Analysis
max time kernel: 1800s
max time network: 1801s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-03-2024 16:50
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20240226-en
General
Target: http://google.com

Malware Config
Extracted
Family: revengerat
Botnet: Guest
C2: 0.tcp.ngrok.io:19521
Mutex: RV_MUTEX
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (5 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 887842.crdownload | revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe | revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe | revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe | revengerat
C:\Users\Admin\Downloads\RevengeRAT.exe | revengerat
Downloads MZ/PE file
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 133518.crdownload | aspack_v212_v242
Drops startup file (3 IoCs)
Processes: RegSvcs.exe, RegSvcs.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA | RegSvcs.exe
Executes dropped EXE (50 IoCs)
Processes (pid process):
2852 RevengeRAT.exe, 2972 RevengeRAT.exe, 4476 RevengeRAT.exe, 3024 RevengeRAT.exe, 4708 RevengeRAT.exe,
1676 svchost.exe, 4708 RevengeRAT.exe, 3624 svchost.exe, 64 RevengeRAT.exe, 3300 RevengeRAT.exe,
4532 RevengeRAT.exe, 4068 RevengeRAT.exe, 692 RevengeRAT.exe, 5624 RevengeRAT.exe, 1488 svchost.exe,
524 svchost.exe, 4824 Flasher.exe, 4052 Flasher.exe, 428 Flasher.exe, 3960 Flasher.exe,
448 Flasher.exe, 2188 Flasher.exe, 5268 Flasher.exe, 3056 Flasher.exe, 3556 Flasher.exe,
6092 RevengeRAT.exe, 2116 RevengeRAT.exe, 6004 svchost.exe, 524 RevengeRAT.exe, 5768 Flasher.exe,
5212 svchost.exe, 3496 svchost.exe, 720 svchost.exe, 5524 svchost.exe, 864 svchost.exe,
6112 svchost.exe, 5528 svchost.exe, 5388 svchost.exe, 3344 svchost.exe, 4756 svchost.exe,
1908 svchost.exe, 3064 svchost.exe, 4624 svchost.exe, 2756 svchost.exe, 3368 svchost.exe,
6036 svchost.exe, 3300 svchost.exe, 5880 svchost.exe, 684 svchost.exe, 5220 svchost.exe
Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | RegSvcs.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 38 IoCs)
flow | ioc
674, 332, 564, 619, 659, 602, 694, 355, 418, 453, 402, 490, 714, 372, 547, 772, 778, 463, 638, 705, 745, 435, 581, 726, 529, 551, 599, 653, 471, 501, 516, 661, 795, 459, 508, 762 | 0.tcp.ngrok.io
330, 329 | raw.githubusercontent.com
Suspicious use of SetThreadContext (64 IoCs)
Processes: RevengeRAT.exe, svchost.exe and RegSvcs.exe (see rows)
pid process -> target pid process (set thread context)
2852 RevengeRAT.exe -> 5668 RegSvcs.exe
5668 RegSvcs.exe -> 4424 RegSvcs.exe
2972 RevengeRAT.exe -> 2192 RegSvcs.exe
2192 RegSvcs.exe -> 6020 RegSvcs.exe
4476 RevengeRAT.exe -> 5620 RegSvcs.exe
5620 RegSvcs.exe -> 4464 RegSvcs.exe
3024 RevengeRAT.exe -> 6004 RegSvcs.exe
6004 RegSvcs.exe -> 1944 RegSvcs.exe
4708 RevengeRAT.exe -> 3920 RegSvcs.exe
3920 RegSvcs.exe -> 4792 RegSvcs.exe
1676 svchost.exe -> 5692 RegSvcs.exe
5692 RegSvcs.exe -> 404 RegSvcs.exe
4708 RevengeRAT.exe -> 5680 RegSvcs.exe
5680 RegSvcs.exe -> 868 RegSvcs.exe
3624 svchost.exe -> 4424 RegSvcs.exe
4424 RegSvcs.exe -> 3368 RegSvcs.exe
64 RevengeRAT.exe -> 4904 RegSvcs.exe
4904 RegSvcs.exe -> 5228 RegSvcs.exe
3300 RevengeRAT.exe -> 4120 RegSvcs.exe
4120 RegSvcs.exe -> 5724 RegSvcs.exe
4532 RevengeRAT.exe -> 5316 RegSvcs.exe
5316 RegSvcs.exe -> 4692 RegSvcs.exe
4068 RevengeRAT.exe -> 1028 RegSvcs.exe
1028 RegSvcs.exe -> 3820 RegSvcs.exe
692 RevengeRAT.exe -> 5092 RegSvcs.exe
5092 RegSvcs.exe -> 5204 RegSvcs.exe
5624 RevengeRAT.exe -> 1984 RegSvcs.exe
1984 RegSvcs.exe -> 3880 RegSvcs.exe
1488 svchost.exe -> 5088 RegSvcs.exe
5088 RegSvcs.exe -> 1388 RegSvcs.exe
524 svchost.exe -> 436 RegSvcs.exe
436 RegSvcs.exe -> 3788 RegSvcs.exe
6092 RevengeRAT.exe -> 368 RegSvcs.exe
368 RegSvcs.exe -> 4820 RegSvcs.exe
2116 RevengeRAT.exe -> 180 RegSvcs.exe
180 RegSvcs.exe -> 4124 RegSvcs.exe
6004 svchost.exe -> 1200 RegSvcs.exe
1200 RegSvcs.exe -> 3360 RegSvcs.exe
524 RevengeRAT.exe -> 3616 RegSvcs.exe
3616 RegSvcs.exe -> 1924 RegSvcs.exe
5212 svchost.exe -> 2060 RegSvcs.exe
2060 RegSvcs.exe -> 2528 RegSvcs.exe
3496 svchost.exe -> 1052 RegSvcs.exe
1052 RegSvcs.exe -> 5236 RegSvcs.exe
720 svchost.exe -> 5484 RegSvcs.exe
5484 RegSvcs.exe -> 5764 RegSvcs.exe
5524 svchost.exe -> 3552 RegSvcs.exe
3552 RegSvcs.exe -> 216 RegSvcs.exe
864 svchost.exe -> 3804 RegSvcs.exe
3804 RegSvcs.exe -> 4324 RegSvcs.exe
6112 svchost.exe -> 5516 RegSvcs.exe
5516 RegSvcs.exe -> 5772 RegSvcs.exe
5528 svchost.exe -> 1208 RegSvcs.exe
1208 RegSvcs.exe -> 5620 RegSvcs.exe
5388 svchost.exe -> 3096 RegSvcs.exe
3096 RegSvcs.exe -> 5724 RegSvcs.exe
3344 svchost.exe -> 4124 RegSvcs.exe
4124 RegSvcs.exe -> 5780 RegSvcs.exe
4756 svchost.exe -> 4516 RegSvcs.exe
4516 RegSvcs.exe -> 5588 RegSvcs.exe
1908 svchost.exe -> 5656 RegSvcs.exe
5656 RegSvcs.exe -> 2528 RegSvcs.exe
3064 svchost.exe -> 4484 RegSvcs.exe
4484 RegSvcs.exe -> 5136 RegSvcs.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: RegSvcs.exe, RegSvcs.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | RegSvcs.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class (2 IoCs)
Processes: OpenWith.exe, msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{278C0E96-A5EF-4C6D-902A-EE1F72898A7E} | msedge.exe
NTFS ADS (4 IoCs)
Processes: msedge.exe, RegSvcs.exe, RegSvcs.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 887842.crdownload:SmartScreen | msedge.exe
File created | C:\svchost\svchost.exe\:SmartScreen:$DATA | RegSvcs.exe
File created | C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA | RegSvcs.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 133518.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (pid process):
