revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
110s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 15:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

revengerat guest evasion persistence ransomware stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 692139.crdownload	revengerat

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe

Executes dropped EXE 3 IoCs

Processes:

RevengeRAT.exe000.exesvchost.exe

pid process

4996 RevengeRAT.exe
4516 000.exe
5936 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4996	RevengeRAT.exe
4516	000.exe
5936	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Z:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

113 0.tcp.ngrok.io
90 raw.githubusercontent.com
91 raw.githubusercontent.com

flow	ioc
113	0.tcp.ngrok.io
90	raw.githubusercontent.com
91	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper 000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper	000.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RevengeRAT.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 4996 set thread context of 2524	4996	RevengeRAT.exe	RegSvcs.exe
PID 2524 set thread context of 2984	2524	RegSvcs.exe	RegSvcs.exe
PID 5936 set thread context of 4524	5936	svchost.exe	RegSvcs.exe
PID 4524 set thread context of 5220	4524	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2104 4516 WerFault.exe 000.exe
4888 4516 WerFault.exe 000.exe

pid	pid_target	process	target process
2104	4516	WerFault.exe	000.exe
4888	4516	WerFault.exe	000.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3004 taskkill.exe
232 taskkill.exe

pid	process
3004	taskkill.exe
232	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

000.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{7A13BC81-31BF-4F33-99D5-B5754A8DC868}	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

NTFS ADS 4 IoCs

Processes:

msedge.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 873697.crdownload:SmartScreen	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 692139.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 191745.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1196	msedge.exe
1196	msedge.exe
3464	msedge.exe
3464	msedge.exe
3032	identity_helper.exe
3032	identity_helper.exe
5976	msedge.exe
5976	msedge.exe
5204	msedge.exe
5204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RevengeRAT.exeRegSvcs.exetaskkill.exetaskkill.exe000.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4996	RevengeRAT.exe
Token: SeDebugPrivilege	2524	RegSvcs.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeShutdownPrivilege	4516	000.exe
Token: SeCreatePagefilePrivilege	4516	000.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: 36	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1648	WMIC.exe
Token: SeSecurityPrivilege	1648	WMIC.exe
Token: SeTakeOwnershipPrivilege	1648	WMIC.exe
Token: SeLoadDriverPrivilege	1648	WMIC.exe
Token: SeSystemProfilePrivilege	1648	WMIC.exe
Token: SeSystemtimePrivilege	1648	WMIC.exe
Token: SeProfSingleProcessPrivilege	1648	WMIC.exe
Token: SeIncBasePriorityPrivilege	1648	WMIC.exe
Token: SeCreatePagefilePrivilege	1648	WMIC.exe
Token: SeBackupPrivilege	1648	WMIC.exe
Token: SeRestorePrivilege	1648	WMIC.exe
Token: SeShutdownPrivilege	1648	WMIC.exe
Token: SeDebugPrivilege	1648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1648	WMIC.exe
Token: SeRemoteShutdownPrivilege	1648	WMIC.exe
Token: SeUndockPrivilege	1648	WMIC.exe
Token: SeManageVolumePrivilege	1648	WMIC.exe
Token: 33	1648	WMIC.exe
Token: 34	1648	WMIC.exe
Token: 35	1648	WMIC.exe
Token: 36	1648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5740	WMIC.exe
Token: SeSecurityPrivilege	5740	WMIC.exe
Token: SeTakeOwnershipPrivilege	5740	WMIC.exe
Token: SeLoadDriverPrivilege	5740	WMIC.exe
Token: SeSystemProfilePrivilege	5740	WMIC.exe
Token: SeSystemtimePrivilege	5740	WMIC.exe
Token: SeProfSingleProcessPrivilege	5740	WMIC.exe
Token: SeIncBasePriorityPrivilege	5740	WMIC.exe
Token: SeCreatePagefilePrivilege	5740	WMIC.exe
Token: SeBackupPrivilege	5740	WMIC.exe
Token: SeRestorePrivilege	5740	WMIC.exe
Token: SeShutdownPrivilege	5740	WMIC.exe
Token: SeDebugPrivilege	5740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5740	WMIC.exe
Token: SeRemoteShutdownPrivilege	5740	WMIC.exe
Token: SeUndockPrivilege	5740	WMIC.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

000.exeLogonUI.exe

pid process

4516 000.exe
4516 000.exe
2016 LogonUI.exe

pid	process
4516	000.exe
4516	000.exe
2016	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3464 wrote to memory of 116	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 116	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4768	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 1196	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 1196	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3024	3464	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe62d346f8,0x7ffe62d34708,0x7ffe62d34718
2⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5900 /prefetch:8
2⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
2⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
2⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
2⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5976

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mrl-gfsg.cmdline"
4⤵
PID:5924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE068.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CBA89DC12A541FD8B7BD9A8F7D6BFA3.TMP"
5⤵
PID:532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9siqcfp4.cmdline"
4⤵
PID:5588

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE124.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc646BB0D215541AA8C239D2865250.TMP"
5⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y76jm8le.cmdline"
4⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE22D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5751FF5D6E694BF689B756F399FE7712.TMP"
5⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqglshry.cmdline"
4⤵
PID:3552

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc615639969D8B47F9BAAE70143299BC2E.TMP"
5⤵
PID:6012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fcuy7f15.cmdline"
4⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8ADAE54C2A0461E8CC1175276A1BD3.TMP"
5⤵
PID:740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\el_ziuev.cmdline"
4⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE48F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc634482265F1F42DFB4328980D85B67EB.TMP"
5⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wpoi33wb.cmdline"
4⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA46F6DB6D6B43E9A0E139532488146.TMP"
5⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7_kba56.cmdline"
4⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE663.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B03DA4022A44EAA9DBD7C4928D3F34.TMP"
5⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gwissm6j.cmdline"
4⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE71F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7531656C3DC48CD9E081A45E9C679.TMP"
5⤵
PID:5604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6rwpokpp.cmdline"
4⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA4921378C88C4F83A4463AB966D93BD3.TMP"
5⤵
PID:5560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7oioejq5.cmdline"
4⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE867.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D6C3E8D96AE495F9AACBFF34D554ED.TMP"
5⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hxe5jgzf.cmdline"
4⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7D0CB78A1D84BCBAE4EC6E1D405E45.TMP"
5⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ph9jo_d.cmdline"
4⤵
PID:6088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE990.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc45100EB8F9894828A4F5B4118167889F.TMP"
5⤵
PID:6076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h0msmeia.cmdline"
4⤵
PID:5288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86CBEF653D2D44A99EDAFC0AA618C4B.TMP"
5⤵
PID:5524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ichtyfn.cmdline"
4⤵
PID:5972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE7AE272BD1746D4B0EBB1AC9ADDDB5.TMP"
5⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2nszwr6.cmdline"
4⤵
PID:5820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBE1F650C1FD457CB636691E94C36952.TMP"
5⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\47iidxvf.cmdline"
4⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D1DC7A8BF6A45D195C9A4C981EC9659.TMP"
5⤵
PID:6020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qkq-t9_i.cmdline"
4⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFFA4E6B87CA749F7B062F78B29418B6.TMP"
5⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zyxqwmug.cmdline"
4⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E842ADF26BC4FF682F4E5B41963478.TMP"
5⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zzlh7v-p.cmdline"
4⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73CB14EFF51D49FF92C8A5263C15469F.TMP"
5⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4un3r2m2.cmdline"
4⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE14.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA035FB1ACCB748778986706DB1199BF3.TMP"
5⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\revxg12c.cmdline"
4⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc631BB56F53B46C1BB7D8C9B73FC395.TMP"
5⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h4i44ov3.cmdline"
4⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF65075B09C534DFC8C1B354DF0F020F3.TMP"
5⤵
PID:3908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:4524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
6⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
2⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
2⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 /prefetch:8
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,12897864047238595887,11073637989091106657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5204

C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
3⤵
PID:4948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
4⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 4364
3⤵
- Program crash
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 4364
3⤵
- Program crash
PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4516 -ip 4516
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516
1⤵
PID:3052

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c3855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\DumpStack.log.ico
Filesize
4KB

MD5
9430abf1376e53c0e5cf57b89725e992

SHA1
87d11177ee1baa392c6cca84cf4930074ad535c5

SHA256
21f533cb537d7ff2de0ee25c84de4159c1aabcf3a1ac021b48cb21bb341dc381

SHA512
dd1e4f45f1073fe9ab7fb712a62a623072e6222457d989ee22a09426a474d49a2fb55b393e6cbd6bc36585fa6767e7dca284fa960ea8cb71819f5e2d3abfaf78

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
0ade54f37cbbfbb17fd28f631cb63f87

SHA1
1df5ff7e80f502bd2b5ee3beead7b3d47efaa7e5

SHA256
4fdce1ee315bff8064f0dd0d767862b832fbcd8516cceb0454608acacdd5de57

SHA512
bdc4857517319696a436ede1b09c659ad86d05b1e43242c56141deb915cdf620aa68fd0340b6860c72535ec3cd42a4d39ae7fe2b66368b4a62cb6dd118568196

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\43990016-1d34-4eac-b82c-94c17a102597.tmp
Filesize
12KB

MD5
102dbda69594986f3910f02ffdf9ce82

SHA1
a0f4d80b6733273a9dd9a278fff1a750e1a68c58

SHA256
b77af2ed165218c7ebd4d696eb8b7691210918ed3dd0f3e41a42e4187a2bc98c

SHA512
f8becd65a82ad94a23318d9b4158d011601e8847ea9e7f7f654461525aa9725b3e185de5c927422035480a3ecfadc78a8f8f881a4cbabeef7aae7f7679a00e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
3129941e02e6dab2c71eb21d18b2e4c0

SHA1
cb413738e5d0fe385ad1098b57718a1e628fe731

SHA256
dd33173921911979711e344ae4af20d05bde801c0a6296611c22ac6502e40cf6

SHA512
4efe777e41b4d6d905dc49cbb0b2d6169aa39ba9dc8980315c631a1d50aa369e02eca312c7ab21aba8e478e19659cb5fdb5f1f1200d3ccc5c66b14251d79248d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f139466f7b36f1fa28009ffa0b776482

SHA1
88f822d5ebe8e1c477afbfa43f766e1391f7b36c

SHA256
9487481851099069aab30feda58d7d7fc5e38a8098cb38af7bbb47cdb8d9a1a2

SHA512
9c484324200fb2e5b22bd30eafa1e94d5fec8925867a4ff35e5d64de8cdf784244a96e9cd5a155c64d85d949c31520ce2bda469e9b1804262e2a8809c7ef84df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8c9303c7ff3abfd6dc20d133d63945e8

SHA1
ae74f47044c815dd12b0009c8f04cc50e3f27f06

SHA256
3d4bd33734309b9b0dba50ffb0ffe4de3a9dacedeb9967b36e3b3b91f5ffd08c

SHA512
8e144e365fa120a0966ac0e5f349c04433035a1f9dbba1033a2e2af9524e84a0e0d1ff5453b2d51fc6767db4eff800d8f7c3ab3b32f79396a3e20352c06abda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6660fdd1ad978da8124f8bd6cdf4437e

SHA1
27f37eec26e82cbc819acc0159537945fdfe7fbe

SHA256
47dc219e5daaed65f0d81627252cba6131520ac32c3fb1afab1b1b83cddf27fb

SHA512
f95776386e716d832b1c8a244cd6a6f48a9ed686489f215a7147b7249f00a00c7c11718fc46e4ab7e59a4f0a7dd2caceb7764a135e85d4fcf0e264e909d49f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8dad074aa50199433dd9d3b5d04151d9

SHA1
f256aea9e62f3e2f831b51d46e30c7dac0899afe

SHA256
c767001c4dfec814c2051634c72f444ae8296f8c158574ec65fac0d046e7024f

SHA512
0f8775f7abce64f84e4a73e8f0165e5d7a8f104508dee96935f1101666da56d095814c76468ab00d6039e333bc2f2086943612430d5db63d1bbafea67b073008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b74251fa74adea3eca109d5a2b164e93

SHA1
d4a61440ca8b4253464aafcf0d1b14fd2307535f

SHA256
8094480af87504f9b842f4d92733a6d43bf8bca1a24e76a5614afc864a6918dd

SHA512
c295a0a8bba891bb6e14c68361c259fdd8e863af251dee6edc461329107572652632d6a7fcdbb5f95f8679b3eafa54f9016179c246aaeab5fccfeba1fa8ea095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
243d451bd0629ee42d4b80eba20b6cbe

SHA1
79fc1f28aa74742a0e8006555e23617e18161168

SHA256
d9396e2f1ea1e06a823dd069e7bb7c5e545adcad7943d7f909f0f6020f75c884

SHA512
134c13af34365a4353a83e3b5bd9e2bd7cf1666b6b8a02e7453adde20b3a8f93b39d385a1e877aada0c60db70d80c9743f6151a636df712630cdc302c2cafffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
156d3e203cdc1a45eac8d7e3f2ba6c4e

SHA1
6499a1a8da3198cb27a6138730cccbaeabd68be9

SHA256
b81e55c6f7393af65fab7c5ea5ed76107fc6aa726651b172123b560ff85789d0

SHA512
8f75adaa29b8807ebf39363aa29b7eb2833d1d49ed56711288d3a3a76844c24f05e3a0f672e6536cbd089ede36572098cdedfb9fa567219c253fa7bbadf01264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
42ff14f298f5d82c23a5fd29c6e5469f

SHA1
9283da40616b5f902992069d6108676479a33d24

SHA256
ade9e21975ba31fb90836eb9729a6b342b275031685919e1ce63089a9887880b

SHA512
4e8132821cf9808f0ca647850918a655f060ce0b3744153e9aa5124276ace1a476c4f60e21276c2cb937431e73dafa18a7d83d8c629a3be1423b245d9aad20b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e01127eb8c92f53f3f5217e7f7c105ad

SHA1
8b7e9e1ceb9e9f0f989583ba0de7bb03e6cf8b02

SHA256
5bb2e995c6b3c51a66a63dbcb0fffb974c6731eb7ae9b7883d8afffecb781e15

SHA512
0ccb206682ee669ae33648b623904e7884cca48a5c3823c4e5d1e797ef14dce34484f1ea89954f00e22d93a77fa973fbee6d6ce0e27b2dfa0e4a8d0e1c90de63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2a2d400efa1b408a7c7f36e2eb1a71ac

SHA1
e18c253926fd83d095ba5afcd1f9bfd19bd33920

SHA256
f825afdcc5b64ae2075a44f3e7d3b19e51e2b9777622eed4febd7e6f324bf453

SHA512
e003ee1b905135c1b7f2f05d40c13eebb5a634bef370f12039eb90399ec053d9c112433e710c3197f9589fcd93cfd5fa920eb98541fc18c7e691981ae65c3e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e35b.TMP
Filesize
874B

MD5
7becb6a6a033dcafb430e6db98e97463

SHA1
9c22866a56cf628f33f1dd1a9ba3dcbedd240c90

SHA256
a44959dc30494cee7354af969f5b8480e73efd0b324d755d4bea59e3e3f343d3

SHA512
790cc36450345d0880afe6981990cd5d841b9fa9f51d4871f747c524a102fe8143e952aaf864d57e30b0bb1200c812291ea66a0ccd712534850f74ec631f8476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ebd2d4f3-be37-42b7-b545-bbed6e9e07ba.tmp
Filesize
1KB

MD5
a5f5ff2a879e5dc52655ec46ef91a2d0

SHA1
f65fa320219763dfaee15d10fc38d99916b7769c

SHA256
e027d4d3897e3d18e0abe57d82df897a8e8a4e0e0dcac66d10dc61249ba71007

SHA512
6fa4f6df59fab641dea32ab4010dc65e173f94c2bb5b091b294c19af639adcd9a9d74fe8d6361528a26d424751223352e530ef50248fa3f67dd715d4907f7a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
1a834ca4f3231e102740a5fe51b264a5

SHA1
d2ba3625d594fa8c6032f19af95babfd42639e1a

SHA256
16b9e8ae574156d79febd783c1934b97d0aab1767a645e6209eeb972d4e80a4a

SHA512
b8e9c8f8f422eed744a0b0ba66566b5c2d861881097fd0b5d49c3f099c39e3df334dbd7455070efe064b443b9387159968b7e09b3170163ea278e98657e56e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3bdf88c9e7226a2b715d54f173f32b3c

SHA1
1183acff55824ba14d7b7ff55aaa2faf462d372e

SHA256
75bd00541b35a6f77edbd7fc83fb1fc43f03e46b1cc95b4237886b405be14fbd

SHA512
3de723ee8ca10fbdb1b24dec918592546e8076ccd9f8a84070568bd29b2c6faa4fcf2cbc18793d5661c40233a842fb8b92a1ade7dc96775abf984759f7bec05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
080ab534442421019b664d653f0facb0

SHA1
01cc365346b42e7691c56b738da6e02cd5caa5bb

SHA256
cc7036ec14b3279899527ca46b5f712071b711ab76904cfd4e797318a1647b69

SHA512
85f14faf8cf0b97fa196c5b00538e676fce3cd0d4a92969b0b482991ccb1cb3525cd9d1cf773c502cc4bd5ec56bf20ebda0860617397da440cc7e1542bc95776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
9d09ae6714938cd27b16cc949a35362a

SHA1
0ae0492bab07e53ef75ccae8e22a07d935f8b46c

SHA256
45e98620e6e84b0dd4a67058e48f510212b4ab1dafe87417ef2f72248ed54f4d

SHA512
253b3725eebdae25f61e3b377aad7114b94e05f1d2d7635dcb33256b0061720b5dc2c2587c07349e82c754875e5920def957be6624e0fc1e31bc2d9b55955dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9siqcfp4.0.vb
Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9siqcfp4.cmdline
Filesize
253B

MD5
a53269b1b7939a10a51d137fd138581c

SHA1
b5958da11329f3c26234d91016eccea7137f8285

SHA256
a23b689f49a4e4a26b0ff35b63c4c7853fc5c8831c521a807b9700d5e293613d

SHA512
29c1b4a5e0bf9e0db06ca4e311b80801b96091a1076da11a90fdb813afa8ede1e58b6e649d1d5418514d3067ed55673b0f25aad6bf410187992fb1ca28acbd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE068.tmp
Filesize
5KB

MD5
21f8afea468474fee436e9602890184f

SHA1
532e5b3db68fc1ae7a872a447a2c9428cc132708

SHA256
320c1e67294f3c66e26437989c3affc1618c910f356d8214129d8ce2b2f5449b

SHA512
60b2e8a1366ce98786e014c0a168c07d7d74c2f2f17f87e2c728c5cd49fff49ed41182a6b48fd9044031a431cfe96c7eb9bb52bc6cf48f177d7c9496dcc0d4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE124.tmp
Filesize
5KB

MD5
602f67fe16afea92b3f0e5a73118dcea

SHA1
62d3386cb262c0e1c8a72a33e19582478d1082d8

SHA256
fdb1dad06a49b1788cd69aa1c78f436de3cdadf979e7c590a4574c33ecbe89c5

SHA512
95294ccc244b9a829abf7c806815a61ba669982741b844484dbaf7d703ce42806b29a29219042de28fcae34e6811e99c3542b9e6be3ad8be59e873699d6a3630

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE22D.tmp
Filesize
5KB

MD5
a358d0c26ecf8997541ccb92a9b8093c

SHA1
6286fbe76731f7e74103b6bf78cc73775bd8e118

SHA256
e0a8e3c778add31b9efb2232a1dc1c93e973be1693dd34d17762227e86208326

SHA512
f7b24a93394e3919bb1df329acc417d1cec89950e8cf363a02fbfeac2fef0c205f5991dace6ff2063d44f5c49960775ce4dc532ff768ad7ba1004a4df1e4e5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2E9.tmp
Filesize
5KB

MD5
93bd063f229de0c2076b4bc661554d07

SHA1
7125c80d34c214a8753c7171e6af1753f5b53f18

SHA256
5a5ffb08c909b3578123b9cc318513155b01a882c61896185df1fddace112a94

SHA512
8322a09af0667c7d7232867d98fa468a24f3be6370ed7c81770461b3fc7bdc20cb41435f01e2ce36a5f2f27536426fdd41c7d5f74791691eb430b5126743df07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3C4.tmp
Filesize
5KB

MD5
ac4ad0846863abc81c056738a99322cd

SHA1
c569569d6a5d3ed7aad16933a54ce1cc5d79bd3d

SHA256
b2471d546b2271d4a3e38412a3257eccee100d30c1c4dae6c979833bf92d4f84

SHA512
795e76d7946f6c55966044fe208918c45351e5fcfd6712c1db0f77e28e6451751c35d54c51ddb1d369bb15958aaaa1c337f568477412fb4a6995b4633b8a7ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE48F.tmp
Filesize
5KB

MD5
dc230997cb56328dda44194365af30db

SHA1
492c5767e1f581c48a25aa3336db6c78f19200a3

SHA256
a800b7579649ade4a2c6c886ec3f911b7da030edeba8ad3b2b7497ab165f9c77

SHA512
842bbf04972e2d691685b0e013ddc499005bc5eb536151395570d610d206682341bf624106d86a452570150fcad1a17649843865a099d35cea0b5ce74592064c

Download Submit
C:\Users\Admin\AppData\Local\Temp\el_ziuev.0.vb
Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\el_ziuev.cmdline
Filesize
261B

MD5
468618e7a5e0ff3dadb5b435c5591132

SHA1
051fb94c296d995cc2f506d6fbb02dc4a26684fa

SHA256
3a655bcb9b90f695952dfb1302b253a8371f03511a2c26fb750325a32bd8134e

SHA512
15bf6c255e7f1ca6aa1280acfacaa1a82a1210ad327c78e84a6c8a413399ff7dac98a43599ab10a2f24810c33ade6d98a6b58ee6033d1fa5e4633fea90d922ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcuy7f15.0.vb
Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcuy7f15.cmdline
Filesize
224B

MD5
c4b49b3e9adeee0a8082e9de29f626f4

SHA1
85af1ea11c25837f2aaf9cb8727b2538ea5ef73b

SHA256
56a3cd7080bd9bcf70afd880d43da83b55e9a632907079edf77a7d054e858056

SHA512
3ba4c4f353aefbf9e6d622a106970ec51c9fa673640a2e81b0fce2e0e4a60d3ab10625572830c15e23e250ce6c4cf0ee50a8c276b2e95e44f561c45eb9f32283

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqglshry.0.vb
Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqglshry.cmdline
Filesize
253B

MD5
d55e893f699ae6ca97d28e2e47f69131

SHA1
0fb304d347b2dddac8e0c161a70ffe45deb040f7

SHA256
53129da484adaf2007333c71d69542fba0a16f4b098c8aaa43addff54129da70

SHA512
b6d54e5ef6e89bdd8b6bd6db59ad3a2dff70c88cf971b9bcf4c78cf7a6ed0b21d33a1abd589e8ac5756fec2ab5d729ff096ebd498deafc2d420cf5cbf8c4be32

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrl-gfsg.0.vb
Filesize
347B

MD5
8a280ce703f3d84f1c87d2039cfa73b0

SHA1
24d7d6172c2a210579852e5c40e273a4ab31dd1c

SHA256
6abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf

SHA512
3eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrl-gfsg.cmdline
Filesize
209B

MD5
ec952a43ad8e80853ac76db9a65b2b46

SHA1
5154416b3843f21934c3a01bb7152315928d8aaf

SHA256
85db257482a2723e8e01e9900cba9ef18382a2946a836c9536340950f003ab3f

SHA512
0dd81257393574311ade5e7bede4436f0c9210195e4eeafd2df1988caec71312a4e2e23d7d9019f2bf3fb87f89e4d6caaac6175bc79da3473d4597884ea71c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf
Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe
Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5751FF5D6E694BF689B756F399FE7712.TMP
Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc615639969D8B47F9BAAE70143299BC2E.TMP
Filesize
5KB

MD5
7e4ce7580c3bc327c53410cddb42d152

SHA1
8e995291b6e9f5627b683ab7607482c8d9465a28

SHA256
5f8fef687758dcc5bd26c06764e339f5eb82a8ed068ce65480a9f09941488cea

SHA512
9e68a888e337f4190a0756c43d3c67e28f6e1c6f6909115ffe931b87c53bad4c8e1ace4ae2b0ce085791ee2331894610de1ef278da81143a90b2c79ed6d6ca92

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc634482265F1F42DFB4328980D85B67EB.TMP
Filesize
5KB

MD5
0fe41c44eaaf7ded50fe09d330260492

SHA1
54b154b781c1bf68c3b545013f5cb6e4fd2a13a1

SHA256
7a14471409b282ce36b7a80d55259cd77eaac5383c048789d93ff9340b334dc0

SHA512
4c1b5426fc96ea97b127ce672446edc290d7237f900047e4836921ba305752d1858275cf6d8791b237fdda4a1d01c958da1473ae263c928a04753425f5290f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc646BB0D215541AA8C239D2865250.TMP
Filesize
5KB

MD5
df0393aed93cd03bae7647c37d7d9e49

SHA1
da2f26aebc827980e9b1e44f7937b0851a854882

SHA256
0ad159c1c4fdd6c87cd64ea57f09386789447518abfa3c5dcf3d926d2ecac8fd

SHA512
9e0226083f511f72dc4cb387858fa4ae747f201bb5d9942ca6a94fdce86e97bac68c98165bc5f60914e8ae1d3c5595f4fee367400babba9aa13ad582e80d8f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7CBA89DC12A541FD8B7BD9A8F7D6BFA3.TMP
Filesize
4KB

MD5
7f2155903d9d46630c04b924131c70d6

SHA1
5c64cf895433b593496e5de7fe9f5c77ec98d33e

SHA256
496f2dd424b829f0ad914d9a78a686ac68c3c1ce5dd2412424c5ee0aecd4e18e

SHA512
32cb5486d97328f1001801d7d364f4cd56557af71331d60d4e8c78bb3bb1ec7040b14740f02e467041cef179db5e775cff8d2399badfa591bfb5f1f0a121d0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF8ADAE54C2A0461E8CC1175276A1BD3.TMP
Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA46F6DB6D6B43E9A0E139532488146.TMP
Filesize
5KB

MD5
bbc52a959093a79d06ba07a59ace82d7

SHA1
4f793aa3ce5b0cd991d242998d54e267445dce20

SHA256
4ee2802b4283bc1d5a21e52947edfadee997da6d1a2aeee7b4dff9e4fc444c9c

SHA512
39161cb68b8da7c47d3034bf16d2fe5edfddcd88b36bcafd48923e5dc022883d45b07a9d78f57f0361a57a55d8046f958cc6deb785ef833221c2319743e7666c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat
Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpoi33wb.0.vb
Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpoi33wb.cmdline
Filesize
267B

MD5
7cc93de6bd73158dc70dc01f454fe67d

SHA1
6554589f126e9ce3e12a706397bbc23fabe1eefb

SHA256
7ddbf4cd4667df5bb71df761a3f500d0e50912a5486ede61043b954fce67ae75

SHA512
7ec111b8338aa3a2293a4e468f6ba0f59a5b30e4ca441f2e16c94b5ea9446fcf5accaf97c66ce7f9ce4f1c868dbd8f994c781e8d135abcdb4896b8c64e06e6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\y76jm8le.0.vb
Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y76jm8le.cmdline
Filesize
224B

