256
496f2dd424b829f0ad914d9a78a686ac68c3c1ce5dd2412424c5ee0aecd4e18e

SHA512
32cb5486d97328f1001801d7d364f4cd56557af71331d60d4e8c78bb3bb1ec7040b14740f02e467041cef179db5e775cff8d2399badfa591bfb5f1f0a121d0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB3D991236524A67BC48BAE48E9EAD6.TMP
Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCF17F45F81BE40FCAF338D618294D5B9.TMP
Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 797657.crdownload
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
\??\pipe\LOCAL\crashpad_4780_JZNKUOGMOFNHJVVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/468-877-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/468-896-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/468-883-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/544-865-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/544-867-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/544-858-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/1432-869-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1432-870-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/1916-954-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1916-941-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1916-942-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/2140-936-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2192-974-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2192-973-0x00000000016D0000-0x00000000016E0000-memory.dmp

Filesize
64KB

Download
memory/2192-972-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3068-957-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3068-923-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3068-919-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/3180-897-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/3180-899-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/3896-953-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/3896-952-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4056-962-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4056-961-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4056-960-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/4112-886-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/4112-893-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/4264-931-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/4296-916-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/4296-951-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4296-879-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4296-937-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4644-975-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4644-976-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/4700-943-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4700-955-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/4856-924-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/4888-956-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5348-851-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/5348-868-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/5348-849-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/5348-850-0x000000001BBB0000-0x000000001C07E000-memory.dmp

Filesize
4.8MB

Download
memory/5348-852-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/5348-853-0x000000001B620000-0x000000001B6C6000-memory.dmp

Filesize
664KB

Download
memory/5348-856-0x000000001C190000-0x000000001C1F2000-memory.dmp

Filesize
392KB

Download
memory/5464-934-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5464-935-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/5524-949-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5524-871-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/5524-873-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5524-950-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5544-863-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5544-946-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5552-918-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5604-947-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5604-959-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5604-948-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5692-938-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5692-944-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/5692-945-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5692-958-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5724-915-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/5724-930-0x00007FFB2D4A0000-0x00007FFB2DE41000-memory.dmp

Filesize
9.6MB

Download
memory/5908-926-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/6128-940-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/6128-939-0x0000000001230000-0x0000000001240000-memory.dmp

Filesize
64KB

Download