4612 msedge.exe, 4612 msedge.exe, 4496 msedge.exe, 4496 msedge.exe, 3276 identity_helper.exe, 3276 identity_helper.exe, 904 msedge.exe, 904 msedge.exe, 4672 msedge.exe, 4672 msedge.exe, 4672 msedge.exe, 4672 msedge.exe, 5812 msedge.exe, 5812 msedge.exe, 4892 msedge.exe, 4892 msedge.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid process):
2888 OpenWith.exe, 5692 RegSvcs.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (31 IoCs)
Processes (pid process):
4496 msedge.exe (the same row, repeated for all 31 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, adjusted by (pid process):
2852 RevengeRAT.exe, 5668 RegSvcs.exe, 2972 RevengeRAT.exe, 2192 RegSvcs.exe, 4476 RevengeRAT.exe, 5620 RegSvcs.exe,
3024 RevengeRAT.exe, 6004 RegSvcs.exe, 4708 RevengeRAT.exe, 3920 RegSvcs.exe, 1676 svchost.exe, 5692 RegSvcs.exe,
4708 RevengeRAT.exe, 5680 RegSvcs.exe, 3624 svchost.exe, 4424 RegSvcs.exe, 64 RevengeRAT.exe, 4904 RegSvcs.exe,
3300 RevengeRAT.exe, 4120 RegSvcs.exe, 4532 RevengeRAT.exe, 5316 RegSvcs.exe, 4068 RevengeRAT.exe, 1028 RegSvcs.exe,
692 RevengeRAT.exe, 5092 RegSvcs.exe, 5624 RevengeRAT.exe, 1984 RegSvcs.exe, 1488 svchost.exe, 5088 RegSvcs.exe,
524 svchost.exe, 436 RegSvcs.exe, 6092 RevengeRAT.exe, 368 RegSvcs.exe, 2116 RevengeRAT.exe, 180 RegSvcs.exe,
6004 svchost.exe, 1200 RegSvcs.exe, 524 RevengeRAT.exe, 3616 RegSvcs.exe, 5212 svchost.exe, 2060 RegSvcs.exe,
3496 svchost.exe, 1052 RegSvcs.exe, 720 svchost.exe, 5484 RegSvcs.exe, 5524 svchost.exe, 3552 RegSvcs.exe,
864 svchost.exe, 3804 RegSvcs.exe, 6112 svchost.exe, 5516 RegSvcs.exe, 5528 svchost.exe, 1208 RegSvcs.exe,
5388 svchost.exe, 3096 RegSvcs.exe, 3344 svchost.exe, 4124 RegSvcs.exe, 4756 svchost.exe, 4516 RegSvcs.exe,
1908 svchost.exe, 5656 RegSvcs.exe, 3064 svchost.exe, 4484 RegSvcs.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid process):
4496 msedge.exe (the same row, repeated for all 64 IoCs)
Suspicious use of SendNotifyMessage (32 IoCs)
Processes (pid process):
4496 msedge.exe (the same row, repeated for all 32 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid process):
2888 OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
pid process -> target pid process (wrote to memory); each row recurs many times in the report, 64 rows in total
4496 msedge.exe -> 1440 msedge.exe
4496 msedge.exe -> 1516 msedge.exe
4496 msedge.exe -> 4612 msedge.exe
4496 msedge.exe -> 912 msedge.exe
Processes
(child processes are indented under the top-level msedge.exe; signatures triggered by a process are listed beneath its command line)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdd9c46f8,0x7ffcdd9c4708,0x7ffcdd9c4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5908 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6624 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6348 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6284 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6112 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES309D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2B329AF520424F0E947D999707313DD.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4f6cajqe.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3129.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFADF5DE5F3EA4B3D988ED9192F9BB15D.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDD40B253B40433EB1F9E15C944D682D.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8ue1d7yv.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3243.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453D629AA6C4AC5ABFB9CBFD6481E4.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msfp_jak.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE438DBAFC5564B169E87776F5CEDBA6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sau6dqze.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES333D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BD2F9E93FDE451A93E660335C218FC.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azr5djph.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES339A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2A90A6454744550B3973F106E315439.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tp3fmnop.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3417.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D57BE99E0924577918938E778679D6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pdykvhfi.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC78FDB8A6CAC4869977E255121194E37.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bzadbbhh.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3531.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60308E2F618F41A0B9DA63B527466D6.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ociees-u.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES359E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16D4BBD0EB1142FDBCC873DA89C68C.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4k7cpaj1.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFDF344511554C5484892C6E1C2D77C.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ksmzu5j.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3698.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0657CA9A2624ED7A478B86324C36B6A.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xs0lyd2t.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3725.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AED91BC8EB4C7EA03ABF9C67E2BFC7.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gazlmvbx.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3792.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB20A3358AFAA4CAC818BAA037D58D3.