MD5
8909578783fe0cab323eb0ebe38f7e1e

SHA1
c0290a48b6a6015f2a2d73dc4f40dc27f26cb348

SHA256
13755fce0b1e920a9cb08e3e400d4577575d0563b1cab4134289c142c80be761

SHA512
c2ae6611f0680324b1827ffc782c9c654f47132c807fab061836dc83c7f57037447a05f037bfb971676f34b0f87f78b1c797065405eaecefc796ba7bb0aa70e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 191745.crdownload
Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 692139.crdownload
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
\??\c:\users\admin\appdata\local\temp\icon.ico
Filesize
361KB

MD5
a4b9662cf3b6ea6626f6081c0d8c13f3

SHA1
946501d358e5e3b10223431e474607e0eb248796

SHA256
84a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356

SHA512
4e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33

Download Submit
\??\pipe\LOCAL\crashpad_3464_WETYNPFYXPRZUILJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/988-1379-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2524-351-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/2524-350-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2524-346-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2524-352-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2524-422-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2524-1693-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2660-1420-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/2984-355-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/2984-354-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/2984-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3508-1406-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4020-1515-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/4204-1391-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/4516-1577-0x0000000071FA0000-0x0000000072750000-memory.dmp

Filesize
7.7MB

Download
memory/4516-445-0x000000000B1C0000-0x000000000B1F8000-memory.dmp

Filesize
224KB

Download
memory/4516-463-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-423-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4516-1330-0x0000000071FA0000-0x0000000072750000-memory.dmp

Filesize
7.7MB

Download
memory/4516-431-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4516-1363-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4516-464-0x000000000BEF0000-0x000000000BF00000-memory.dmp

Filesize
64KB

Download
memory/4516-446-0x000000000B190000-0x000000000B19E000-memory.dmp

Filesize
56KB

Download
memory/4516-458-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-469-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-459-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-462-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-460-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-467-0x000000000BEF0000-0x000000000BF00000-memory.dmp

Filesize
64KB

Download
memory/4516-470-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-420-0x00000000002E0000-0x000000000098E000-memory.dmp

Filesize
6.7MB

Download
memory/4516-421-0x0000000071FA0000-0x0000000072750000-memory.dmp

Filesize
7.7MB

Download
memory/4516-471-0x000000000BEF0000-0x000000000BF00000-memory.dmp

Filesize
64KB

Download
memory/4516-465-0x000000000BEF0000-0x000000000BF00000-memory.dmp

Filesize
64KB

Download
memory/4516-466-0x000000000C030000-0x000000000C040000-memory.dmp

Filesize
64KB

Download
memory/4516-1343-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4516-472-0x000000000BEF0000-0x000000000BF00000-memory.dmp

Filesize
64KB

Download
memory/4524-1705-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4524-1700-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/4524-1702-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4524-1698-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4996-340-0x000000001B930000-0x000000001BDFE000-memory.dmp

Filesize
4.8MB

Download
memory/4996-343-0x000000001BEC0000-0x000000001BF22000-memory.dmp

Filesize
392KB

Download
memory/4996-349-0x00007FFE4F310000-0x00007FFE4FCB1000-memory.dmp

Filesize
9.6MB

Download
memory/4996-342-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/4996-344-0x00007FFE4F310000-0x00007FFE4FCB1000-memory.dmp

Filesize
9.6MB

Download
memory/4996-339-0x00007FFE4F310000-0x00007FFE4FCB1000-memory.dmp

Filesize
9.6MB

Download
memory/4996-1441-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/4996-341-0x000000001B330000-0x000000001B3D6000-memory.dmp

Filesize
664KB

Download
memory/5220-1703-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/5220-1704-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/5588-1331-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/5924-1308-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/5936-1699-0x00007FFE53AC0000-0x00007FFE54461000-memory.dmp

Filesize
9.6MB

Download
memory/5936-1695-0x00007FFE53AC0000-0x00007FFE54461000-memory.dmp

Filesize
9.6MB

Download
memory/5936-1694-0x00007FFE53AC0000-0x00007FFE54461000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads