Analysis
-
max time kernel
1800s -
max time network
1801s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05-03-2024 16:50
General
-
Target
http://google.com
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 5 IoCs
-
Downloads MZ/PE file
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Drops startup file 3 IoCs
-
Executes dropped EXE 50 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdd9c46f8,0x7ffcdd9c4708,0x7ffcdd9c47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5908 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6624 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6348 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6284 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6112 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES309D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B329AF520424F0E947D999707313DD.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4f6cajqe.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3129.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFADF5DE5F3EA4B3D988ED9192F9BB15D.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDD40B253B40433EB1F9E15C944D682D.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ue1d7yv.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3243.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453D629AA6C4AC5ABFB9CBFD6481E4.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msfp_jak.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE438DBAFC5564B169E87776F5CEDBA6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sau6dqze.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES333D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD2F9E93FDE451A93E660335C218FC.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azr5djph.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES339A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2A90A6454744550B3973F106E315439.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tp3fmnop.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3417.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D57BE99E0924577918938E778679D6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pdykvhfi.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC78FDB8A6CAC4869977E255121194E37.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bzadbbhh.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3531.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60308E2F618F41A0B9DA63B527466D6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ociees-u.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES359E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16D4BBD0EB1142FDBCC873DA89C68C.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4k7cpaj1.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDF344511554C5484892C6E1C2D77C.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ksmzu5j.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3698.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0657CA9A2624ED7A478B86324C36B6A.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xs0lyd2t.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3725.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AED91BC8EB4C7EA03ABF9C67E2BFC7.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gazlmvbx.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3792.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB20A3358AFAA4CAC818BAA037D58D3.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vs77ol9.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32DA5F3D71BC41D6BF931C7F473FD595.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u7hgitnm.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES388C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB77F33FF5B7470A92FBED838319A685.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2cohqrf5.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3928.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA835033D3BF6466C87249A3CA47C6016.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmezvqcn.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF96EE99C60774D5FA568F31E90D47CFA.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n44vzgkh.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D01C1999244604B9BADD6F806F6919.