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5vs77ol9.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32DA5F3D71BC41D6BF931C7F473FD595.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u7hgitnm.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES388C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB77F33FF5B7470A92FBED838319A685.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2cohqrf5.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3928.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA835033D3BF6466C87249A3CA47C6016.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmezvqcn.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF96EE99C60774D5FA568F31E90D47CFA.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n44vzgkh.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D01C1999244604B9BADD6F806F6919.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u47rvkud.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc902DEE553D84341BFD78FAEAC822587.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3huktm9.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc617D9C30E26A4738828FF75ED7CE35D0.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nimaaywy.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BB9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAF9187530AC47CB8322F98A5D10A8D3.TMP"5⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l-e--9po.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc896428B763E24A73BA4A1E289CD9AE22.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmsvhlj6.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE382.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41F50B99884F471D9C46C3AADEC8A82D.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t3umvzr5.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA1315BD2A9A42659FD372E289418A6.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_6xa6agh.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE47C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F66505666354A1A8FF57FFD8E4177E.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkebvcle.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB4F3D0F773524DDB9A2F7FBA3858B8F1.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owmpmtjz.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68A7D043CAB7430AB11ADF2E1FC1D1EF.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0rtaoyh.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE641.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF732B8089C5D4E79BB1624C5A7E1AAA.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7a8fltp.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE69F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD97875101E354A7C8550D3154ADF7C17.TMP"7⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p7astr2u.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE73B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABC6DD003FC541388A376FA936DBA1C.TMP"7⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1416 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3611164816789463827,13725765752879140616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Flasher.exe (level 2)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 2)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 2)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 2)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 2)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7da2c19chd9abh4244h982fh3ae997b2fc99
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcdd9c46f8,0x7ffcdd9c4708,0x7ffcdd9c4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,11391322940708911404,3689870888252840898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
-
C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
-
C:\Windows\System32\rundll32.exe (level 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\system32\OpenWith.exe (level 1)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\Flasher.exe (level 1)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 1)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 1)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Flasher.exe (level 1)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\RevengeRAT.exe (level 1)
"C:\Users\Admin\Downloads\RevengeRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\Downloads\Flasher.exe (level 1)
"C:\Users\Admin\Downloads\Flasher.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (level 1)
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 2)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (level 3)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\ProgramData\svchost\DumpStack.log.ico
Filesize 4KB
MD5 9430abf1376e53c0e5cf57b89725e992
SHA1 87d11177ee1baa392c6cca84cf4930074ad535c5
SHA256 21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381
SHA512 dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78
-
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize 4KB
MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25
-
C:\ProgramData\svchost\vcredist2010_x64.log.ico
Filesize 4KB
MD5 bb4ff6746434c51de221387a31a00910
SHA1 43e764b72dc8de4f65d8cf15164fc7868aa76998
SHA256 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506
SHA512 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
Filesize 120B
MD5 50dec1858e13f033e6dca3cbfad5e8de
SHA1 79ae1e9131b0faf215b499d2f7b4c595aa120925
SHA256 14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4
SHA512 1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 f35bb0615bb9816f562b83304e456294
