revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/Adwind[.]exe

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/Adwind.exe

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 485364.crdownload	revengerat

Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 2 IoCs

Processes:

RevengeRAT (1).exesvchost.exe

pid process

3960 RevengeRAT (1).exe
2432 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
3 0.tcp.ngrok.io
10 0.tcp.ngrok.io
27 raw.githubusercontent.com

pid	process
3960	RevengeRAT (1).exe
2432	svchost.exe

flow	ioc
2	raw.githubusercontent.com
3	0.tcp.ngrok.io
10	0.tcp.ngrok.io
27	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

RevengeRAT (1).exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 3960 set thread context of 1432	3960	RevengeRAT (1).exe	RegSvcs.exe
PID 1432 set thread context of 2272	1432	RegSvcs.exe	RegSvcs.exe
PID 2432 set thread context of 2484	2432	svchost.exe	RegSvcs.exe
PID 2484 set thread context of 1496	2484	RegSvcs.exe	RegSvcs.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133557070778865663"	chrome.exe

NTFS ADS 3 IoCs

Processes:

chrome.exechrome.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT (1).exe:Zone.Identifier	chrome.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4440 chrome.exe
4440 chrome.exe
572 chrome.exe
572 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe
4440 chrome.exe
4440 chrome.exe
4440 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exe

pid	process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4440 wrote to memory of 4640	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4640	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2348	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2128	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2128	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4996	4440	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/Adwind.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd76a69758,0x7ffd76a69768,0x7ffd76a69778
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:2
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:1
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:1
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4952 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=832 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4680 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:8
2⤵
PID:5100

C:\Users\Admin\Downloads\RevengeRAT (1).exe
"C:\Users\Admin\Downloads\RevengeRAT (1).exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Checks processor information in registry
- NTFS ADS
PID:1432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1bqmqzcz.cmdline"
4⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61E0F8E8B5E442A9B5DE314F3AEA2CF.TMP"
5⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vh4kyi_d.cmdline"
4⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB66BD05DC7B743ABBE10AAC1E6DB95FE.TMP"
5⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\roxmsboq.cmdline"
4⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc927842EDF3847D8A5A3B2E1325E65C6.TMP"
5⤵
PID:280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pevurp3f.cmdline"
4⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc223E487D175E4C5BADA2947243FE7389.TMP"
5⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lkgryhvd.cmdline"
4⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6592B02B8F3F4FCA8C7E7EC232FC727.TMP"
5⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c8xkawj3.cmdline"
4⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CBEBE893BCD491185FEA8B7B7172E42.TMP"
5⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fclddasw.cmdline"
4⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EC8D42B422849998A45F6AF1037FACD.TMP"
5⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uzewnjbg.cmdline"
4⤵
PID:4924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES797.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAECF094127584FDC9B39D83325211E9E.TMP"
5⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tengqr84.cmdline"
4⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES824.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78F8344B42D2402DB24F2592EEF9CE3.TMP"
5⤵
PID:1332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhloguo3.cmdline"
4⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES891.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA80551F28950453882102BC2165273F.TMP"
5⤵
PID:3772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cquw7ost.cmdline"
4⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19B88AA9F586439A9231844E8976D81.TMP"
5⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x1y6nkyt.cmdline"
4⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46E16C5E689B49BE81CB78321F119E30.TMP"
5⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j2fzo-pa.cmdline"
4⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B54D4A6F8DB45B488835C6F3D1E280.TMP"
5⤵
PID:660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vynq7wgh.cmdline"
4⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc11B82313779540AA9B72EC291378472.TMP"
5⤵
PID:4856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2bbyx7yr.cmdline"
4⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2A1E10E312A41B89476732599B9B7BC.TMP"
5⤵
PID:232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x8i4ga90.cmdline"
4⤵
PID:4616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5E253501D1E40D7A7A9B5E636F1B1E.TMP"
5⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jkhp1hvt.cmdline"
4⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc925BEAD59CFE4C88A8EC8DEBFDAAC2EE.TMP"
5⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b9lbgh0s.cmdline"
4⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D24491082D54FF984DCA2BDAE597B39.TMP"
5⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\umavopk3.cmdline"
4⤵
PID:4236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E7F5B7972F648C5AA4E6325828B48D1.TMP"
5⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xyqadjnj.cmdline"
4⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB85DF25D54BB43E195D69B28D0115739.TMP"
5⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rgozn2rm.cmdline"
4⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4F5D987DAFF4128B8AF8014F648B4BC.TMP"
5⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ya3-wo5g.cmdline"
4⤵
PID:3368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAB9238053564009A3CF9B88770428E.TMP"
5⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b18amtrp.cmdline"
4⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD1B5636BCE4DA78A733B3289B8F4A1.TMP"
5⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hp0c2llx.cmdline"
4⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5398EBEAD434158B867EC47AF2FFAB6.TMP"
5⤵
PID:2576

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
PID:2484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
6⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5744 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3124 --field-trial-handle=1816,i,1639954072201184362,1574065475113731406,131072 /prefetch:1
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\DumpStack.log.ico
Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico
Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\12a22093-5fb4-49fb-937d-1593a455117c.tmp
Filesize
7KB

MD5
2d995c4a80242be1f97fddde112b0dbd

SHA1
c4bd14a31dce35c893a97bdb99641e3a12bb9004

SHA256
c8835e493cbbf6c10e316cbe298f51336f99021592c3d46ed916dcc0b1790740

SHA512
166d92876a8fd9f194b60b7d6492d74c7aab7fc99612d3dd5650b85eece4a4a7f84ab66ddef8c39aa51da2d1eb7b00102377ebbd085fbc3ba89c75369229b795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
Filesize
197KB

MD5
5e28e72b443ded036a4cf369d0dda3bf

SHA1
0500de4480a54243b12d096745c6ba04c9479e66

SHA256
15fc7a054efbb9f76d937448fbb4814d7b3f25a6d137e24c1a69e32947eae71e

SHA512
7d17a5248e54e4dda8fd17a4d662edbb274629161a1e25b3b7f7f5112541663a5040788177268c53b2c78bc7e6d2204ccfb342d93c2ceec0a12d8a41788c088b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d55485a081480519de1b9db6692b3043

SHA1
018aeb4c48a59c95716d17cc0e0e432869f15d4e

SHA256
5615e1324013a9e5e82fbcf56b3dec98ea988b5a53aab84c55b4ae22366feea0

SHA512
f6657235a5767ee8fb02ca672bc31edead168a476080e0e1b79d060812dd56712703550e36c2e13e61aa6003f7fbe35da016166472d2223d3426c06c1dd20087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
6a296ad5fff04f9ca0c6a7aef272caed

SHA1
c559dff829ffaf4b53f02efd5ea01963bd90af9c

SHA256
14439e2401db56543c8821cbaab999af4284fc05bf190a28634b0ac0be17bfd3

SHA512
c4dd7c1490c98524af1b911c4a61ef2ef09dff7c10d7ee2197c3b20f2cb78dab6192a43c630b7b1624f22ce54b8e9482dc4e9fd6bbd4075664d2b1361c2b28aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\41f43cab-13c8-4625-8b7c-54c1c2e3fa01.tmp
Filesize
1KB

MD5
c5266a5cbd639e57c0c18bc53932245d

SHA1
b586a36010f22999f99398ccd14292570e6fc1f9

SHA256
e1dfb20c948dbda74da8a0248ea7e1ff298acdeeaa9751e7c630ce05f9cf0a35

SHA512
7f4c8b93208a498570cbaf511a3a392ff642fe114922da6c0024ed591538f353b9a74050f245a76bc01eb7036e0a2f3d9d6dcffe3a9f77eb3c5fa640df0c8aef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a51a5b7e62a7e6b4950e6ad21a252e3a

SHA1
6283ecf39c4febafbb4f2018ae876de9d39fd816

SHA256
35802ea6e46cbc6b198998f7498c2800db8891ca5266d2e9baf9d8b431ea849e

SHA512
58bcaaed35eab7f731f939621367ddcafefb7efcf49ec36473889309718189551aa569d46d0170e9bf5c9b1f94f73a8f206b9ddd8fb5c96311f0a3c2f9b3fbd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ca30de58bdef5b8267f01aac59e4d807

SHA1
e005dc9a4a382678f432773c4ccbf3c13aff51ac

SHA256
8641d7338f52a5fdc4782666c833eeb8f22905b21f43bd2501eb6a1f5023ff76

SHA512
4c92f9b4441b1f5ff7e9fde6e9d668605c53ead64d5add4b8fb6c291a1f21aaf0c64bc5286b347aa6dfccdc5e7ac989113ac6ffae771bc4bfb76c6361db62a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
64115210f5882d5708bf85532fa8088c