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u47rvkud.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc902DEE553D84341BFD78FAEAC822587.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3huktm9.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc617D9C30E26A4738828FF75ED7CE35D0.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nimaaywy.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAF9187530AC47CB8322F98A5D10A8D3.TMP"5⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l-e--9po.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc896428B763E24A73BA4A1E289CD9AE22.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmsvhlj6.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE382.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41F50B99884F471D9C46C3AADEC8A82D.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t3umvzr5.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA1315BD2A9A42659FD372E289418A6.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_6xa6agh.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F66505666354A1A8FF57FFD8E4177E.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkebvcle.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4F3D0F773524DDB9A2F7FBA3858B8F1.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owmpmtjz.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68A7D043CAB7430AB11ADF2E1FC1D1EF.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0rtaoyh.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE641.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF732B8089C5D4E79BB1624C5A7E1AAA.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7a8fltp.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE69F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD97875101E354A7C8550D3154ADF7C17.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p7astr2u.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE73B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABC6DD003FC541388A376FA936DBA1C.TMP"7⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1416 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7da2c19chd9abh4244h982fh3ae997b2fc991⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcdd9c46f8,0x7ffcdd9c4708,0x7ffcdd9c47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,11391322940708911404,3689870888252840898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svchost\DumpStack.log.icoFilesize
4KB
MD59430abf1376e53c0e5cf57b89725e992
SHA187d11177ee1baa392c6cca84cf4930074ad535c5
SHA25621f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78
-
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.icoFilesize
4KB
MD5fde1b01ca49aa70922404cdfcf32a643
SHA1b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25
-
C:\ProgramData\svchost\vcredist2010_x64.log.icoFilesize
4KB
MD5bb4ff6746434c51de221387a31a00910
SHA143e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA5121e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.logFilesize
120B
MD550dec1858e13f033e6dca3cbfad5e8de
SHA179ae1e9131b0faf215b499d2f7b4c595aa120925
SHA25614a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4
SHA5121bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5050e5e43397c8c9b85e9c863229d37cb
SHA10003f5862a9e0187442404f92bc7d6e0fbd83ec2
SHA25677e3b1fa5dad25ec5d9f0f91bb51fde3c683484f647288c190720a971ddae5fa
SHA5122a160d2715a1d47e657b0c0853787a24c48e720e69330c86bcc5a782f9f2fcab042f100d48866c5e79a92e93d448a161799adaea6a159316edcaa4e01fa4b258
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ca93e6d-518f-4c2c-82de-8537dd4444cb.tmpFilesize
7KB
MD57355e10073124cfe86a4f04888c405b9
SHA17f9f211e4d20dae24e64685339227428e6cad608
SHA25666e6de3d03d272f37029bf5df4d142befe663f2429a5ff835dcfdf2b5ab5103f
SHA5126b9d1b7a422bc68241a604456d334c5fa3641fda730a85ccd16bcc48cc78be240c603e1c8034acb9e9471084c3ee60fd0bde6e8e3a126158af8281e599667d25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6cb603aa-cc5d-4bb5-adad-3df5b9a11f92.tmpFilesize
8KB
MD58633f2dd0a5a069bf9b61c61084e47d6
SHA1e3f7ba70c78f32894f1cec0ec6cf5c0ac8c83932
SHA25665fffc694285c7b95aa547390afe099044798dc9176d9bef3f646886fd993680
SHA5129ef9b194ec729eabc3bca5a7ad77dd7189e15de7d50bddb4b5e438dcff5a751db3151a31d5db127810073bb7045138e2a4fa9bba1ec881e31291da3003dac67e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
195KB
MD589d79dbf26a3c2e22ddd95766fe3173d
SHA1f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
69KB
MD5a127a49f49671771565e01d883a5e4fa
SHA109ec098e238b34c09406628c6bee1b81472fc003
SHA2563f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA51261b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
31KB
MD57757373a5ecc3cc8c8873175b7ad9d15
SHA10c84ccc4270c0ce81566c62edd4493f2bb671a99
SHA256a79400716a751714826128aa4a8f050493c1798f96319d7d3225e1bf923c4cbc
SHA51238f048abd876b3889b45f2a8efcccf6d73196880a9ee7388c4f6127311c640c15ef916474b2f72876fe30a0c29abb6438a3178d29af44b346ad2d6262074fc0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000aFilesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
1.1MB
MD5ae6fba4a8a4923ae8fb23bbe54365bb4
SHA1fb04d11d5f8433a5149dbbf05323cdbcbdfaf3c5
SHA256d3effbeee1babe87697c39dab95237973aef8f4755a273b3a04b6585d927f7f3
SHA512275b997c5819b5c360b1f5f1a8239e6f7e1631a0c75677a4d428c8a25e03400314e8eca58f54af524fb93c3b609b7c47e60ae05a7ba874651ed58b54281a2ed5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD586a446634201bf6669eab5fc34f5e05f
SHA183b7e275d3b62ce80279563341a2750b0e6538e9
SHA25663df5a1bdfe4954279acf3ab072c2f0af59f9d489d995fb0fcbd6a4afaa76c78
SHA5122b0dd41929283cf996673448c0ecaaf2115be5548b8e973345b3bdc3292e2c3b4cfe90903af32213fe7f70b626913ec71f7ab04b4ba7fe652532ca33d123221c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD57a6f2fec50cc27d696915aeab2ddc30f
SHA15e08bdb55e0b8710d0f2d623421d45f3e1d75397
SHA25633713b03abc5dd940d428b91a52ece580a4baa984a6e6f9f41e74c4bbb867bec
SHA512581928c25aaeb1b8e44e227fb6e5b558f8690b394fb7d6d57a5482777e9dcbe728777c59c28298132096f13acd333e71484d82dd353f0af139df3ddc812d72b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD56b7c461130826054ba766eb3e5376873
SHA182d4f29ced109ac93400c3e37eefadee966a32f7
SHA2566c06ea0c8cdc373d52136636ecd276baec89c39795c7b5640ac079d951b20e21
SHA512a422ee2a762e81e493a4fc646240f83da3b270a5f8455c8dc60e15a1c9f3e3e6757f8f990be3512944ed4ad8af57e9f468f78d92d986cb7269e8fc437a0c85d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD52c450c455cadc8b7265337c5ae0b3bde
SHA1fc7e9ae567255c0de732a4777dc772ccc5447741
SHA25613b7bc0d20a78be62beb1e237c49014f21f8c984b780544e420c0fa6e63bb439
SHA512e6413eee48ce1045b82fd4a3ca9ed4f6656fffebce0be6187849f6394b6e29a2f14bb4b18f2be83007c7b7b2cecb99b48a7d2284156c3ad09afe7f8d1573b89a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5b5b592357b6db83f5712d986c0ebd8f5
SHA145fc619b3af7db01097bc196b67e5e126e16506b
SHA256ad4c93bfe8e27ee2e26336fc9ecbd31024d59d1268e7486501772e9a110f48b8
SHA512b8561d21d34c3fc7f8f6f46316649f93b9bc64fd945c0b22271a46129d637ba82c6fb7f9ffefa836cb815603ed0dac881784aaa742492f34fecd6ab7bc3c1611
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD53da986a9d18d68225bd8167b87ecce02
SHA1a8c59355a5592e963c085167375f75bbd05bd7ae
SHA256bfdf8b791b1f530bd596e8385ebe755f1cb071d86257c9723c61b246f1b1bf4a
SHA512043890c0887783a520839b7c4f4a32eb7ca6f62f6b9e98611314141eeae7b79962383ce70773e666eb86f92b5b031897a5d544da49fb5978f25b3c8c2e07a086
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5721758590b86e4b496f33abbb1d8051f
SHA18b7c3fd35f880233628993df4d17afa512f7a096
SHA256546cf2b0ea8349894050aec16bf2fc3af4ca4c58906c699d7cc79924524c24da
SHA5129b3abeecd37b7d6365518e246a2ffac0a7a29aef4ab42d925388d534cd7574c47299152c8b899e8ebb511ca218f276b758434b2cc52ccb2d360826379900f4ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD538e67f0e8ae4f6884b3d8dcf4e670f72
SHA1c01ecf7d039a93b328d2455f1a6a64b2871ad6e6
SHA256cb773b9b2bd05f254e24c758f720062dced7cc5ece5618e532c005c1f4ff372d
SHA51228b80052a94c8a82f243ca1f996e2dc67829fbcaebbce2332a0c73d12c095afa2b6428f1267aa83af6b51e8ee4446885598a677cf598743713d0c0bd7629e9db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b53b3e2df7817d3e7d9d99c2eedb508b
SHA1ce444c328857ca43fe9ca258d293a77b4c1f6b71
SHA25605bf62673976714169aa21adad63b4edfa76d783e5ac954a2d9cea231ed5aaac
SHA512f72023f255824bd238f768a0d161fd2ba31692b7ef99a6b850dcf3fa83d2069290027ecbf1e923a7cf9eef3aa9416145fa2cf22151b73caa25fcee793ca991da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD554ff7cb5e0688b9aa406a567a58d155e
SHA14965dff49bfd32cc7e2c14e2eb9b05785884f177
SHA256e922208317a524f449890451c9d8a28fefd6a81f45e4ca22136fbc28e4b927af
SHA5129c7a227550a88cc7a24c451de18ef2e10130362451b24b05735a2f360109fc27a97cdd58beb21f1f8abb4cf1ddb22346d9f10675e0b5785a7f3e8d67910b978d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58f0a4de7fdc81de659000ac77c83cf3a
SHA1b81ae015e4d6ca3bf514430d46bb62c4ab706465
SHA256b57a26d22b9b25d5b811baea129fae70962d39a6a715962ad013080034c57193
SHA51264dfd685f3f001d04ef5658e5f7fff030ace2ceed8e5dc5956efd5fbb035d248d679bf392ec14381a6809365a480d43c710ef746eec2ac7049b912e363349f63
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5430c2e8114dd583d525c16f1a30a5be3
SHA1b6877d960f7694f4e18db1e94f4799c309097c3e
SHA2564d7294bbee5d4e65a9cf16da86a9af103147bad2e4130d60e307c7639e721d72
SHA51243f493b4894655293bf6284661f0a26147131a99e90280ebcb9fdabba26092fae97f896e69f183624a57f80e4de6a03f7d2ac9a8dd7bdce726565a7d408451e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD50ea73fa635d933bcd395f00951365870
SHA1442ce605f33199ab1e6e398ccc72d8c79b331b10
SHA2565284eeb2424900889a06b44d3c6e3b0e30d25960ab0b623d362fbdc3f2907d4c
SHA51230f27ed6d0a3d0866598c6007fb22d40d4684a648725f18433b88711f07225d1d8e7c269936baa37789d94b15f59e57e1efc477292cad59c3c15ace96a826d64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5120927214ea722bb009b3065bf195904
SHA165d8a71a4fc07fce22fc23e4ebcf416d91825b19
SHA256f88ccb47b524071b1ca3b23396f831fcb13c585c4f7bc4ee778a208ff095a9cf
SHA512db956d9143983b3fb8a8744e1e57b30a427f5f3279054394efa1411f79ba2db897fed13fa4677808aae3e3518b912218a3244fa188bafa665357715fd998d4c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e62d3e95825a8ba586d50ee4ba1a5946
SHA193b8ab748c5fbe887d416893ee989bb6f2b69e23
SHA256702376543dec07958138fee2f7097d9dd9cb514c256e4b9b249cfe1dc6223714
SHA512c731d3a72153abe3130bb3f6223355cd5f8aee1cdf20a5ba237d03c7b1aef0ee41716cf6490949371fe2193686a6659a78f30bc56477978d8f4417f0bdd9252c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50780b6b0dc013ee29ebb0843190eaca0
SHA19d5c519df02200fafb0708f7309a357c63341062
SHA256713ffaf68c7603f6c629ef835385b991fe99c06ae861c276022448c15a3189ae
SHA5129ea1b8019ca41eaa9fbbd10f7ff00c2f6e099f5c2970a20221d965c7463b8405f586bc61c0f400ce4eb9d882a6ce27b51066f344915d091aaf69fae4eb8bd550
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54982d7c58547055bd46859635892fc46
SHA144ca607135edb9638867ad1bca77ed47b608b34d
SHA2564812fe23030404cf11642e4864ce7876ab948c3cae1e117e2608578833a70667
SHA512024d529b91acc150476611c3abb69fea177730428c07559339f814b5bda33edcc7bfc96fce446b5b21bc8b6ef04c6661ce930cd393a35c7443c6860010db01cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD537a9c0bd44ddc9acd7253281db1ef55f
SHA184f6c0b10c19cdbfe63ece9c83fd7a3e88f7799e
SHA25615da8b5998b35fb66fab82f7cfafd7bdefc88444b42d7052352026af786ae7e9
SHA512316e6744fc2d8ad19ff390dde1cc83fadc36b82c48baec40aabf709cd72b00e3d9446c89ff24634d0c6a29c5aef6a0e9fa6a457cf9a800ca7bebee9f528945cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD558382d54e1411f1535073c97730117a1
SHA1b8f61c31eb40ea665af7251008b994321186a590
SHA256820148ac500420e17761770ee16bbcebb966e19087919c58ac21c570695f827e
SHA5123313a8284d20f15831a12e8732e6478328457f50d2c975eb2404897201dea54ff869355fad02390bb9cb18bd79c03b3ff82c0d80c35453ac4991a94bd0578ceb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54eedd7ddad9068dd50bf5c4e4d0ccbd4
SHA12c032bc97ce99a059bd4c5d78957dae8f8a3c1ca
SHA25603ff6d855a2c57bc55c27b744971093ee5b744ca81364316256d12ef77504fb5
SHA5126e06616f25eeffc71250a62ad76cbc21f26d978f6ce15bac919ea132682dea1d7ef1804c87d1c09afc0e999717e47421c1c610601a7a4dd1d95361deafe42f5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD544bae4a03c04dc021c99d8db4583f56a
SHA14c22797dea45cbfc59fe14985d0958abced81921
SHA256f0b7d45abb7128b011d31eb75ecde7dd966ce8be5e15449dc8ff757954fe1a9d
SHA512a74ecd0a0acdc3edc32bf580645f77baa81f489eadd53fd188c9bd26ce9eb3283d229912be3ce4f638021ab81cc69e412ed7dfa3d2d029f5d5a6d45716f83577
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5a9f0345d9adecc423845fdd2989889d9
SHA12c9881efc51e49ce6377d65bb10a898757e1760b
SHA25666934ea9fdf97f58bb48ccfcdbcec868cedbafdab496331050d3d66df9c201eb
SHA512081dc1c28ded473bf34d42f438ce238d7ecc5a27fe05362fb9fb17f4806443a2087d2002ce5a803b1666c576ccf81728637a4f187b307c0f44e380604a1b5850
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5a3531be3fb578eef326208b1c0fbab65
SHA19ec44bf71ccd7139d676c55b32d9ed83943c5333
SHA2564ab89ef50daaaa2400f6f3a6f5999d9fa37b77c69e51ae96259a23d4baf44694
SHA5129260863ee4919bfa5bd81bbb6ddeb0ec64355f1daf0b589548845b7b2d30fc002b16dfd35dffc77f2ae3a76bbbb58b32f56b476e8f65ddebb94328d115937fd2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD53d3ece2976a87ad28d9f0ad4d0530f00
SHA13b29676e38ab50c63cf6aae7e2e809fee129f428
SHA256bc518fc594c02dd650be438e84feda3e3da4d7c19ee2f02c2a632ba3892759db
SHA51235da19d513cd30788797528bad599f37cc6493ce596a77ac28b1880991d8f33393fe5912bb9373a89deab164c7a70a74923bc3f4987dbf8b09e8850c0ceffdbc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b377.TMPFilesize
536B
MD57713adbf1d4d23e3bc8bcc4ec47df0b2
SHA199e9787f4d8144f996db7235940929f79f808638
SHA256a518a836951191ec6af3749300ee5d9c986365ed5954bcc8d91c964a24142317
SHA5120f9b452512731b364a490900ed2243c2ed1b7ed0abaa906e0d2c204d78e6e788a3981e8bdc7c3f26456540e4815f55f4b2f02c24ab48cba9ae2d32c56c65b286
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD52f592050336a6a514d19ac117245cd7d
SHA1ec4e2db2865873da4819ed27fa84f6a23cf06ac3
SHA2562fba8eb1215f514bafda2d0add8007900e86062accd77f11661c4bf550628dd3
SHA512b5a379789b7cb14fbbefd8f1fd33c2bb49e9a94ebee8d56e51c26fa39bb34f9de4c49fbf4b875c9f61353af3dcf4f858f379fc571f36b09d246e13fc3079496c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5911a67789fd3ba74ce8670eca6b48bdc
SHA1349331fc407c590709e9d24a1bda80a3a7e4f726
SHA2562a2afbe1b0384ed1bb6e5ddecf6d59bce2db106e15fd162e5f7251a901f433d9
SHA5121779756416926ff7a6a7b223ed273db4c91f0902641baa40f1eb9a7fdfde2f717dd53db66b5475b439d25b07807869fcd91e052d6411934b33f0330e164c8552
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5bd4db83fea7a75b2d625992268f737b9
SHA1ab3f84edaf748b80f70648bd70656f23931e0936
SHA25638f1ad507b74d386be5bbb53eda885b2ac33e44c7761a3fea0facd7c1310a93b
SHA51280eaa30b35153d9bf61713c36e11c79144a11413ad31b35a33a44d6043e7358b0e3f78ac830ada14dfc583878bfaf37f2ad710d73a656bcf90c76c614c191c5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD526c826fec54d1d84db330fd48de5be82
SHA1ca162c3c700c67d450f92e60b583c162c23e0eeb
SHA256247e059ef8593e4362696da22deea18048378365eb8ae103509d5d5354e0d3d5
SHA512a0aaddef6cafccaf7920807308423d00fb7203577761b3e7917f8be06940fe61c56aca3715da7b0eb3cf9fec6b41311dd8cd73840c51e25d73d468424b8f164b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58bc9c948de69f8fed316801fef44ef63
SHA15aef593cab07d7b86645c92a01e9e19dbd00d4fd
SHA2563d31afd3f10e32f1bbe52cb042ac468e3c293a2fba492b70eaebf33aa249bd37
SHA512ad62452d467b8d0b7c3d7769fd6682951f8a2c19fab4d8e0f6def1c19c69645f9230438de7c4fbc5382b3fa72bc604734b0158984a85de586dfc7b12916195d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5caf1e670f9838ef38441995407f9897c
SHA1042d7596036af79296858d5e0c9b7940ab557f9a
SHA25620b716ed606bde4d085592b8490e39b10d1d9f588b157e139cc456ae2453da82
SHA512fada483598e4c36029b035e186d2572fe6b3531697dcacf1b945b1b7bc3e3ff9b66a4abcae3cda7c6a7724c2ec96d6764c91094ca20950ffef258830c0219c3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD50539c285b98010f2bd095a2752543f25
SHA18f9ec428316a55e0bb61c870c3ca235cb8cf0fac
SHA256b87ad38e0cb149c62871d306cf3bda83b17e85923432349aea07922d9d81439a
SHA5122e017cf5e8252f8656b1b6498f3373db850909a9c4cfdc2ab995bb4c7e789c1be7a63abd4af69293368c783c70829a3700e60d4c6a76a5d4b7a86e2e1cb3d67f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5598265c2cea1c3bff61c081bc9e54b77
SHA1e579a0f597c1b67d49ee407bf35da707badf7bc1
SHA2568a5da653a4667407b0ac2c10e1ea4bfa6171579d281fc51f304fdfad03cc55e8
SHA51299701acb92995b5a56cbee50d710251a378f0910da0200438c1bc5cc1cae0606ddbdfddd2525553a678ea8a53cbafccf3fd45d625f94c840329a9b47fbeb8882
-
C:\Users\Admin\AppData\Local\Temp\4f6cajqe.0.vbFilesize
369B
MD5e4a08a8771d09ebc9b6f8c2579f79e49
SHA1e9fcba487e1a511f4a3650ab5581911b5e88395d
SHA256ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6
SHA51248135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1
-
C:\Users\Admin\AppData\Local\Temp\4f6cajqe.cmdlineFilesize
253B
MD56ffc8457674ace120f97fe6b4a66b677
SHA169808ac80f614198685c4644525c82392798ebe9
SHA2561b85d4ea2e7eaea01ff67d1f419536350c72176c8c896649b5a16cd8bd779369
SHA512e878b5add8827963c5100d654dffa4aedf90730def17e1bcba66c97cd6814b9d73d93bbf9275b106277a7aafddd58fafd398ca1ad27718db93b7b013a8bae6a5
-
C:\Users\Admin\AppData\Local\Temp\8ue1d7yv.cmdlineFilesize
253B
MD5e7e1246605069f52b54e64187c029928
SHA1babda1e6d3c52b0ef2acddbe30200c465a14798b
SHA25650415c7264b5bb06a079c6ccdae356456efc038504d237a3ac6a0768f958201f
SHA5126717c097ec9b9db8d0156713073902c335972d0b00d0ae861754a3adb45117a0b708764fd434affba8cd1e00cb4070359295c0f72eebc979ae2097dfb4e19db1
-
C:\Users\Admin\AppData\Local\Temp\RES309D.tmpFilesize
5KB
MD5967e5cbc7820bf1c996b80609cdea38e
SHA1770ab4b72c638fd539f2b08e88d944dfeb98fc1d
SHA256383a3f408cb8e254c2823dda910979d8b08794a3807885133dd2622eaa75263e
SHA51295fa315245c68dc5948d097fbf8e72be7b6617a1fba7b5aa8053a85ee268ad7a4c6efafa42d2fd572e5344793d16c47e741867275d65ef728353e63243ab21ae
-
C:\Users\Admin\AppData\Local\Temp\RES3129.tmpFilesize
5KB
MD5f4268ec69fc482a168ae4928bb426a18
SHA1ea9b97280c01e1585734c4c6ca805cbe9bb52032
SHA256283f7a0035b9372c2503227b5383556b7e57285fb13a9e4c837be029f761f492
SHA512f71f05d71af00212331a6445930596049de280289e194eddddac186fb3b9de990fcc32e29af53df7d0178cd5ad9566334e634aac77f822ab456c6145c4b0c77b
-
C:\Users\Admin\AppData\Local\Temp\RES31C6.tmpFilesize
5KB
MD557bd2622c8b8208380da07be134e88dd
SHA1bc70a791d61375c859abdce6c443c021f9677a30
SHA2569e534a1b0c660a0c85d0d6c614d9b73d375b26087a60ee12c47cbc36aec69b31
SHA51242c648044b47c04131e84786150962accb5288f47c4f52c5a643a90bba519928422e4bcc49b912fa0fbe52d9976172e6171466f73bab51470bba111bbe6360ef
-
C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.0.vbFilesize
355B
MD5acd609faf5d65b35619397dc8a3bc721
SHA1ba681e91613d275de4b51317a83e19de2dbf1399
SHA2564cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.cmdlineFilesize
224B
MD5426d46dca8498fe34c6dd19f70dae5f7
SHA1a773f9e478bd6eaa97d14bb0b904414da4b32270
SHA256995d7420a8445cca42e67fced5dcef840201164ea259142c8d3e0e6ab1b883b7
SHA512eb4e127b9ad4342e1f0ad55a7536a567e2c328a286c0a23ae0606915b431d6f0d68bd795783f11dcacb591b1f212e0bbaac694c5b16ec9bd8f97375ca69ea909
-
C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.0.vbFilesize
347B
MD58a280ce703f3d84f1c87d2039cfa73b0
SHA124d7d6172c2a210579852e5c40e273a4ab31dd1c
SHA2566abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf
SHA5123eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3
-
C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.cmdlineFilesize
209B
MD5befdb971d6f28dda3b88c60302eb2e1c
SHA1febd247417725113c3324906a13cdd8b918b23df
SHA256715f6d54c1d7675a6473de779f606b9c702880e8d67689f3e868ef2d932f5e7e
SHA512323e73aff674a83b1829458265b93a499cadcb5e8481e2000dbf19db4dfe1a2c6483d226b4322aa38899be87193956f7be28b87f24d6afee1b122828b96bbc60
-
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txtFilesize
88B
MD5afcdb79d339b5b838d1540bf0d93bfa6
SHA14864a2453754e2516850e0431de8cade3e096e43
SHA2563628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95
SHA51238e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c
-
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txtFilesize
39B
MD5502984a8e7a0925ac8f79ef407382140
SHA10e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA5126c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
-
C:\Users\Admin\AppData\Local\Temp\vbc2B329AF520424F0E947D999707313DD.TMPFilesize
4KB
MD57f2155903d9d46630c04b924131c70d6
SHA15c64cf895433b593496e5de7fe9f5c77ec98d33e
SHA256496f2dd424b829f0ad914d9a78a686ac68c3c1ce5dd2412424c5ee0aecd4e18e
SHA51232cb5486d97328f1001801d7d364f4cd56557af71331d60d4e8c78bb3bb1ec7040b14740f02e467041cef179db5e775cff8d2399badfa591bfb5f1f0a121d0a1
-
C:\Users\Admin\AppData\Local\Temp\vbc68A7D043CAB7430AB11ADF2E1FC1D1EF.TMPFilesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
C:\Users\Admin\AppData\Local\Temp\vbc9F66505666354A1A8FF57FFD8E4177E.TMPFilesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
C:\Users\Admin\AppData\Local\Temp\vbcCDD40B253B40433EB1F9E15C944D682D.TMPFilesize
5KB
MD5abeaa4a5b438ffa58d07d9459e5c1d6c
SHA169631de7891162dd4840112a251f6531feae7509
SHA256ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd
SHA512c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4
-
C:\Users\Admin\AppData\Local\Temp\vbcF732B8089C5D4E79BB1624C5A7E1AAA.TMPFilesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
C:\Users\Admin\AppData\Local\Temp\vbcFADF5DE5F3EA4B3D988ED9192F9BB15D.TMPFilesize
5KB
MD5249d49f34404bfbe7ed958880be39f61
SHA151ec83fb9190df984bf73f2c5cd1edc0edf1882a
SHA256fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b
SHA512082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
10KB
MD5a4aac64ff76b194b340b88370727f6f8
SHA1fa71ea568e5b9ed34d1b7b489d49776b62b90a67
SHA2560e4ce75e448e1fb5e5dcb2767fad29af098dd0323e20a1ab74183cb56e8f8262
SHA51259d9ddf2b81bb691d2d944ed312ff9a2ab030f7221c6832e17f8007d72de38655f9a142e9456b90698b002d43baa1e4007825a81023dc541964d787d41b4ee4e
-
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreenFilesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
C:\Users\Admin\Downloads\RevengeRAT.exeFilesize
3.4MB
MD51015f62df8f33a6f42655af19649ce57
SHA1b727755273adb47dd89e8d8b35b5eafe3d7ad799
SHA25690f79cfd07899c76f4c1f57250d333f985000b2188897bf9dd77c2c893a6bb5f
SHA51296ea4fbc8ef2a36e244ed491574d38de2e3e7fa1c874548bf75e59d4b76ad118d9423ab41f42614b42f21138b14959068c85b2701dbda1eb89dce301aa72f2bd
-
C:\Users\Admin\Downloads\RevengeRAT.exeFilesize
3.7MB
MD51e668d6f2db7f94dec8d2dacf7232dca
SHA10e85a0fe01e672262c35de0471045e5d29fada26
SHA256dde43a9dedc0bdbf03b140c924e682b2182e586fa6163af2fb44ea13d44064b0
SHA512fd141cebfce566ec5add8c6ae7b542ea5d143f7d6b3387fde3f1ff785faf4d25bfc51584d2567ef5c96ea37e1f355b2ff35244d3012f90a92a3ce7cdc391e13c
-
C:\Users\Admin\Downloads\RevengeRAT.exeFilesize
1.0MB
MD545c8313d37fa7ad30ff4810b1c24b45e
SHA1c869c611edb44f658710dfebcb3da9fbdb02513f
SHA256605450019bae5a839f3fd3ae8b7bb22a312a07659b1bbe0185b6df786a69af9d
SHA512ed2674b270d7035bd872787af1e6eea30949063efdbd36beef0cb1187a7388f57c351ee407710cef8f27ba78791db9957d3b15f19d5d54f2db724bf135eed01f
-
C:\Users\Admin\Downloads\RevengeRAT.exeFilesize
832KB
MD5880c7048980beb78e98d3ed2a437d07f
SHA1c0cf66eb32dd8b00a6018fcf6013876acbb1fa6a
SHA256712786b3091c4ebc61e68e9d9d501bdd7e5a824b9795ed2e55b8661d4ae9c779
SHA5121d2107b3ebe04c61f27f3653ebf5ec65a5acd3a75b7083c78d3a61f0d8ac8c027b8c0a484f95ef37c36dbef7d2cc346bb16a4eb402a10eedb6986ef380a8aaf4
-
C:\Users\Admin\Downloads\Unconfirmed 133518.crdownloadFilesize
246KB
MD59254ca1da9ff8ad492ca5fa06ca181c6
SHA170fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA25630676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
C:\Users\Admin\Downloads\Unconfirmed 878511.crdownloadFilesize
3.2MB
MD5f6cff4e8e066b5a291f3c08e449aa7d1
SHA12591c70e314df0b7c3e1015f7c537c11a89209a2
SHA256d059c1f1ab9c702994d8210dcd21a78a77c1a864c4dba30babca4fb1c790f640
SHA512178c5a434ec7e126895d31242f64d5735f8dac3b8ea6e802ddef144e4a0fc281ed45f06e8f6ff61f2ba0baf5b6777831fd93608101cc26285659041b443802e0
-
C:\Users\Admin\Downloads\Unconfirmed 887842.crdownloadFilesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
\??\pipe\LOCAL\crashpad_4496_UZPNLHOBKEQMAHQFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/372-1070-0x00000000006B0000-0x00000000006C0000-memory.dmpFilesize
64KB
-
memory/428-2000-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/428-2099-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/448-2011-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/448-2102-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/884-1132-0x0000000002210000-0x0000000002220000-memory.dmpFilesize
64KB
-
memory/1476-1087-0x00000000021D0000-0x00000000021E0000-memory.dmpFilesize
64KB
-
memory/1692-1121-0x0000000002700000-0x0000000002710000-memory.dmpFilesize
64KB
-
memory/1756-1213-0x0000000000A60000-0x0000000000A70000-memory.dmpFilesize
64KB
-
memory/1944-1046-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/1944-1047-0x0000000000F50000-0x0000000000F60000-memory.dmpFilesize
64KB
-
memory/1944-1049-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/1944-1048-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/2188-2025-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/2192-1001-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/2192-994-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/2424-1160-0x0000000002390000-0x00000000023A0000-memory.dmpFilesize
64KB
-
memory/2852-967-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/2852-975-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/2852-969-0x000000001B980000-0x000000001BE4E000-memory.dmpFilesize
4.8MB
-
memory/2852-971-0x000000001BE50000-0x000000001BEF6000-memory.dmpFilesize
664KB
-
memory/2852-972-0x000000001BFC0000-0x000000001C022000-memory.dmpFilesize
392KB
-
memory/2852-968-0x0000000000F60000-0x0000000000F70000-memory.dmpFilesize
64KB
-
memory/2852-970-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/2972-988-0x0000000001590000-0x00000000015A0000-memory.dmpFilesize
64KB
-
memory/2972-987-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/2972-993-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/2972-992-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/3024-1029-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/3024-1030-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/3024-1026-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/3056-2034-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/3556-2046-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/3728-1275-0x0000000000AD0000-0x0000000000AE0000-memory.dmpFilesize
64KB
-
memory/3920-1043-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/3920-1042-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/3920-1052-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/3960-2100-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/3960-2001-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/4052-2097-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/4052-1999-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/4424-981-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/4424-982-0x00000000016D0000-0x00000000016E0000-memory.dmpFilesize
64KB
-
memory/4424-979-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/4424-983-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/4424-985-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/4464-1023-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/4476-1016-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/4476-1013-0x0000000001460000-0x0000000001470000-memory.dmpFilesize
64KB
-
memory/4476-1012-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/4476-1107-0x00000000021E0000-0x00000000021F0000-memory.dmpFilesize
64KB
-
memory/4708-1039-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/4708-1041-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmpFilesize
9.6MB
-
memory/4708-1035-0x0000000000BD0000-0x0000000000BE0000-memory.dmpFilesize
64KB
-
memory/4792-1050-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/4800-1195-0x00000000023B0000-0x00000000023C0000-memory.dmpFilesize
64KB
-
memory/4824-1998-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/4824-2095-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/4904-1254-0x0000000002370000-0x0000000002380000-memory.dmpFilesize
64KB
-
memory/5148-1294-0x00000000025D0000-0x00000000025E0000-memory.dmpFilesize
64KB
-
memory/5268-2029-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/5620-1024-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5620-1020-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5620-1018-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5620-1017-0x0000000001860000-0x0000000001870000-memory.dmpFilesize
64KB
-
memory/5620-1015-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5668-1022-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5668-978-0x0000000000DA0000-0x0000000000DB0000-memory.dmpFilesize
64KB
-
memory/5668-977-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5668-976-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/5692-1333-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/5780-1171-0x00000000009E0000-0x00000000009F0000-memory.dmpFilesize
64KB
-
memory/6004-1051-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6004-1031-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6004-1033-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6004-1034-0x00000000010F0000-0x0000000001100000-memory.dmpFilesize
64KB
-
memory/6012-1265-0x00000000024D0000-0x00000000024E0000-memory.dmpFilesize
64KB
-
memory/6020-997-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6020-1000-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6020-999-0x0000000075150000-0x0000000075701000-memory.dmpFilesize
5.7MB
-
memory/6020-998-0x0000000001A80000-0x0000000001A90000-memory.dmpFilesize
64KB