SHA1 1049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA256 05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512 db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 050e5e43397c8c9b85e9c863229d37cb
SHA1 0003f5862a9e0187442404f92bc7d6e0fbd83ec2
SHA256 77e3b1fa5dad25ec5d9f0f91bb51fde3c683484f647288c190720a971ddae5fa
SHA512 2a160d2715a1d47e657b0c0853787a24c48e720e69330c86bcc5a782f9f2fcab042f100d48866c5e79a92e93d448a161799adaea6a159316edcaa4e01fa4b258
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 1eb86108cb8f5a956fdf48efbd5d06fe
SHA1 7b2b299f753798e4891df2d9cbf30f94b39ef924
SHA256 1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512 e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ca93e6d-518f-4c2c-82de-8537dd4444cb.tmp
Filesize 7KB
MD5 7355e10073124cfe86a4f04888c405b9
SHA1 7f9f211e4d20dae24e64685339227428e6cad608
SHA256 66e6de3d03d272f37029bf5df4d142befe663f2429a5ff835dcfdf2b5ab5103f
SHA512 6b9d1b7a422bc68241a604456d334c5fa3641fda730a85ccd16bcc48cc78be240c603e1c8034acb9e9471084c3ee60fd0bde6e8e3a126158af8281e599667d25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6cb603aa-cc5d-4bb5-adad-3df5b9a11f92.tmp
Filesize 8KB
MD5 8633f2dd0a5a069bf9b61c61084e47d6
SHA1 e3f7ba70c78f32894f1cec0ec6cf5c0ac8c83932
SHA256 65fffc694285c7b95aa547390afe099044798dc9176d9bef3f646886fd993680
SHA512 9ef9b194ec729eabc3bca5a7ad77dd7189e15de7d50bddb4b5e438dcff5a751db3151a31d5db127810073bb7045138e2a4fa9bba1ec881e31291da3003dac67e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize 195KB
MD5 89d79dbf26a3c2e22ddd95766fe3173d
SHA1 f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512 ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize 62KB
MD5 c3c0eb5e044497577bec91b5970f6d30
SHA1 d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256 eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA512 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize 69KB
MD5 a127a49f49671771565e01d883a5e4fa
SHA1 09ec098e238b34c09406628c6bee1b81472fc003
SHA256 3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA512 61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize 31KB
MD5 7757373a5ecc3cc8c8873175b7ad9d15
SHA1 0c84ccc4270c0ce81566c62edd4493f2bb671a99
SHA256 a79400716a751714826128aa4a8f050493c1798f96319d7d3225e1bf923c4cbc
SHA512 38f048abd876b3889b45f2a8efcccf6d73196880a9ee7388c4f6127311c640c15ef916474b2f72876fe30a0c29abb6438a3178d29af44b346ad2d6262074fc0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize 63KB
MD5 710d7637cc7e21b62fd3efe6aba1fd27
SHA1 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256 c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize 19KB
MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize 84KB
MD5 74e33b4b54f4d1f3da06ab47c5936a13
SHA1 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA512 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize 1.1MB
MD5 ae6fba4a8a4923ae8fb23bbe54365bb4
SHA1 fb04d11d5f8433a5149dbbf05323cdbcbdfaf3c5
SHA256 d3effbeee1babe87697c39dab95237973aef8f4755a273b3a04b6585d927f7f3
SHA512 275b997c5819b5c360b1f5f1a8239e6f7e1631a0c75677a4d428c8a25e03400314e8eca58f54af524fb93c3b609b7c47e60ae05a7ba874651ed58b54281a2ed5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 4KB
MD5 86a446634201bf6669eab5fc34f5e05f
SHA1 83b7e275d3b62ce80279563341a2750b0e6538e9
SHA256 63df5a1bdfe4954279acf3ab072c2f0af59f9d489d995fb0fcbd6a4afaa76c78
SHA512 2b0dd41929283cf996673448c0ecaaf2115be5548b8e973345b3bdc3292e2c3b4cfe90903af32213fe7f70b626913ec71f7ab04b4ba7fe652532ca33d123221c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 4KB
MD5 7a6f2fec50cc27d696915aeab2ddc30f
SHA1 5e08bdb55e0b8710d0f2d623421d45f3e1d75397
SHA256 33713b03abc5dd940d428b91a52ece580a4baa984a6e6f9f41e74c4bbb867bec
SHA512 581928c25aaeb1b8e44e227fb6e5b558f8690b394fb7d6d57a5482777e9dcbe728777c59c28298132096f13acd333e71484d82dd353f0af139df3ddc812d72b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
MD5 6b7c461130826054ba766eb3e5376873
SHA1 82d4f29ced109ac93400c3e37eefadee966a32f7
SHA256 6c06ea0c8cdc373d52136636ecd276baec89c39795c7b5640ac079d951b20e21
SHA512 a422ee2a762e81e493a4fc646240f83da3b270a5f8455c8dc60e15a1c9f3e3e6757f8f990be3512944ed4ad8af57e9f468f78d92d986cb7269e8fc437a0c85d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 4KB
MD5 2c450c455cadc8b7265337c5ae0b3bde
SHA1 fc7e9ae567255c0de732a4777dc772ccc5447741
SHA256 13b7bc0d20a78be62beb1e237c49014f21f8c984b780544e420c0fa6e63bb439
SHA512 e6413eee48ce1045b82fd4a3ca9ed4f6656fffebce0be6187849f6394b6e29a2f14bb4b18f2be83007c7b7b2cecb99b48a7d2284156c3ad09afe7f8d1573b89a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 4KB
MD5 b5b592357b6db83f5712d986c0ebd8f5
SHA1 45fc619b3af7db01097bc196b67e5e126e16506b
SHA256 ad4c93bfe8e27ee2e26336fc9ecbd31024d59d1268e7486501772e9a110f48b8
SHA512 b8561d21d34c3fc7f8f6f46316649f93b9bc64fd945c0b22271a46129d637ba82c6fb7f9ffefa836cb815603ed0dac881784aaa742492f34fecd6ab7bc3c1611
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 1KB
MD5 3da986a9d18d68225bd8167b87ecce02
SHA1 a8c59355a5592e963c085167375f75bbd05bd7ae
SHA256 bfdf8b791b1f530bd596e8385ebe755f1cb071d86257c9723c61b246f1b1bf4a
SHA512 043890c0887783a520839b7c4f4a32eb7ca6f62f6b9e98611314141eeae7b79962383ce70773e666eb86f92b5b031897a5d544da49fb5978f25b3c8c2e07a086
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 1KB
MD5 721758590b86e4b496f33abbb1d8051f
SHA1 8b7c3fd35f880233628993df4d17afa512f7a096
SHA256 546cf2b0ea8349894050aec16bf2fc3af4ca4c58906c699d7cc79924524c24da
SHA512 9b3abeecd37b7d6365518e246a2ffac0a7a29aef4ab42d925388d534cd7574c47299152c8b899e8ebb511ca218f276b758434b2cc52ccb2d360826379900f4ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 2KB
MD5 38e67f0e8ae4f6884b3d8dcf4e670f72
SHA1 c01ecf7d039a93b328d2455f1a6a64b2871ad6e6
SHA256 cb773b9b2bd05f254e24c758f720062dced7cc5ece5618e532c005c1f4ff372d
SHA512 28b80052a94c8a82f243ca1f996e2dc67829fbcaebbce2332a0c73d12c095afa2b6428f1267aa83af6b51e8ee4446885598a677cf598743713d0c0bd7629e9db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 b53b3e2df7817d3e7d9d99c2eedb508b
SHA1 ce444c328857ca43fe9ca258d293a77b4c1f6b71
SHA256 05bf62673976714169aa21adad63b4edfa76d783e5ac954a2d9cea231ed5aaac
SHA512 f72023f255824bd238f768a0d161fd2ba31692b7ef99a6b850dcf3fa83d2069290027ecbf1e923a7cf9eef3aa9416145fa2cf22151b73caa25fcee793ca991da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 54ff7cb5e0688b9aa406a567a58d155e
SHA1 4965dff49bfd32cc7e2c14e2eb9b05785884f177
SHA256 e922208317a524f449890451c9d8a28fefd6a81f45e4ca22136fbc28e4b927af
SHA512 9c7a227550a88cc7a24c451de18ef2e10130362451b24b05735a2f360109fc27a97cdd58beb21f1f8abb4cf1ddb22346d9f10675e0b5785a7f3e8d67910b978d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 7KB
MD5 8f0a4de7fdc81de659000ac77c83cf3a
SHA1 b81ae015e4d6ca3bf514430d46bb62c4ab706465
SHA256 b57a26d22b9b25d5b811baea129fae70962d39a6a715962ad013080034c57193
SHA512 64dfd685f3f001d04ef5658e5f7fff030ace2ceed8e5dc5956efd5fbb035d248d679bf392ec14381a6809365a480d43c710ef746eec2ac7049b912e363349f63
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 8KB
MD5 430c2e8114dd583d525c16f1a30a5be3
SHA1 b6877d960f7694f4e18db1e94f4799c309097c3e
SHA256 4d7294bbee5d4e65a9cf16da86a9af103147bad2e4130d60e307c7639e721d72
SHA512 43f493b4894655293bf6284661f0a26147131a99e90280ebcb9fdabba26092fae97f896e69f183624a57f80e4de6a03f7d2ac9a8dd7bdce726565a7d408451e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 7KB
MD5 0ea73fa635d933bcd395f00951365870
SHA1 442ce605f33199ab1e6e398ccc72d8c79b331b10
SHA256 5284eeb2424900889a06b44d3c6e3b0e30d25960ab0b623d362fbdc3f2907d4c
SHA512 30f27ed6d0a3d0866598c6007fb22d40d4684a648725f18433b88711f07225d1d8e7c269936baa37789d94b15f59e57e1efc477292cad59c3c15ace96a826d64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 120927214ea722bb009b3065bf195904
SHA1 65d8a71a4fc07fce22fc23e4ebcf416d91825b19
SHA256 f88ccb47b524071b1ca3b23396f831fcb13c585c4f7bc4ee778a208ff095a9cf
SHA512 db956d9143983b3fb8a8744e1e57b30a427f5f3279054394efa1411f79ba2db897fed13fa4677808aae3e3518b912218a3244fa188bafa665357715fd998d4c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 e62d3e95825a8ba586d50ee4ba1a5946
SHA1 93b8ab748c5fbe887d416893ee989bb6f2b69e23
SHA256 702376543dec07958138fee2f7097d9dd9cb514c256e4b9b249cfe1dc6223714
SHA512 c731d3a72153abe3130bb3f6223355cd5f8aee1cdf20a5ba237d03c7b1aef0ee41716cf6490949371fe2193686a6659a78f30bc56477978d8f4417f0bdd9252c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 0780b6b0dc013ee29ebb0843190eaca0
SHA1 9d5c519df02200fafb0708f7309a357c63341062
SHA256 713ffaf68c7603f6c629ef835385b991fe99c06ae861c276022448c15a3189ae
SHA512 9ea1b8019ca41eaa9fbbd10f7ff00c2f6e099f5c2970a20221d965c7463b8405f586bc61c0f400ce4eb9d882a6ce27b51066f344915d091aaf69fae4eb8bd550
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 4982d7c58547055bd46859635892fc46
SHA1 44ca607135edb9638867ad1bca77ed47b608b34d
SHA256 4812fe23030404cf11642e4864ce7876ab948c3cae1e117e2608578833a70667
SHA512 024d529b91acc150476611c3abb69fea177730428c07559339f814b5bda33edcc7bfc96fce446b5b21bc8b6ef04c6661ce930cd393a35c7443c6860010db01cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 37a9c0bd44ddc9acd7253281db1ef55f
SHA1 84f6c0b10c19cdbfe63ece9c83fd7a3e88f7799e
SHA256 15da8b5998b35fb66fab82f7cfafd7bdefc88444b42d7052352026af786ae7e9
SHA512 316e6744fc2d8ad19ff390dde1cc83fadc36b82c48baec40aabf709cd72b00e3d9446c89ff24634d0c6a29c5aef6a0e9fa6a457cf9a800ca7bebee9f528945cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 58382d54e1411f1535073c97730117a1
SHA1 b8f61c31eb40ea665af7251008b994321186a590
SHA256 820148ac500420e17761770ee16bbcebb966e19087919c58ac21c570695f827e
SHA512 3313a8284d20f15831a12e8732e6478328457f50d2c975eb2404897201dea54ff869355fad02390bb9cb18bd79c03b3ff82c0d80c35453ac4991a94bd0578ceb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 4eedd7ddad9068dd50bf5c4e4d0ccbd4
SHA1 2c032bc97ce99a059bd4c5d78957dae8f8a3c1ca
SHA256 03ff6d855a2c57bc55c27b744971093ee5b744ca81364316256d12ef77504fb5
SHA512 6e06616f25eeffc71250a62ad76cbc21f26d978f6ce15bac919ea132682dea1d7ef1804c87d1c09afc0e999717e47421c1c610601a7a4dd1d95361deafe42f5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 44bae4a03c04dc021c99d8db4583f56a
SHA1 4c22797dea45cbfc59fe14985d0958abced81921
SHA256 f0b7d45abb7128b011d31eb75ecde7dd966ce8be5e15449dc8ff757954fe1a9d
SHA512 a74ecd0a0acdc3edc32bf580645f77baa81f489eadd53fd188c9bd26ce9eb3283d229912be3ce4f638021ab81cc69e412ed7dfa3d2d029f5d5a6d45716f83577
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 a9f0345d9adecc423845fdd2989889d9
SHA1 2c9881efc51e49ce6377d65bb10a898757e1760b
SHA256 66934ea9fdf97f58bb48ccfcdbcec868cedbafdab496331050d3d66df9c201eb
SHA512 081dc1c28ded473bf34d42f438ce238d7ecc5a27fe05362fb9fb17f4806443a2087d2002ce5a803b1666c576ccf81728637a4f187b307c0f44e380604a1b5850
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 a3531be3fb578eef326208b1c0fbab65
SHA1 9ec44bf71ccd7139d676c55b32d9ed83943c5333
SHA256 4ab89ef50daaaa2400f6f3a6f5999d9fa37b77c69e51ae96259a23d4baf44694
SHA512 9260863ee4919bfa5bd81bbb6ddeb0ec64355f1daf0b589548845b7b2d30fc002b16dfd35dffc77f2ae3a76bbbb58b32f56b476e8f65ddebb94328d115937fd2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 3d3ece2976a87ad28d9f0ad4d0530f00
SHA1 3b29676e38ab50c63cf6aae7e2e809fee129f428
SHA256 bc518fc594c02dd650be438e84feda3e3da4d7c19ee2f02c2a632ba3892759db
SHA512 35da19d513cd30788797528bad599f37cc6493ce596a77ac28b1880991d8f33393fe5912bb9373a89deab164c7a70a74923bc3f4987dbf8b09e8850c0ceffdbc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b377.TMP
Filesize 536B
MD5 7713adbf1d4d23e3bc8bcc4ec47df0b2
SHA1 99e9787f4d8144f996db7235940929f79f808638
SHA256 a518a836951191ec6af3749300ee5d9c986365ed5954bcc8d91c964a24142317
SHA512 0f9b452512731b364a490900ed2243c2ed1b7ed0abaa906e0d2c204d78e6e788a3981e8bdc7c3f26456540e4815f55f4b2f02c24ab48cba9ae2d32c56c65b286
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 2f592050336a6a514d19ac117245cd7d
SHA1 ec4e2db2865873da4819ed27fa84f6a23cf06ac3
SHA256 2fba8eb1215f514bafda2d0add8007900e86062accd77f11661c4bf550628dd3
SHA512 b5a379789b7cb14fbbefd8f1fd33c2bb49e9a94ebee8d56e51c26fa39bb34f9de4c49fbf4b875c9f61353af3dcf4f858f379fc571f36b09d246e13fc3079496c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 911a67789fd3ba74ce8670eca6b48bdc
SHA1 349331fc407c590709e9d24a1bda80a3a7e4f726
SHA256 2a2afbe1b0384ed1bb6e5ddecf6d59bce2db106e15fd162e5f7251a901f433d9
SHA512 1779756416926ff7a6a7b223ed273db4c91f0902641baa40f1eb9a7fdfde2f717dd53db66b5475b439d25b07807869fcd91e052d6411934b33f0330e164c8552
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 bd4db83fea7a75b2d625992268f737b9
SHA1 ab3f84edaf748b80f70648bd70656f23931e0936
SHA256 38f1ad507b74d386be5bbb53eda885b2ac33e44c7761a3fea0facd7c1310a93b
SHA512 80eaa30b35153d9bf61713c36e11c79144a11413ad31b35a33a44d6043e7358b0e3f78ac830ada14dfc583878bfaf37f2ad710d73a656bcf90c76c614c191c5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 26c826fec54d1d84db330fd48de5be82
SHA1 ca162c3c700c67d450f92e60b583c162c23e0eeb
SHA256 247e059ef8593e4362696da22deea18048378365eb8ae103509d5d5354e0d3d5
SHA512 a0aaddef6cafccaf7920807308423d00fb7203577761b3e7917f8be06940fe61c56aca3715da7b0eb3cf9fec6b41311dd8cd73840c51e25d73d468424b8f164b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 8bc9c948de69f8fed316801fef44ef63
SHA1 5aef593cab07d7b86645c92a01e9e19dbd00d4fd
SHA256 3d31afd3f10e32f1bbe52cb042ac468e3c293a2fba492b70eaebf33aa249bd37
SHA512 ad62452d467b8d0b7c3d7769fd6682951f8a2c19fab4d8e0f6def1c19c69645f9230438de7c4fbc5382b3fa72bc604734b0158984a85de586dfc7b12916195d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 caf1e670f9838ef38441995407f9897c
SHA1 042d7596036af79296858d5e0c9b7940ab557f9a
SHA256 20b716ed606bde4d085592b8490e39b10d1d9f588b157e139cc456ae2453da82
SHA512 fada483598e4c36029b035e186d2572fe6b3531697dcacf1b945b1b7bc3e3ff9b66a4abcae3cda7c6a7724c2ec96d6764c91094ca20950ffef258830c0219c3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 0539c285b98010f2bd095a2752543f25
SHA1 8f9ec428316a55e0bb61c870c3ca235cb8cf0fac
SHA256 b87ad38e0cb149c62871d306cf3bda83b17e85923432349aea07922d9d81439a
SHA512 2e017cf5e8252f8656b1b6498f3373db850909a9c4cfdc2ab995bb4c7e789c1be7a63abd4af69293368c783c70829a3700e60d4c6a76a5d4b7a86e2e1cb3d67f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 598265c2cea1c3bff61c081bc9e54b77
SHA1 e579a0f597c1b67d49ee407bf35da707badf7bc1
SHA256 8a5da653a4667407b0ac2c10e1ea4bfa6171579d281fc51f304fdfad03cc55e8
SHA512 99701acb92995b5a56cbee50d710251a378f0910da0200438c1bc5cc1cae0606ddbdfddd2525553a678ea8a53cbafccf3fd45d625f94c840329a9b47fbeb8882
-
C:\Users\Admin\AppData\Local\Temp\4f6cajqe.0.vb
Filesize 369B
MD5 e4a08a8771d09ebc9b6f8c2579f79e49
SHA1 e9fcba487e1a511f4a3650ab5581911b5e88395d
SHA256 ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6
SHA512 48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1
-
C:\Users\Admin\AppData\Local\Temp\4f6cajqe.cmdline
Filesize 253B
MD5 6ffc8457674ace120f97fe6b4a66b677
SHA1 69808ac80f614198685c4644525c82392798ebe9
SHA256 1b85d4ea2e7eaea01ff67d1f419536350c72176c8c896649b5a16cd8bd779369
SHA512 e878b5add8827963c5100d654dffa4aedf90730def17e1bcba66c97cd6814b9d73d93bbf9275b106277a7aafddd58fafd398ca1ad27718db93b7b013a8bae6a5
-
C:\Users\Admin\AppData\Local\Temp\8ue1d7yv.cmdline
Filesize 253B
MD5 e7e1246605069f52b54e64187c029928
SHA1 babda1e6d3c52b0ef2acddbe30200c465a14798b
SHA256 50415c7264b5bb06a079c6ccdae356456efc038504d237a3ac6a0768f958201f
SHA512 6717c097ec9b9db8d0156713073902c335972d0b00d0ae861754a3adb45117a0b708764fd434affba8cd1e00cb4070359295c0f72eebc979ae2097dfb4e19db1
-
C:\Users\Admin\AppData\Local\Temp\RES309D.tmp
Filesize 5KB
MD5 967e5cbc7820bf1c996b80609cdea38e
SHA1 770ab4b72c638fd539f2b08e88d944dfeb98fc1d
SHA256 383a3f408cb8e254c2823dda910979d8b08794a3807885133dd2622eaa75263e
SHA512 95fa315245c68dc5948d097fbf8e72be7b6617a1fba7b5aa8053a85ee268ad7a4c6efafa42d2fd572e5344793d16c47e741867275d65ef728353e63243ab21ae
-
C:\Users\Admin\AppData\Local\Temp\RES3129.tmp
Filesize 5KB
MD5 f4268ec69fc482a168ae4928bb426a18
SHA1 ea9b97280c01e1585734c4c6ca805cbe9bb52032
SHA256 283f7a0035b9372c2503227b5383556b7e57285fb13a9e4c837be029f761f492
SHA512 f71f05d71af00212331a6445930596049de280289e194eddddac186fb3b9de990fcc32e29af53df7d0178cd5ad9566334e634aac77f822ab456c6145c4b0c77b
-
C:\Users\Admin\AppData\Local\Temp\RES31C6.tmp
Filesize 5KB
MD5 57bd2622c8b8208380da07be134e88dd
SHA1 bc70a791d61375c859abdce6c443c021f9677a30
SHA256 9e534a1b0c660a0c85d0d6c614d9b73d375b26087a60ee12c47cbc36aec69b31
SHA512 42c648044b47c04131e84786150962accb5288f47c4f52c5a643a90bba519928422e4bcc49b912fa0fbe52d9976172e6171466f73bab51470bba111bbe6360ef
-
C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.0.vb
Filesize 355B
MD5 acd609faf5d65b35619397dc8a3bc721
SHA1 ba681e91613d275de4b51317a83e19de2dbf1399
SHA256 4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512 400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
C:\Users\Admin\AppData\Local\Temp\hkbcw0_s.cmdline
Filesize 224B
MD5 426d46dca8498fe34c6dd19f70dae5f7
SHA1 a773f9e478bd6eaa97d14bb0b904414da4b32270
SHA256 995d7420a8445cca42e67fced5dcef840201164ea259142c8d3e0e6ab1b883b7
SHA512 eb4e127b9ad4342e1f0ad55a7536a567e2c328a286c0a23ae0606915b431d6f0d68bd795783f11dcacb591b1f212e0bbaac694c5b16ec9bd8f97375ca69ea909
-
C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.0.vb
Filesize 347B
MD5 8a280ce703f3d84f1c87d2039cfa73b0
SHA1 24d7d6172c2a210579852e5c40e273a4ab31dd1c
SHA256 6abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf
SHA512 3eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3
-
C:\Users\Admin\AppData\Local\Temp\tkiyt3f5.cmdline
Filesize 209B
MD5 befdb971d6f28dda3b88c60302eb2e1c
SHA1 febd247417725113c3324906a13cdd8b918b23df
SHA256 715f6d54c1d7675a6473de779f606b9c702880e8d67689f3e868ef2d932f5e7e
SHA512 323e73aff674a83b1829458265b93a499cadcb5e8481e2000dbf19db4dfe1a2c6483d226b4322aa38899be87193956f7be28b87f24d6afee1b122828b96bbc60
-
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize 88B
MD5 afcdb79d339b5b838d1540bf0d93bfa6
SHA1 4864a2453754e2516850e0431de8cade3e096e43
SHA256 3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95
SHA512 38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c
-
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize 39B
MD5 502984a8e7a0925ac8f79ef407382140
SHA1 0e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256 d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA512 6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
-
C:\Users\Admin\AppData\Local\Temp\vbc2B329AF520424F0E947D999707313DD.TMP
Filesize 4KB
MD5 7f2155903d9d46630c04b924131c70d6
SHA1 5c64cf895433b593496e5de7fe9f5c77ec98d33e
SHA256 496f2dd424b829f0ad914d9a78a686ac68c3c1ce5dd2412424c5ee0aecd4e18e
SHA512 32cb5486d97328f1001801d7d364f4cd56557af71331d60d4e8c78bb3bb1ec7040b14740f02e467041cef179db5e775cff8d2399badfa591bfb5f1f0a121d0a1
-
C:\Users\Admin\AppData\Local\Temp\vbc68A7D043CAB7430AB11ADF2E1FC1D1EF.TMP
Filesize 644B
MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
C:\Users\Admin\AppData\Local\Temp\vbc9F66505666354A1A8FF57FFD8E4177E.TMP
Filesize 676B
MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
C:\Users\Admin\AppData\Local\Temp\vbcCDD40B253B40433EB1F9E15C944D682D.TMP
Filesize 5KB
MD5 abeaa4a5b438ffa58d07d9459e5c1d6c
SHA1 69631de7891162dd4840112a251f6531feae7509
SHA256 ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd
SHA512 c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4
-
C:\Users\Admin\AppData\Local\Temp\vbcF732B8089C5D4E79BB1624C5A7E1AAA.TMP
Filesize 668B
MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
C:\Users\Admin\AppData\Local\Temp\vbcFADF5DE5F3EA4B3D988ED9192F9BB15D.TMP
Filesize 5KB
MD5 249d49f34404bfbe7ed958880be39f61
SHA1 51ec83fb9190df984bf73f2c5cd1edc0edf1882a
SHA256 fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b
SHA512 082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 10KB
MD5 a4aac64ff76b194b340b88370727f6f8
SHA1 fa71ea568e5b9ed34d1b7b489d49776b62b90a67
SHA256 0e4ce75e448e1fb5e5dcb2767fad29af098dd0323e20a1ab74183cb56e8f8262
SHA512 59d9ddf2b81bb691d2d944ed312ff9a2ab030f7221c6832e17f8007d72de38655f9a142e9456b90698b002d43baa1e4007825a81023dc541964d787d41b4ee4e
-
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen
Filesize 7B
MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize 3.4MB
MD5 1015f62df8f33a6f42655af19649ce57
SHA1 b727755273adb47dd89e8d8b35b5eafe3d7ad799
SHA256 90f79cfd07899c76f4c1f57250d333f985000b2188897bf9dd77c2c893a6bb5f
SHA512 96ea4fbc8ef2a36e244ed491574d38de2e3e7fa1c874548bf75e59d4b76ad118d9423ab41f42614b42f21138b14959068c85b2701dbda1eb89dce301aa72f2bd
-
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize 3.7MB
MD5 1e668d6f2db7f94dec8d2dacf7232dca
SHA1 0e85a0fe01e672262c35de0471045e5d29fada26
SHA256 dde43a9dedc0bdbf03b140c924e682b2182e586fa6163af2fb44ea13d44064b0
SHA512 fd141cebfce566ec5add8c6ae7b542ea5d143f7d6b3387fde3f1ff785faf4d25bfc51584d2567ef5c96ea37e1f355b2ff35244d3012f90a92a3ce7cdc391e13c
-
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize 1.0MB
MD5 45c8313d37fa7ad30ff4810b1c24b45e
SHA1 c869c611edb44f658710dfebcb3da9fbdb02513f
SHA256 605450019bae5a839f3fd3ae8b7bb22a312a07659b1bbe0185b6df786a69af9d
SHA512 ed2674b270d7035bd872787af1e6eea30949063efdbd36beef0cb1187a7388f57c351ee407710cef8f27ba78791db9957d3b15f19d5d54f2db724bf135eed01f
-
C:\Users\Admin\Downloads\RevengeRAT.exe
Filesize 832KB
MD5 880c7048980beb78e98d3ed2a437d07f
SHA1 c0cf66eb32dd8b00a6018fcf6013876acbb1fa6a
SHA256 712786b3091c4ebc61e68e9d9d501bdd7e5a824b9795ed2e55b8661d4ae9c779
SHA512 1d2107b3ebe04c61f27f3653ebf5ec65a5acd3a75b7083c78d3a61f0d8ac8c027b8c0a484f95ef37c36dbef7d2cc346bb16a4eb402a10eedb6986ef380a8aaf4
-
C:\Users\Admin\Downloads\Unconfirmed 133518.crdownload
Filesize 246KB
MD5 9254ca1da9ff8ad492ca5fa06ca181c6
SHA1 70fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA256 30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512 a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
C:\Users\Admin\Downloads\Unconfirmed 878511.crdownload
Filesize 3.2MB
MD5 f6cff4e8e066b5a291f3c08e449aa7d1
SHA1 2591c70e314df0b7c3e1015f7c537c11a89209a2
SHA256 d059c1f1ab9c702994d8210dcd21a78a77c1a864c4dba30babca4fb1c790f640
SHA512 178c5a434ec7e126895d31242f64d5735f8dac3b8ea6e802ddef144e4a0fc281ed45f06e8f6ff61f2ba0baf5b6777831fd93608101cc26285659041b443802e0
-
C:\Users\Admin\Downloads\Unconfirmed 887842.crdownload
Filesize 4.0MB
MD5 1d9045870dbd31e2e399a4e8ecd9302f
SHA1 7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
\??\pipe\LOCAL\crashpad_4496_UZPNLHOBKEQMAHQF
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/372-1070-0x00000000006B0000-0x00000000006C0000-memory.dmp
Filesize 64KB
-
memory/428-2000-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/428-2099-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/448-2011-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/448-2102-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/884-1132-0x0000000002210000-0x0000000002220000-memory.dmp
Filesize 64KB
-
memory/1476-1087-0x00000000021D0000-0x00000000021E0000-memory.dmp
Filesize 64KB
-
memory/1692-1121-0x0000000002700000-0x0000000002710000-memory.dmp
Filesize 64KB
-
memory/1756-1213-0x0000000000A60000-0x0000000000A70000-memory.dmp
Filesize 64KB
-
memory/1944-1046-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/1944-1047-0x0000000000F50000-0x0000000000F60000-memory.dmp
Filesize 64KB
-
memory/1944-1049-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/1944-1048-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/2188-2025-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/2192-1001-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/2192-994-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/2424-1160-0x0000000002390000-0x00000000023A0000-memory.dmp
Filesize 64KB
-
memory/2852-967-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/2852-975-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/2852-969-0x000000001B980000-0x000000001BE4E000-memory.dmp
Filesize 4.8MB
-
memory/2852-971-0x000000001BE50000-0x000000001BEF6000-memory.dmp
Filesize 664KB
-
memory/2852-972-0x000000001BFC0000-0x000000001C022000-memory.dmp
Filesize 392KB
-
memory/2852-968-0x0000000000F60000-0x0000000000F70000-memory.dmp
Filesize 64KB
-
memory/2852-970-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/2972-988-0x0000000001590000-0x00000000015A0000-memory.dmp
Filesize 64KB
-
memory/2972-987-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/2972-993-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/2972-992-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/3024-1029-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/3024-1030-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/3024-1026-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/3056-2034-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/3556-2046-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/3728-1275-0x0000000000AD0000-0x0000000000AE0000-memory.dmp
Filesize 64KB
-
memory/3920-1043-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/3920-1042-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/3920-1052-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/3960-2100-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/3960-2001-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/4052-2097-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/4052-1999-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/4424-981-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/4424-982-0x00000000016D0000-0x00000000016E0000-memory.dmp
Filesize 64KB
-
memory/4424-979-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize 48KB
-
memory/4424-983-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/4424-985-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/4464-1023-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/4476-1016-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/4476-1013-0x0000000001460000-0x0000000001470000-memory.dmp
Filesize 64KB
-
memory/4476-1012-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/4476-1107-0x00000000021E0000-0x00000000021F0000-memory.dmp
Filesize 64KB
-
memory/4708-1039-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/4708-1041-0x00007FFCC9380000-0x00007FFCC9D21000-memory.dmp
Filesize 9.6MB
-
memory/4708-1035-0x0000000000BD0000-0x0000000000BE0000-memory.dmp
Filesize 64KB
-
memory/4792-1050-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/4800-1195-0x00000000023B0000-0x00000000023C0000-memory.dmp
Filesize 64KB
-
memory/4824-1998-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/4824-2095-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/4904-1254-0x0000000002370000-0x0000000002380000-memory.dmp
Filesize 64KB
-
memory/5148-1294-0x00000000025D0000-0x00000000025E0000-memory.dmp
Filesize 64KB
-
memory/5268-2029-0x0000000000400000-0x00000000004A4000-memory.dmp
Filesize 656KB
-
memory/5620-1024-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5620-1020-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5620-1018-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5620-1017-0x0000000001860000-0x0000000001870000-memory.dmp
Filesize 64KB
-
memory/5620-1015-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/5668-1022-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5668-978-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
Filesize 64KB
-
memory/5668-977-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5668-976-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/5692-1333-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/5780-1171-0x00000000009E0000-0x00000000009F0000-memory.dmp
Filesize 64KB
-
memory/6004-1051-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6004-1031-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6004-1033-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6004-1034-0x00000000010F0000-0x0000000001100000-memory.dmp
Filesize 64KB
-
memory/6012-1265-0x00000000024D0000-0x00000000024E0000-memory.dmp
Filesize 64KB
-
memory/6020-997-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6020-1000-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6020-999-0x0000000075150000-0x0000000075701000-memory.dmp
Filesize 5.7MB
-
memory/6020-998-0x0000000001A80000-0x0000000001A90000-memory.dmp
Filesize 64KB