SHA1
e7b55d2170590a96b43440b7944ed79faf0d5225

SHA256
677b89c5f492b327307db0a5f9230866af6b2eee14d7a3148a4fbe18f2d99508

SHA512
baf4061aa3833d9da71877df3a1cb3683b69585c4495b1f1b54ca6122be8a0b06c20f2fbd0f343a4040087d027551fca84ff52246f8024b7e96b61f18a4b1c3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b50a3d6fa81572faabd98b769659eb02

SHA1
2929d125a78f3ecf070892570a1560134a84c45a

SHA256
e11b2da0a2430fa283fccea655c1caa55bb5b9cb5f54c1d962b72b96c2ae0f1b

SHA512
ffc034b12fd279438e5dd7664d5ed3137cf2f1658553660e729b651c61c61dd497abd25c002a0268bf5702c048ee91daa4d2561bea7919189f4f7a92e773349a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
027a6a6f240c1865eb8f6984cb3b0ded

SHA1
b71296b03ae8173867bc48f6d941a882cf3187af

SHA256
e7f83d1dca8a578c7c109bbce04d57082a622fa80c28255ce69b795b008637e1

SHA512
054c8e5d9e968f6b009b0cc6f70a30f05a508991057db5ed84f9460fff3146e0cf0856e8a29c77542dd64e8f899b13f6a35df0d127c74ce70684a302e99c3d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fe37209945f354dfa644bcc27b400434

SHA1
dd5cff1f3c1e04bdbccb7fa70a38802b12100bb0

SHA256
701bf70664e614b81f851187eb23a4404bcf868fbea8d332ee99832fbeae2ad3

SHA512
65b8fcaa741fb5334f2e82b85502d5708b9eafd9a15935b76ab6842c7182b45384f5a41cf6f26f1c8b41cb2f6d459216b061114610fa59b9888924ca1a7fcafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
aadfea738b4b99a10abc4d585d6bae86

SHA1
cb65461416a347109f64e6e4c5bb9fa37f914fe1

SHA256
338ab8cb69ff563a1cb9b152f9b1a1391ba25a19b7846d9f42871b53ee883fe5

SHA512
5a37d502a45b14752e1a9f0d98e885fe461a5d012da094107065f4afcd2b32f27b1f3b68e6ce206eec183b7172304a1a366331d831e666a90528a5d97edd5733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7e84ff35b3099f7fe8114124b9fd0b50

SHA1
23ebb9360e9de2ecc6350a0a0ae0505b9ee5495c

SHA256
288853d48bd6b086f8e5a87152ededcf3fd307d1dee9e426c08cc3ad9616abf6

SHA512
468313b4c8964bf5a42cbe00ae4bcf2c7f7ab2f09036ed54e5e9d7a8652b020081be68593224a3a549f80e810c599b8e20e1b5f9c5a19374ce5a4945f97180f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a1628af88c37c3a2298533a1f29e1426

SHA1
1df529ea48be6a229696258f8d3c9248bae1be67

SHA256
4ed0da0c1e7df585607158e5a8563868c15fd21ee8989dd7e65f3fa51c9fbb9b

SHA512
113bbf937361d2399a35981a1723ad3fe6fa4eac263399230e5b5a49be0e1206fa99f38a1143506a691354f1a01e7089ffe266e97422002504e8b19f59eaff01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
718b45ba6c56c6fe665eb8a3f9da9bc4

SHA1
d4852881b5e66d96b8cfa5dd74e419976ba9b147

SHA256
c6debc07db9858b1f8a83cc83111bbaa9e2867d351e70a4c7765d39e7936e872

SHA512
669f3d89d463c658308924a8c9cd070ed4460b4acd9e7be33c0b798eaefc648fd59d87baa6033d488d1f0f779766a5157f8d7a439ef0171517883af7b92d8117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
088d0e06c8c6df77f22383baa1946639

SHA1
1a300f9cdf965014efcce62acf507220838f72ee

SHA256
15bd2a308f7afc6c01f6bb3044b52db25256c3a0f5a510732730ecb52520d530

SHA512
ee5a8ac4ecc7658f9df1d51c0523305d15c27cac0f555d0b0a2c0d1e54740bd06331698c05e230b4fa20be56c7588d03a21b1ea7dc6dd8a42654831207d9f878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
bd3a9362e3b1428050fec400f376c36c

SHA1
8f43d6f266815d20af92ed49820f27c1729c18b9

SHA256
da9e6a7334e5c96fec081c5320ddae6dbf504c10c0208db56af7ab90e0ac1568

SHA512
5f4979a1442cc556dda43ce1be37028955870e6ec2279740729bc1bb3fd1a5bf5a7a4ecfc84abff3d9ca87b1b5e168a7dab012a173fe36a9957fed6935ac6fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
121KB

MD5
1b3bd1d295d3b4e556f99effd44d3473

SHA1
a003577748a6222603c29e50d70efa476dbb865f

SHA256
975fa2b29ed5adf7c6944f8be455011a9b106fb97cf560e7cb7206095f940802

SHA512
db5553b8172715d617710ca25b499ea308fa333fddf07025f567e600e9f54ba313e9c407cb23165152b908aad9fa6daa4149a5310cc1342417dbf2543c193453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
117KB

MD5
e8a018d435051900ba83a1ed83932c2e

SHA1
49666364a5f31b1998d9b81fe7a3c2d8b5c28783

SHA256
2b9ff3697efdac5907add76f294d7b95847882ddcff0e1961616f5c8508ca076

SHA512
eb9702423490d6ecfdb32faef793ab6e56543f1df587b1ca870440a1e102c6461f9eda1d5ba3bd2fad2b8b3f1f811dc88017d5d75e6a1079c3067f7b5c3194af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580450.TMP
Filesize
93KB

MD5
7d7767c9d0906feb09e9d798166783f4

SHA1
5724a4e21755608c87654d94e8d63ab589039ca8

SHA256
d8906e383272f50223d930c3d2ff8a458040eb95b2c202a99e6bfefee624f2eb

SHA512
07535201e274f22f289ae65af4a49f730d6588f5ec1b5e9ce2d7b59f6b22648325cdcd5eddbc36136e3237970b0aa794b859ce71c29fe9411896d648249542c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bqmqzcz.0.vb
Filesize
347B

MD5
8a280ce703f3d84f1c87d2039cfa73b0

SHA1
24d7d6172c2a210579852e5c40e273a4ab31dd1c

SHA256
6abc297b9266ff140ff94573067be7dded9a27b340ca986d88c21d94cb912dbf

SHA512
3eb698c12c854e22f65cc0e93f37319057f7e1c797ff3faf1fc1c0ae5edbca6c8788605b05662af73d810c390c6050f9cf8efed48e8240097d1222b6bcd3c3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bqmqzcz.cmdline
Filesize
209B

MD5
edd8649c10da19190361f6527b400f10

SHA1
4b39a1a83a9ccada0f9920c6295b7dfe5b2390bc

SHA256
e68400f3362cb957d31777607b57dee3384a0dad31b59b1702af50d45df16285

SHA512
de910c648e98bd8171a0c97bee038810a352cd6f8afb473e5c105632a1c6f4de791f8d88734438943de9f36378505124ab21503e88c7c4f18a259d8d78c7cc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES361.tmp
Filesize
5KB

MD5
9f6b3033bacdeb7298cc15a886350447

SHA1
fe8117fd498824a3ad5bba05663bd444417be91a

SHA256
fd58de2a5937bfe7497639662226904dd9508660620608a32d398d6cdd6eca04

SHA512
188be803ac7bfa24ef8a8f064eab2c7d7694d7f5f9ac947f2c1b40c8b9d4657317634533d3c073ebb8971fb70f12fdc73dfa8f814f7699362f218ccd321805a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42C.tmp
Filesize
5KB

MD5
35e3699258aa34829dac80e71c925bb3

SHA1
f38a81e08282480774159e290f7c8fae8ec23ccb

SHA256
6a86a2827d1ed1dedf7e5f03906472ce91829af3dc949e922dd7be8d13c32b6b

SHA512
90f3365f7de1bea4a00c55f3ac052bbd68367b87ef4b0dabe389988ace34b512bafaedc0f802e63fe6fa96d83cb48c47233a80e3f56ba330ec23e0448681d1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C9.tmp
Filesize
5KB

MD5
7424660c51494b860243b9258d432e52

SHA1
0c62f6daaaf9dcb1b20793c23e24b93a32c819ac

SHA256
cf36d11dd7bdb5f4b4a6334fb8bc9f70f7a8cd960bcc753ea7dbc17b34ebec13

SHA512
f064e2dffef2dd384323490bb1c5094b66d402050ca4b86e89646cdfb44477943848db17cc3ff9ac837fe00dc7d3909748155c226e850a18e9c1802b31f22d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES555.tmp
Filesize
5KB

MD5
99baa7c50527a43f2cdba38a37538215

SHA1
fda6c4ee008ae802625ca4c4c66777c00db1639c

SHA256
975bf60ebd83835f192245d0ceade0b30957ca659e3378ff5bc955cfe1d4eb5d

SHA512
0e86aabb9987a587dd07369ea6d955b42ddb4c4530e4e8f39707d61fc0f2636ced1045478f4e9ac3b987a3808b945a61e811b97d74143b4be1cefab153849f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F2.tmp
Filesize
5KB

MD5
448fb61b1d4a0571fd77f89f1103ca15

SHA1
28e42698e97bb4844c60a66de8b287869129c13c

SHA256
c7d8d326df06279aed8d21a37e7f1597b4b8ccbd20c40e0e8717cc87921aac7f

SHA512
c0eb78ecda38ac97b3f1479192e3718388a8fd6fc375895b3b014e71822573f40b6c4bc15fa4f7c126a1cad26c18b6bc9e75df16586625e63d54598198d6b802

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES68E.tmp
Filesize
5KB

MD5
2a3cda67c9012ab13eb08f7051f4f875

SHA1
9ef693baac8e89982333bd576caa1b61df2cc865

SHA256
3605ff4e5bbcac8adf98ce0db1953c3c00b14a2e27fab96158fda411ede88789

SHA512
981188f415575019cdaf1d88db76da636348c1f61425747c4284fd9a1c1c1b64b3d41e9bf2a874f4ca964a76f4182a0c08e196b309dbbf7493e38b804c432219

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70B.tmp
Filesize
5KB

MD5
ce34cb61d9f510119bb0d643e2f061cf

SHA1
65de753a656698ba36395deb3970b0bad2371189

SHA256
469ff5280946b80d045e2a04b4406d1dba9cad0ad44eac9959dde4f09bcd2cf6

SHA512
d323b1d99af8192d66ffa4b3a64fd264643d6426a0a3d312983a55cae4f10c60635cc8dabea6941b46ce8196efccb112a443bbc8105e72d8b23eed6ce29239b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8xkawj3.0.vb
Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8xkawj3.cmdline
Filesize
261B

MD5
e9cc2f3ad8f1ca9cdca189efe01492d6

SHA1
f7b28e1527cbe53545d7550c0101d2c422e2511c

SHA256
039d0278bf7e37fc6a6def410e1f9cdc7374aff882a5524be3b4e2a9c1629eaa

SHA512
e86b532fde23c6d96c7b5f6418a241e5dd16dbb7f97b6f4f56b98204e179757a6797b28b79902eb4c9d1efe1980d5d17f95a13e90ebbd89c52aa7a99e1418f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\fclddasw.0.vb
Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\fclddasw.cmdline
Filesize
267B

MD5
adfabf97af77b88e85518d7b88d33010

SHA1
5d6c4466c859aab3cf66f9982f41dc81e40500b4

SHA256
dff2e07abb80def9b27625d1d1e3cc1d5ce68fc8b30704c131c0ebcab8f0f55a

SHA512
e2876fd5e4d2050bd5b56015999d90320ee22f3ee37c1a53fe66833bb2c8948a66f3bda2316ae337b2c3d4192052ee9c761620e4c58ac96bd976ad0d704a0189

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkgryhvd.0.vb
Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkgryhvd.cmdline
Filesize
224B

MD5
c2d6c78d15aa0cfccc20f0cf7919db18

SHA1
7f369f161a2c0f1bfc24fbd89bf425a6596f7b72

SHA256
c5557ff86e103dc7b2ff01b2a31d452adcbeaa576fa7a19d40fc446ed715a1bf

SHA512
6cfd5ec6abf5d0f9a81ad88a44d5c70dc7648939f33872cdef498580780b239cccefd2c051495873b0049282e32bd7d7b8be84221526917181c829a0da3b2f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pevurp3f.0.vb
Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\pevurp3f.cmdline
Filesize
253B

MD5
f2f64aa052784f807052e0122a479430

SHA1
f1520b07ae88537d399c7a8eee003db8d3bb7811

SHA256
63a233921f0cfdf3a0724f7d1f2afa1fa4ac677af14937b6f51ad90491a9f7a2

SHA512
a19a3430e60949b971898b9c31c9116c6961725400a1cfdc1b850a724e2608a9386977d81032a7da4718a0ee3c33c12ce8e349b07cf476f72f6f2b262dcd0c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxmsboq.0.vb
Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxmsboq.cmdline
Filesize
224B

MD5
c1958f08c7d4393aabf3822b06adbc9d

SHA1
6b4d634bdf7c442c4974e356d5c25b16ea8e082a

SHA256
c49feac63702796db8ebbd8e4f73f293fae0bb221f1f8f18a3f4c1601e4933a0

SHA512
51ef12ed1c590bbc6dc4e3ef46dfaa80e46ded74349107512a02c9258cf1c0373458ffd70dc94bcdf4e8abe329274227504f102a188b94bba1e00203cd4434fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
Filesize
43B

MD5
5acbc874379d0d1a2b4b708f40bad156

SHA1
c86f2cb979412a8587833db1d1c421686ffe5759

SHA256
af720af30a0fd7a2348cb79bf3d79b427c63b782e20e1cbb425c54a6fea8060f

SHA512
72b248be50b7281b880a3ae5a2ef0a51fbea88e6ce16ff70fb2f70f42e601cb41659e095305ddab4b139acf5870d0c4671367cc3a136bb5d0f5b093047d8169f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzewnjbg.0.vb
Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzewnjbg.cmdline
Filesize
261B

MD5
ae24b2dbe5c3ce3b9a7bdada762a1339

SHA1
91dafef243cb7dae304146e23d2c0ddf0b6c5cdd

SHA256
f2a8b1a077c8aa9458ccdbdc2cc6717eb00f274ab9a8b8f0971b4f5283bb4876

SHA512
01e9f596c03ab7e82404e508226bb14be4a10a3ec72d628798c7d6b5d0379a3b3e0f9e551e40971f934cc8a0a5973a4c6e417cef27527678630142d6da6f90c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc223E487D175E4C5BADA2947243FE7389.TMP
Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2EC8D42B422849998A45F6AF1037FACD.TMP
Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5CBEBE893BCD491185FEA8B7B7172E42.TMP
Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc61E0F8E8B5E442A9B5DE314F3AEA2CF.TMP
Filesize
4KB

MD5
33bbefcdccdaf60eed04963e79a70616

SHA1
05b74d77bb3c5896e6551a7d3008535011667ad9

SHA256
3b19c69d21da8c4db7a7f37f620863990ff449454f483a550aca0064d887e609

SHA512
6d7ec2991563a1f0d9db547d949d42b7db227fe7f65cc3373943024b47867a38d1d3432747cae1fcca7960014a825057b56e8a9a76ba5008f58890a9efa0b8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6592B02B8F3F4FCA8C7E7EC232FC727.TMP
Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc927842EDF3847D8A5A3B2E1325E65C6.TMP
Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB66BD05DC7B743ABBE10AAC1E6DB95FE.TMP
Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4kyi_d.0.vb
Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vh4kyi_d.cmdline
Filesize
253B

MD5
7f2640538568de48b9a003f21e486c36

SHA1
c491e571468518a4b75217503964531838149f49

SHA256
d18de3fb18ecbb73ab87d2a09cdb9182c47fcd7a0175a8790a752dd2b555acfa

SHA512
3299c68915f9710c2827c944be313250be45751c8ee2c10fea3cbda3da9ca81a08e296403898df4806ff3fb305fc39846c48e8fc8d12d1b02ee1f17b18fa0e46

Download Submit
C:\Users\Admin\Downloads\Adwind.exe
Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\RevengeRAT (1).exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 485364.crdownload
Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
F:\svchost\svchost.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\crashpad_4440_CJQCTILJOCPRZKHR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-504-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1076-547-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1296-415-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/1432-350-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1432-289-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/1432-691-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1432-291-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1432-293-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1432-676-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/1432-292-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/1496-700-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1496-701-0x00000000016A0000-0x00000000016B0000-memory.dmp

Filesize
64KB

Download
memory/1496-702-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2272-308-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2272-306-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/2272-294-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2272-296-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2392-610-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/2432-696-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/2432-692-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/2432-690-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/2436-591-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/2484-699-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2484-697-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/2484-695-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2536-558-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2920-436-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/3004-651-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3568-529-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3624-463-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/3780-580-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/3788-384-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/3960-282-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/3960-290-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/3960-287-0x000000001C4F0000-0x000000001C552000-memory.dmp

Filesize
392KB

Download
memory/3960-286-0x00007FFD62860000-0x00007FFD63201000-memory.dmp

Filesize
9.6MB

Download
memory/3960-285-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/3960-284-0x000000001BE10000-0x000000001BEB6000-memory.dmp

Filesize
664KB

Download
memory/3960-283-0x000000001B890000-0x000000001BD5E000-memory.dmp

Filesize
4.8MB

Download
memory/4404-515-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/4600-493-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/4616-569-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/4756-447-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/4924-479-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/5032-638-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/5112-399-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download