Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
21-05-2024 13:46
General
-
Target
https://cdn.discordapp.com/attachments/1242406758660706324/1242406880156979241/Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar?ex=664db913&is=664c6793&hm=4510031d315419267588364e6f80577ac03d5e399ab0f5d46ac5b46eb82031ea&
Malware Config
Extracted
nanocore
1.2.2.0
haxorbaba.duckdns.org:1604
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 55 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1242406758660706324/1242406880156979241/Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar?ex=664db913&is=664c6793&hm=4510031d315419267588364e6f80577ac03d5e399ab0f5d46ac5b46eb82031ea&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3916 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3360 /prefetch:22⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar"1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe"C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Chrome.exe"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Chrome.exeC:\Users\Admin\AppData\Local\Temp\Chrome.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp"5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD90B.tmp"5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDCF0118\Read Me First.txt2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC49JF8aoemdNMuQGpWAFW9lX2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC4_dakaSc7ePa5epYLx35DcV2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd83⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDC88049\Read Me First.txt2⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Microsoft.icoFilesize
361KB
MD5d3d3531d4bf5be053c2e5a970003f34f
SHA18c589076c17c2fbe09e34e67a8af3adee93cc8f4
SHA256d10f94716288e2a22e4dd61e6167f953dc096783da87ec2352b396229a54570b
SHA51250c4b0850fc575fe974cbcec4d394fac351a6a1091ecd1bcc4f18e7220c08b42e6c191e6376f5cd518e86f599f691db795df0ea772d0f133191f1689af37d933
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5de47c3995ae35661b0c60c1f1d30f0ab
SHA16634569b803dc681dc068de3a3794053fa68c0ca
SHA2564d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
SHA512852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5704d4cabea796e63d81497ab24b05379
SHA1b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA2563db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA5120f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
20KB
MD5f218c31d967d7d050e360b26b39df4c3
SHA13a03e2ae75080ef0755bf1a1131640e3ed773d1d
SHA256791410a89899725c497f590cb9138f238713dcf1b318340c18cf0682d52b63aa
SHA512f97d6fa798fbfa27b3578777d938c327a0b1ea1379c4e0d50d640e4682fdd88dc210d30432320140d5ebdfb6ef721f0b844801a81305c877cba1d3e05d0097c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD59411b250f223d16c182dc4a376e33bf0
SHA1a77942ce56fcbc9163b920957810ac2a33f1d955
SHA256939886c730f0f504c45523df3229017d56e19e03214335bc53df20d8dbba1fc5
SHA512aa98bdd4cf31da97d41ae7a679aa3483602526de9532da191e42d612a924ed90701b548fe4b3daaec210bc76c92bb29a2c52d22a8352b5cdb5507a911218a4a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD57df76d2bb828b9ea31945228432516ef
SHA1af8ca0eaee0d0d31f7096449e21de9520cef514f
SHA2563b930fce1cf167625df921f126fd8d20bc6536ede79040edc4e655be1f9e94ec
SHA51202640013f5df5ebd066eb1b8ba1bbe25607d3373468c319dcb5d473e81621fcd1b09eca9ec78a8b00d71312dfb7b42e2d65eb73f9b146bb9b9d89e367544494a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD538982ee789f62a40a5ec58e99176ae32
SHA160527d9b2cd26068adeac20060084a420735e1ce
SHA256433469f0053d4baef9450324d623e72171c122259b888a2eedbc15210bbaf995
SHA5125401b5caa84bd5cf3709a891ce8bfa083fd55bb4d0033dd6e3de5b8879903a35d0e678189ba2ac4dbf843efb695919c05668d8b1a7bf47be09feccbdefd100bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD50badbdf390984f72784a5c5f677b32d1
SHA1c928241b9937cd42aadd4e8a2858612c28daff14
SHA2567f5e15ec740c3152128d849a837fce24a4366858e2f621e19546d0ca5aaa3e6f
SHA51246d11c5c9338f5a90c919f2fe9d927997bc54186f080c27bec052213566e38614e4646186e624f28022e256d5702e32704bf7264541e552aea3cb1eae85acda1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e6500157a3f9a7d821b4402604aed109
SHA128cdb8ceb86a2fcfe8d5748419bd7b0d32fe98de
SHA256c4dba5a3ef312273e718f1835b7384ac369143505094b28c159032604af58ec3
SHA512f06f9e632a1731629c9e28e7c64b7819f987ee562ac6f744dfa904df8be0061ff830198e1792c886ef28770a6c0edf1590400fc9a605e2395b7c630a4b2fef3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5db27bd6028d7696ec420d33836dfdf58
SHA1d31663dd8e50ef3053ba172eda42b834b12d906b
SHA25616d80307b921ed21d8ee36c6f1f059e9d8a721b46dae3a6bd93cb4b0029f5cc6
SHA5127e1f597b1a9cea798967432d9705d6947c0175b4f44210dae99c7f06ee4098be3ed7cb09525a3390df39ca0c318ed823dffd8dc10246d1d4c807eca7d32731fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5488b3284dfa8eabecbb0c9a0d6d59873
SHA16cbf6f8b46e6226a732996fba19e66c8b652722e
SHA256ffa93036c5444968f47ad347670938c8c728187651814de0843cb4e76be77dde
SHA512e7d355fd099c5d3c21edbf126f9f0717ff2a8a396de80c76e3b1a43b7a78205c90c669c3615bf90c4ada2bc7ca47e89e621c0db818e3c2363a648c570257bec4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5514c0fd8cf694507977123a809649d8f
SHA1e5bcdb70fe63ff4c14654e4a7bfef60f6a99bc0b
SHA2564a0660f987cf95577cba967e44a9fff7452f6695edcfaafbf2cfa9a307ce8aba
SHA51250e0c17e3d4f7b2d0d04d9e63557eda28a7fa3582303297f770f9ee212ad02d4d9eb9d3298636a6d7bab20db0e8896c080b35f565f4a9951a1a24d18dc2322dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD50ec579bf5b3b56dcfed54f29641f9389
SHA1dec139957298f88c8f36b3ebb79b2804e6afb026
SHA256cc813b94ed37225f6797bf16d92c370d653299cf7579f928b144dba116ec1655
SHA5126eb551d05dc2143b4e814e23aad0f50903e9a86cffbbfb61d7ef1bf598add597c9514ad907b0309b0cb35a3199a59c1595f3c892ebc5bcb534a441af1ab48dd9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f35ed56-4f15-478b-8cb8-bfc3d4462998\index-dir\the-real-indexFilesize
2KB
MD5030f23317c9d1e243d7d573c2c3d21de
SHA101b87dd6b8765f8d9048be569023a50c52ce782b
SHA256f831ca4ed20985102ce08ab70f4a1bb712cc6457f5aeab84c1e5af699e66904d
SHA512fc3be46cfe086bf8dd1a4c46fe69cd68726c045f55deb194a85c48113f15ad3d9d65c207684b76172027887cc5792d58f9e2948fc9df6aaaf84047596f12f9dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f35ed56-4f15-478b-8cb8-bfc3d4462998\index-dir\the-real-index~RFe589054.TMPFilesize
48B
MD5ec1c289fd38ffbe8835cc9ed910d9c3d
SHA10db7d01a881d3d0e758aabbea93086b2e268da3a
SHA256b662e286bdbba5d32e402eadaab3655ae49045699054d2feba3ced6e3494e101
SHA5122c8fc81661eb7cf83da3c6a48d79517adfd7d72b8f8646d15ac5f6c64634b3ed7d1d078472f644ad6f74711dd80d5ad54c1b24037a07074275ee0752f822d790
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6cce51a5-7736-47df-9203-d4c97ada9f68\indexFilesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7b19a31-e1d3-4091-b020-4bbd466b01b1\index-dir\the-real-indexFilesize
624B
MD556f15920acbff1e8b2b7706fbd85f78f
SHA17b348057fcc634a4d724d59c3c6b8ecf5ad238d4
SHA25662417120170c2ff40aa93de3201d3d4e37691b6d8631056fd15f355f9cd7c072
SHA5128ad3ecf1102a0e77fbacc647a0390d939692a05257e1feac798c1c390e164ac39e25e2db33d2623bbb567f15177de62a41324db84b9a796f89f7b2b13db386ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7b19a31-e1d3-4091-b020-4bbd466b01b1\index-dir\the-real-index~RFe58946b.TMPFilesize
48B
MD59460ca4446be8c11985ea636eb1dfd85
SHA13d343d0564033e1f22df863f67256ca5b7058657
SHA256f233c07f02782773f831e0b5d83ae90fb36c21053b943f002b8676919fdaf503
SHA512afc84204a5b5f30baa2a506d8b2f41e8588181461eb72f3239d536ca5779a9b91225ff966e9ff61878b18efff7737a4f36e5ec6ea72564febac1c1343be2b423
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5310bac87624e8b73add36b6d1218831f
SHA12099e9e9439e6dfb5f366e07f35df2413b2f2131
SHA256b87c4eb0c95fba0a6ca6b31fa9f7b1d1fe405f930fc5fb1a66f3286b7dd92e4d
SHA512aa3e64a8514d187872fbf4bb4f7a23d266ada3c668ca02e7b684aa5248dd16ca2424da2f290b40eb01b275383d1b767e337a5e85a6c88f63797882941a11febc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD590e3a0a92ff266c9b17663105d9ba533
SHA1778d1c7aae5d2ca12a39f21b90d18525e6bb4458
SHA2560bfa17eb88a2c8fc0b2109b1c136d48d4ce96bd20fb69e7b3b4666af56275c8c
SHA5129c274efdddfc4d4f5fb2db9091f7a0b2c70cafb468b182ca66de079ff8fa74654597a43565ded1740bba1db59640e2509dc8c4b809b88c03be7bcb91a8d91b51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
155B
MD5f85f68a740799bb478e63ccee14317fd
SHA1b19299246815cc2e375d6e0030b6532b7d5f9345
SHA256e6cc979eedc74ab15dde63635a239002868b53c1b03535b9bc955beb70b617ab
SHA5126a17ea8d82c18f7c16c7455a805668dc9c8825f34a00e6f079f11643730172ee2496503290d5470da2283e50fc2384c7b25e5eae8f6e81fa9ac883ca63267c69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
217B
MD5f03bb0a4d38530c7cbdecac3f2ee3881
SHA106d8028f83d2e4cf94c502c096d112edb107d005
SHA2567b55e4e75149570fedcbefa25ce076ae2bca78be01bf3b9b9fc372960c32f26c
SHA51256832d628ed5fcf8fd43d7446d265e8005b25c2fcce98ea291e1ce7986baaafda18cbd1109a9038c3ad0c188c6b565360f97459c1f04654324de5af9609541ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD5da8c19963909b2033155e31faa9dfc46
SHA14067cd4dba98ebd4cc061c3e3dab932605802fb7
SHA25667fd0a27cd84845279b554c2f90eaa7989a55239cc3ca5ad547bb8f032df07b6
SHA51295d6dbbe18dc44048c13b6721af48e3fa2b57d588ed30cd4a4d2eaffc4f42f30dc5cef7a80f3d6f62eb3c8e421cfeafddd8df5de3297c58073880c7acd076fe2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
153B
MD52d83869a833ce5493bc8937632476d82
SHA1636959975af3a887196cc6437a7cc293dc78aa53
SHA25661c661f3616e3cd51cf2932e6ce5a640c24b210b34fe2fbd79a092e4a5a4bd45
SHA512a4a6395cbcabdc2af3a16a15470ebc80ce2cf9dac5e98cea8fc19b4ac93f8e73cb4e5cdc64165bd64d180aace37c896c06cfc7d59733de2f1a14a014a709c90b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
96B
MD5c3c7ef0c192d8ec7433e54bf3245c981
SHA1c1340b48e95b28edd1374ab887fd892443424e20
SHA256808685b53969e5a476098afdd91643e050125a3e6c4d66dce72d2648b3f48f77
SHA512485f13fde8553b26347be5b223f37a688d71e640c29879c8c448843baac393dc406072f8671ea3dccaeee6470b7d00d75f167c695fe1fbae8542a695674da802
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588bd0.TMPFilesize
48B
MD5c0b6b248918a80ea036a9a1e16cb1b8b
SHA1066fbc4e385ab0ba6b3850e611102f31c65ec3bb
SHA256fa0e1f89f8c8da9a471518bb0add02d65966f7e4ed74676e00ee4410171a2336
SHA512842e540c5d622a5ed35dd6623e91aab7494dcf7af7e0263d115da8207685051ab3fac5aedd7c09ae6f4c8fcbba6a62df0055c66af6df0911afafd0921a1ad486
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
702B
MD5ce644380d0d05350787f27a42f0e2405
SHA13784bc67d8f1e75902e4c368c2c70f7ec2bc2ce9
SHA256f8ef899e9518c730d79d9a13e918c79a964662d1015c04030ea1e27aee01be88
SHA512d51b9273dfc90783ffe0aa569817df6372cfaca51377a8dab464ff83681b26a220315f100c6711d303ec9daef494a2559a72658cefb351e8ea34c566a59ae489
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593c73.TMPFilesize
702B
MD54ab303f86f583ab5e784d0f50b6d06a3
SHA1c283132c0bcdb38ea91461821758e969e24bd1fb
SHA256218d68d4f4bfb673339e3c61444e95a4b7a99b9d88620575717c8af25a457ebc
SHA51283b97a09ee6902018396d83a2896c579d99a17bbbcc4e72774acd60f930be12e78636f165c1858be9c56eb66bc08167052025ae86d8ac7d87b3eb60a3ed99378
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52ab09f3e9a036bf74b36554050ddb177
SHA192875c5a3b58f236705930cb26c8ff694ef2bb1e
SHA2567b0048ec2a499aa06f286a68d7c9a17ce22c37152cdbccd5256021920f515238
SHA5121df55622d66fd55be2bccd56c4260f0900e4853de275c65e884d951275135a40d946ce915d6c6efd093b126d153691139305097226f4955d1395bae4f6061de3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51f27e061f4cc34e56b3215c97104542d
SHA17313b14acdf3e2e32590224a458b0ecbbe3fb2ee
SHA2566ae6071979517752c4a64cb4bf981b0cc561dd3b636cc12f1d785a34ce645f9b
SHA51221b80e62c160d6f968e6e0ccd36eea60b71e1d35c9c8f61472bce78e363abc0b10ed90d848d53a1110dfea5d0cfc628dbd78148d8dd0e72f77487782a88ae213
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5a158f1e69b1f13d5e0fe18d8d04193e4
SHA1b26f2ea215ce014f1be7d0d66f3b1c0643776355
SHA256312afc87f0232191b93feac3a870f4050bdc66dd91bf2e86d920f46cfb9e215c
SHA512b6c4d87f3ab1fc0ef37282899e8d93d9594dc2683ea93bd61b418b69c8f436d91065fd4ab5d41c676f29a7b60b9616ecfc6dca05cf17fc1fecc7322846761db9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD585f82d84ca844465aa9cb0b461bc438f
SHA1bd035d967ce36459e153b0a68b36469c8062c978
SHA256954b56bb99f9963dc1a28bbc05a2c1c47cf0e3dc8886ac86c219bc4697ed952f
SHA5123ef7c54c2e07eda7a34a17564dfbc22b22ea4f561984a9ddeca9f31976b38f55d7a3fe0eaa481f87227bb142fa9c10b946323affb1d6516679acd39e8e9509d5
-
C:\Users\Admin\AppData\Local\Temp\7zOCDC58538\How To Setup a Rat.urlFilesize
96B
MD58d61646db59cc7460b40bc79001a40a1
SHA1e43cdfb3d27a0cb4b4532053c27810abf06d415e
SHA256c5d1bc7427609e082195ad8db57c9b35b274e3df63a92d78917334425730d1e7
SHA5129eef7dcaa96a52d52caff6b9709f8377437ff201e976761eec8c35669f946ef111d7da9528c8f253f469969513e4ec5e6a5d0b861665254a6564f8c2d85d9f99
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exeFilesize
5.4MB
MD540051c0c72c3a595c043a36176790982
SHA1fe80449ab8e54b170b3edd87b3a0e4bc42a3455d
SHA2568c3e4bad225ee870b94204e46767d2e7de83644bdfa8293612136be34bf9ed7e
SHA51252a7762dbbe6c87e72dba30f13fc5ab4d71be0a5bdd5b37637dca50cdc2d494143ec2c0f84df9bf58f316775c26ac3c06bb1fb081a3491a14a9526c56207beef
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe:Zone.IdentifierFilesize
260B
MD5601c6105b363c6c102b4b1de135220fb
SHA1160e2536c311cf88c610d38a88376a0f261ea3ea
SHA256fb30db3640425050b433c76111278fe4a9de2033bfddf180833a6e1e24a11987
SHA5128f98f57c296b60343761c7d0dd5dc3068458588da513248afed8bc0f83f158b4feca0e8b7cbf8f4fa179dbdd014b5642625190a9242bdd1bc460fc1ab70bc044
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCEE339\How To Open Port All Tutorial.urlFilesize
96B
MD5e6e103fb45cbe55836826bc3410efcc0
SHA1ff589e9f655d3368571562711b954f301615d457
SHA25699e7a2772fa7b583be865188c49e15d8294569d820bb29be95cee538a6a5f494
SHA512d41fa5eb682f9c2a1eddcac0a79cdda9f7228b9080c843ce5e7aa1ef027f8c773733faa471e44ca76a37e405d5488c29f34e1785f149115bd65f01fb3b52acb7
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCF0118\Read Me First.txtFilesize
2KB
MD5c57dc84dd685fd4aeb3232e207fa5309
SHA1e12167393b0ec3245a5089bccf172841fcf22964
SHA256b8214c2073adf389495794253843b64d594d6b579f03ad7bfa824a50b2b35773
SHA512cbb2ebe5e0b90ced99f879a14d94ff5a9805e0f0727f6d57633fddca4ec942cea56c90c6f5ffd8ae4b83bdda9e486b79eb61c952a20dcb8eb1a13059bee4c0a9
-
C:\Users\Admin\AppData\Local\Temp\Chrome.exeFilesize
711KB
MD5ec4bf11a6689c525a9c02342919b81d2
SHA13e762f4bcfe9325548b50349bdc270bdd8a111f3
SHA2564480ba3f495510f75d218068c22164d98d275199ccdaf6e0f5b53cf355b8be80
SHA512c23360725bb6dcbe23106f5206a8e1e97366e6ef4baea5c81fe7d0c50916ae7e19cc85a4b9545c7c723aef9fee5ff0e845700a7ee3626530da1a0739df5b716c
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
5.1MB
MD5793becaa5c12f7e53866099e3eb47c67
SHA13400571dd489e51b20a7ec94fd33b697582325c4
SHA256cd7f39bc287566d487326c2d031f37795efcc15a51d9441a1c02464e99324ad0
SHA512175b3ba6ada54b85b0505d64f034970a36941a6395bb9e15cf9555277a8aa0297182028fbbd31f5f0d545cb38231b6c8510c6fd1867f3cdedc6a8f9931b301ff
-
C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmpFilesize
1KB
MD557ef41cc35a47d5ff922ec5a0d06aaa7
SHA10ae2172ca0e2578109243328ee57a68190252578
SHA256ba13669de506ecfb43f5dc2b2acb6f392ad3d7daf9c9ad1c56359c6405de3a07
SHA51258bdff3f27838934400b3bc21e69d8c2dfdcb0d5afc9ef5f4b0b5da83df603952abd6e804c3abcd50657f1c91dabc647d999f3d24b0b73990e3bd3abffddfa47
-
C:\Users\Admin\AppData\Local\Temp\tmpD90B.tmpFilesize
1KB
MD5a4f6fa4537e2dcf0d3e2802c0f070a4d
SHA103545095bfeddd7656b5b8547ab84a810324a94f
SHA256192ac26e1895b267149bde35c55327f4a441693495239da5899062924d45bd11
SHA512a4293123d718b0511a8301a7f536e403cecf8bc89f25f9dc4692b293eb8a554a8eb67993a26fe0e96792b6eb3573b34e9b270777cafe95c2383268da6d40fd2e
-
C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rarFilesize
5.4MB
MD5c560d5f45ad5afdebefef38744c86116
SHA1e957552ab4b41ecb26a7b515bcf9922063421308
SHA25687ce5afc546db895cf1e8dab630d6a6ad2583d38073101c19f4a8725f040d777
SHA5126c26362742eca5ca9b8f993ff84e93003d0a50d8d872b204f840e3a8e7c1bac68696a27b955bb87e8de3eb335fff44a65dc303da0f74d69c58d16b595e9764a7
-
C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_3856_PPTJFHFGRJGHVVYKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1356-315-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2828-139-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/5124-760-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-752-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-751-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-750-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-762-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-761-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-759-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-756-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-757-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-758-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB