Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system -
submitted
21-05-2024 13:46
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1242406758660706324/1242406880156979241/Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar?ex=664db913&is=664c6793&hm=4510031d315419267588364e6f80577ac03d5e399ab0f5d46ac5b46eb82031ea&
Resource
win11-20240426-en
General
-
Target
https://cdn.discordapp.com/attachments/1242406758660706324/1242406880156979241/Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar?ex=664db913&is=664c6793&hm=4510031d315419267588364e6f80577ac03d5e399ab0f5d46ac5b46eb82031ea&
Malware Config
Extracted
nanocore (family as identified by the config extractor; note that the Target URL labels the archive as a Revenge-RAT setup, so the builder distribution itself appears to carry a NanoCore payload)
1.2.2.0
haxorbaba.duckdns.org:1604
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2016-05-25T14:42:31.650976636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
3994
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (i.e. 10485760)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (i.e. 10485760)
-
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
haxorbaba.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 4 IoCs
Processes:
Setup.exe, Setup.exe, Chrome.exe, Chrome.exe — pid / process: 4908 Setup.exe; 1356 Setup.exe; 3344 Chrome.exe; 2828 Chrome.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Chrome.exe — description / ioc / process: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisvc.exe" Chrome.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Chrome.exe — description / ioc / process: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chrome.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Chrome.exe — description / pid / process / target process: PID 3344 set thread context of 2828 — 3344 Chrome.exe → Chrome.exe -
Drops file in Program Files directory 55 IoCs
Processes:
Setup.exeChrome.exedescription ioc process File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\SC.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Extensions\mpress.exe Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\RD.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\How To Open Port All Tutorial.url Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\notify.wav Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\SI.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Browser.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Opera.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\How To Setup a Rat.url Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Whatsapp.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Apple.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Archive.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Team Viewer.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Windows.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Word.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\PW.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\SP.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Stub.exe Setup.exe File opened for 
modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\TOR.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Ubuntu.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\RDP.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\WC.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Skype.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Notepad.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Remote Connexion.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Android.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\PA.dll Setup.exe File created C:\Program Files (x86)\PCI Service\pcisvc.exe Chrome.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\GeoIP.dat Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\SM.Dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Vmware.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\FM.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Plugin\KE.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Filezilla.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Rar.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Internet explorer.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Read Me First.txt Setup.exe File created C:\Program 
Files (x86)\Parrot Security\Revenge-RAT\Uninstall.ini Setup.exe File opened for modification C:\Program Files (x86)\PCI Service\pcisvc.exe Chrome.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Application.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Excavator.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Moon.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Onedrive.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Picture Folder.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Extensions\GoRC.exe Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Extensions\Resource Hacker.exe Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Torrent.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Mono.Cecil.dll Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Revenge-RAT v.0.2.exe Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\FB Messenger.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Firefox.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Microsoft.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Uninstall.exe Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Facebook.ico Setup.exe File opened for modification C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Google Chrome.ico Setup.exe -
Drops file in Windows directory 4 IoCs
Processes:
UserOOBEBroker.exe — description / ioc / process: File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml UserOOBEBroker.exe; File opened for modification C:\Windows\Panther\UnattendGC\setupact.log UserOOBEBroker.exe; File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log UserOOBEBroker.exe; File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml UserOOBEBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource / yara_rule: C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe nsis_installer_1; C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. (In this run the only process listed for this signature is taskmgr.exe, so the hit is probably not attributable to the sample itself.)
Processes:
taskmgr.exe — description / ioc / process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe; Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe; Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe — pid / process: 3816 schtasks.exe; 4764 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe — description / ioc / process: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe; Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 4 IoCs
Processes:
msedge.exeOpenWith.exe7zFM.exetaskmgr.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings 7zFM.exe Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings taskmgr.exe -
NTFS ADS 4 IoCs
Processes:
msedge.exe, 7zFM.exe — description / ioc / process: File opened for modification C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar:Zone.Identifier msedge.exe; File created C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe:Zone.Identifier 7zFM.exe; File created C:\Users\Admin\AppData\Local\Temp\7zOCDCF0118\Read Me First.txt:Zone.Identifier 7zFM.exe; File created C:\Users\Admin\AppData\Local\Temp\7zOCDC88049\Read Me First.txt:Zone.Identifier 7zFM.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe7zFM.exeChrome.exepid process 5108 msedge.exe 5108 msedge.exe 3856 msedge.exe 3856 msedge.exe 3732 identity_helper.exe 3732 identity_helper.exe 864 msedge.exe 864 msedge.exe 2288 msedge.exe 2288 msedge.exe 3292 7zFM.exe 3292 7zFM.exe 3292 7zFM.exe 3292 7zFM.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 3292 7zFM.exe 3292 7zFM.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 3292 7zFM.exe 3292 7zFM.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe 2828 Chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
OpenWith.exe, 7zFM.exe, Chrome.exe — pid / process: 3344 OpenWith.exe; 3292 7zFM.exe; 2828 Chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
msedge.exepid process 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
7zFM.exe, Chrome.exe, Chrome.exe, AUDIODG.EXE, taskmgr.exe — description / pid / process: Token: SeRestorePrivilege 3292 7zFM.exe; Token: 35 3292 7zFM.exe; Token: SeSecurityPrivilege 3292 7zFM.exe; Token: SeDebugPrivilege 3344 Chrome.exe; Token: SeDebugPrivilege 2828 Chrome.exe; Token: SeSecurityPrivilege 3292 7zFM.exe; Token: SeSecurityPrivilege 3292 7zFM.exe; Token: 33 4120 AUDIODG.EXE; Token: SeIncBasePriorityPrivilege 4120 AUDIODG.EXE; Token: SeDebugPrivilege 5124 taskmgr.exe; Token: SeSystemProfilePrivilege 5124 taskmgr.exe; Token: SeCreateGlobalPrivilege 5124 taskmgr.exe; Token: SeSecurityPrivilege 3292 7zFM.exe; Token: SeSecurityPrivilege 3292 7zFM.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe7zFM.exetaskmgr.exepid process 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3292 7zFM.exe 3292 7zFM.exe 3292 7zFM.exe 3292 7zFM.exe 3292 7zFM.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exetaskmgr.exepid process 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 3856 msedge.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe 5124 taskmgr.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
OpenWith.exeSetup.exeSetup.exepid process 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 3344 OpenWith.exe 4908 Setup.exe 1356 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3856 wrote to memory of 1484 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 1484 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 
2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 2888 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 5108 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 5108 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe PID 3856 wrote to memory of 4616 3856 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1242406758660706324/1242406880156979241/Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar?ex=664db913&is=664c6793&hm=4510031d315419267588364e6f80577ac03d5e399ab0f5d46ac5b46eb82031ea&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd82⤵PID:1484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:22⤵PID:2888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5108 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:82⤵PID:4616
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:4816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:3216
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:12⤵PID:408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:864 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:12⤵PID:1448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵PID:1180
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵PID:4892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵PID:1588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:12⤵PID:1164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:2420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵PID:4372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:12⤵PID:1804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3916 /prefetch:82⤵PID:4696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵PID:5388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵PID:5612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12046753880658631526,1112989457431520678,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3360 /prefetch:22⤵PID:5208
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:460
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3940
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4588
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3344
-
C:\Program Files\7-Zip\7zFM.exe — "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar" 1⤵
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3292 -
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe — "C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe" 2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\Setup.exe — "C:\Users\Admin\AppData\Local\Temp\Setup.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\Chrome.exe — "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\Chrome.exe — C:\Users\Admin\AppData\Local\Temp\Chrome.exe 4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2828 -
C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp" 5⤵
- Creates scheduled task(s)
PID:4764 -
C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD90B.tmp" 5⤵
- Creates scheduled task(s)
PID:3816 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDCF0118\Read Me First.txt2⤵PID:2440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC49JF8aoemdNMuQGpWAFW9lX2⤵PID:3572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd83⤵PID:1980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/playlist?list=PLkoNiUTDHC4_dakaSc7ePa5epYLx35DcV2⤵PID:5700
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad2853cb8,0x7ffad2853cc8,0x7ffad2853cd83⤵PID:5676
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCDC88049\Read Me First.txt2⤵PID:1932
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:5476
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:5712
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵PID:5744
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5124
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5044
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Replay Monitor
Downloads
-
C:\Program Files (x86)\Parrot Security\Revenge-RAT\Icons\Microsoft.ico
Filesize 361KB
MD5 d3d3531d4bf5be053c2e5a970003f34f
SHA1 8c589076c17c2fbe09e34e67a8af3adee93cc8f4
SHA256 d10f94716288e2a22e4dd61e6167f953dc096783da87ec2352b396229a54570b
SHA512 50c4b0850fc575fe974cbcec4d394fac351a6a1091ecd1bcc4f18e7220c08b42e6c191e6376f5cd518e86f599f691db795df0ea772d0f133191f1689af37d933
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5de47c3995ae35661b0c60c1f1d30f0ab
SHA16634569b803dc681dc068de3a3794053fa68c0ca
SHA2564d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
SHA512852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5704d4cabea796e63d81497ab24b05379
SHA1b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA2563db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA5120f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
20KB
MD5f218c31d967d7d050e360b26b39df4c3
SHA13a03e2ae75080ef0755bf1a1131640e3ed773d1d
SHA256791410a89899725c497f590cb9138f238713dcf1b318340c18cf0682d52b63aa
SHA512f97d6fa798fbfa27b3578777d938c327a0b1ea1379c4e0d50d640e4682fdd88dc210d30432320140d5ebdfb6ef721f0b844801a81305c877cba1d3e05d0097c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD59411b250f223d16c182dc4a376e33bf0
SHA1a77942ce56fcbc9163b920957810ac2a33f1d955
SHA256939886c730f0f504c45523df3229017d56e19e03214335bc53df20d8dbba1fc5
SHA512aa98bdd4cf31da97d41ae7a679aa3483602526de9532da191e42d612a924ed90701b548fe4b3daaec210bc76c92bb29a2c52d22a8352b5cdb5507a911218a4a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD57df76d2bb828b9ea31945228432516ef
SHA1af8ca0eaee0d0d31f7096449e21de9520cef514f
SHA2563b930fce1cf167625df921f126fd8d20bc6536ede79040edc4e655be1f9e94ec
SHA51202640013f5df5ebd066eb1b8ba1bbe25607d3373468c319dcb5d473e81621fcd1b09eca9ec78a8b00d71312dfb7b42e2d65eb73f9b146bb9b9d89e367544494a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD538982ee789f62a40a5ec58e99176ae32
SHA160527d9b2cd26068adeac20060084a420735e1ce
SHA256433469f0053d4baef9450324d623e72171c122259b888a2eedbc15210bbaf995
SHA5125401b5caa84bd5cf3709a891ce8bfa083fd55bb4d0033dd6e3de5b8879903a35d0e678189ba2ac4dbf843efb695919c05668d8b1a7bf47be09feccbdefd100bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD50badbdf390984f72784a5c5f677b32d1
SHA1c928241b9937cd42aadd4e8a2858612c28daff14
SHA2567f5e15ec740c3152128d849a837fce24a4366858e2f621e19546d0ca5aaa3e6f
SHA51246d11c5c9338f5a90c919f2fe9d927997bc54186f080c27bec052213566e38614e4646186e624f28022e256d5702e32704bf7264541e552aea3cb1eae85acda1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e6500157a3f9a7d821b4402604aed109
SHA128cdb8ceb86a2fcfe8d5748419bd7b0d32fe98de
SHA256c4dba5a3ef312273e718f1835b7384ac369143505094b28c159032604af58ec3
SHA512f06f9e632a1731629c9e28e7c64b7819f987ee562ac6f744dfa904df8be0061ff830198e1792c886ef28770a6c0edf1590400fc9a605e2395b7c630a4b2fef3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5db27bd6028d7696ec420d33836dfdf58
SHA1d31663dd8e50ef3053ba172eda42b834b12d906b
SHA25616d80307b921ed21d8ee36c6f1f059e9d8a721b46dae3a6bd93cb4b0029f5cc6
SHA5127e1f597b1a9cea798967432d9705d6947c0175b4f44210dae99c7f06ee4098be3ed7cb09525a3390df39ca0c318ed823dffd8dc10246d1d4c807eca7d32731fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5488b3284dfa8eabecbb0c9a0d6d59873
SHA16cbf6f8b46e6226a732996fba19e66c8b652722e
SHA256ffa93036c5444968f47ad347670938c8c728187651814de0843cb4e76be77dde
SHA512e7d355fd099c5d3c21edbf126f9f0717ff2a8a396de80c76e3b1a43b7a78205c90c669c3615bf90c4ada2bc7ca47e89e621c0db818e3c2363a648c570257bec4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5514c0fd8cf694507977123a809649d8f
SHA1e5bcdb70fe63ff4c14654e4a7bfef60f6a99bc0b
SHA2564a0660f987cf95577cba967e44a9fff7452f6695edcfaafbf2cfa9a307ce8aba
SHA51250e0c17e3d4f7b2d0d04d9e63557eda28a7fa3582303297f770f9ee212ad02d4d9eb9d3298636a6d7bab20db0e8896c080b35f565f4a9951a1a24d18dc2322dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD50ec579bf5b3b56dcfed54f29641f9389
SHA1dec139957298f88c8f36b3ebb79b2804e6afb026
SHA256cc813b94ed37225f6797bf16d92c370d653299cf7579f928b144dba116ec1655
SHA5126eb551d05dc2143b4e814e23aad0f50903e9a86cffbbfb61d7ef1bf598add597c9514ad907b0309b0cb35a3199a59c1595f3c892ebc5bcb534a441af1ab48dd9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f35ed56-4f15-478b-8cb8-bfc3d4462998\index-dir\the-real-indexFilesize
2KB
MD5030f23317c9d1e243d7d573c2c3d21de
SHA101b87dd6b8765f8d9048be569023a50c52ce782b
SHA256f831ca4ed20985102ce08ab70f4a1bb712cc6457f5aeab84c1e5af699e66904d
SHA512fc3be46cfe086bf8dd1a4c46fe69cd68726c045f55deb194a85c48113f15ad3d9d65c207684b76172027887cc5792d58f9e2948fc9df6aaaf84047596f12f9dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0f35ed56-4f15-478b-8cb8-bfc3d4462998\index-dir\the-real-index~RFe589054.TMPFilesize
48B
MD5ec1c289fd38ffbe8835cc9ed910d9c3d
SHA10db7d01a881d3d0e758aabbea93086b2e268da3a
SHA256b662e286bdbba5d32e402eadaab3655ae49045699054d2feba3ced6e3494e101
SHA5122c8fc81661eb7cf83da3c6a48d79517adfd7d72b8f8646d15ac5f6c64634b3ed7d1d078472f644ad6f74711dd80d5ad54c1b24037a07074275ee0752f822d790
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6cce51a5-7736-47df-9203-d4c97ada9f68\indexFilesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7b19a31-e1d3-4091-b020-4bbd466b01b1\index-dir\the-real-indexFilesize
624B
MD556f15920acbff1e8b2b7706fbd85f78f
SHA17b348057fcc634a4d724d59c3c6b8ecf5ad238d4
SHA25662417120170c2ff40aa93de3201d3d4e37691b6d8631056fd15f355f9cd7c072
SHA5128ad3ecf1102a0e77fbacc647a0390d939692a05257e1feac798c1c390e164ac39e25e2db33d2623bbb567f15177de62a41324db84b9a796f89f7b2b13db386ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7b19a31-e1d3-4091-b020-4bbd466b01b1\index-dir\the-real-index~RFe58946b.TMPFilesize
48B
MD59460ca4446be8c11985ea636eb1dfd85
SHA13d343d0564033e1f22df863f67256ca5b7058657
SHA256f233c07f02782773f831e0b5d83ae90fb36c21053b943f002b8676919fdaf503
SHA512afc84204a5b5f30baa2a506d8b2f41e8588181461eb72f3239d536ca5779a9b91225ff966e9ff61878b18efff7737a4f36e5ec6ea72564febac1c1343be2b423
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
89B
MD5310bac87624e8b73add36b6d1218831f
SHA12099e9e9439e6dfb5f366e07f35df2413b2f2131
SHA256b87c4eb0c95fba0a6ca6b31fa9f7b1d1fe405f930fc5fb1a66f3286b7dd92e4d
SHA512aa3e64a8514d187872fbf4bb4f7a23d266ada3c668ca02e7b684aa5248dd16ca2424da2f290b40eb01b275383d1b767e337a5e85a6c88f63797882941a11febc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
146B
MD590e3a0a92ff266c9b17663105d9ba533
SHA1778d1c7aae5d2ca12a39f21b90d18525e6bb4458
SHA2560bfa17eb88a2c8fc0b2109b1c136d48d4ce96bd20fb69e7b3b4666af56275c8c
SHA5129c274efdddfc4d4f5fb2db9091f7a0b2c70cafb468b182ca66de079ff8fa74654597a43565ded1740bba1db59640e2509dc8c4b809b88c03be7bcb91a8d91b51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
155B
MD5f85f68a740799bb478e63ccee14317fd
SHA1b19299246815cc2e375d6e0030b6532b7d5f9345
SHA256e6cc979eedc74ab15dde63635a239002868b53c1b03535b9bc955beb70b617ab
SHA5126a17ea8d82c18f7c16c7455a805668dc9c8825f34a00e6f079f11643730172ee2496503290d5470da2283e50fc2384c7b25e5eae8f6e81fa9ac883ca63267c69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
217B
MD5f03bb0a4d38530c7cbdecac3f2ee3881
SHA106d8028f83d2e4cf94c502c096d112edb107d005
SHA2567b55e4e75149570fedcbefa25ce076ae2bca78be01bf3b9b9fc372960c32f26c
SHA51256832d628ed5fcf8fd43d7446d265e8005b25c2fcce98ea291e1ce7986baaafda18cbd1109a9038c3ad0c188c6b565360f97459c1f04654324de5af9609541ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
82B
MD5da8c19963909b2033155e31faa9dfc46
SHA14067cd4dba98ebd4cc061c3e3dab932605802fb7
SHA25667fd0a27cd84845279b554c2f90eaa7989a55239cc3ca5ad547bb8f032df07b6
SHA51295d6dbbe18dc44048c13b6721af48e3fa2b57d588ed30cd4a4d2eaffc4f42f30dc5cef7a80f3d6f62eb3c8e421cfeafddd8df5de3297c58073880c7acd076fe2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txtFilesize
153B
MD52d83869a833ce5493bc8937632476d82
SHA1636959975af3a887196cc6437a7cc293dc78aa53
SHA25661c661f3616e3cd51cf2932e6ce5a640c24b210b34fe2fbd79a092e4a5a4bd45
SHA512a4a6395cbcabdc2af3a16a15470ebc80ce2cf9dac5e98cea8fc19b4ac93f8e73cb4e5cdc64165bd64d180aace37c896c06cfc7d59733de2f1a14a014a709c90b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
96B
MD5c3c7ef0c192d8ec7433e54bf3245c981
SHA1c1340b48e95b28edd1374ab887fd892443424e20
SHA256808685b53969e5a476098afdd91643e050125a3e6c4d66dce72d2648b3f48f77
SHA512485f13fde8553b26347be5b223f37a688d71e640c29879c8c448843baac393dc406072f8671ea3dccaeee6470b7d00d75f167c695fe1fbae8542a695674da802
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588bd0.TMPFilesize
48B
MD5c0b6b248918a80ea036a9a1e16cb1b8b
SHA1066fbc4e385ab0ba6b3850e611102f31c65ec3bb
SHA256fa0e1f89f8c8da9a471518bb0add02d65966f7e4ed74676e00ee4410171a2336
SHA512842e540c5d622a5ed35dd6623e91aab7494dcf7af7e0263d115da8207685051ab3fac5aedd7c09ae6f4c8fcbba6a62df0055c66af6df0911afafd0921a1ad486
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
702B
MD5ce644380d0d05350787f27a42f0e2405
SHA13784bc67d8f1e75902e4c368c2c70f7ec2bc2ce9
SHA256f8ef899e9518c730d79d9a13e918c79a964662d1015c04030ea1e27aee01be88
SHA512d51b9273dfc90783ffe0aa569817df6372cfaca51377a8dab464ff83681b26a220315f100c6711d303ec9daef494a2559a72658cefb351e8ea34c566a59ae489
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593c73.TMPFilesize
702B
MD54ab303f86f583ab5e784d0f50b6d06a3
SHA1c283132c0bcdb38ea91461821758e969e24bd1fb
SHA256218d68d4f4bfb673339e3c61444e95a4b7a99b9d88620575717c8af25a457ebc
SHA51283b97a09ee6902018396d83a2896c579d99a17bbbcc4e72774acd60f930be12e78636f165c1858be9c56eb66bc08167052025ae86d8ac7d87b3eb60a3ed99378
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52ab09f3e9a036bf74b36554050ddb177
SHA192875c5a3b58f236705930cb26c8ff694ef2bb1e
SHA2567b0048ec2a499aa06f286a68d7c9a17ce22c37152cdbccd5256021920f515238
SHA5121df55622d66fd55be2bccd56c4260f0900e4853de275c65e884d951275135a40d946ce915d6c6efd093b126d153691139305097226f4955d1395bae4f6061de3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51f27e061f4cc34e56b3215c97104542d
SHA17313b14acdf3e2e32590224a458b0ecbbe3fb2ee
SHA2566ae6071979517752c4a64cb4bf981b0cc561dd3b636cc12f1d785a34ce645f9b
SHA51221b80e62c160d6f968e6e0ccd36eea60b71e1d35c9c8f61472bce78e363abc0b10ed90d848d53a1110dfea5d0cfc628dbd78148d8dd0e72f77487782a88ae213
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5a158f1e69b1f13d5e0fe18d8d04193e4
SHA1b26f2ea215ce014f1be7d0d66f3b1c0643776355
SHA256312afc87f0232191b93feac3a870f4050bdc66dd91bf2e86d920f46cfb9e215c
SHA512b6c4d87f3ab1fc0ef37282899e8d93d9594dc2683ea93bd61b418b69c8f436d91065fd4ab5d41c676f29a7b60b9616ecfc6dca05cf17fc1fecc7322846761db9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD585f82d84ca844465aa9cb0b461bc438f
SHA1bd035d967ce36459e153b0a68b36469c8062c978
SHA256954b56bb99f9963dc1a28bbc05a2c1c47cf0e3dc8886ac86c219bc4697ed952f
SHA5123ef7c54c2e07eda7a34a17564dfbc22b22ea4f561984a9ddeca9f31976b38f55d7a3fe0eaa481f87227bb142fa9c10b946323affb1d6516679acd39e8e9509d5
-
C:\Users\Admin\AppData\Local\Temp\7zOCDC58538\How To Setup a Rat.urlFilesize
96B
MD58d61646db59cc7460b40bc79001a40a1
SHA1e43cdfb3d27a0cb4b4532053c27810abf06d415e
SHA256c5d1bc7427609e082195ad8db57c9b35b274e3df63a92d78917334425730d1e7
SHA5129eef7dcaa96a52d52caff6b9709f8377437ff201e976761eec8c35669f946ef111d7da9528c8f253f469969513e4ec5e6a5d0b861665254a6564f8c2d85d9f99
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe
Filesize 5.4MB
MD5 40051c0c72c3a595c043a36176790982
SHA1 fe80449ab8e54b170b3edd87b3a0e4bc42a3455d
SHA256 8c3e4bad225ee870b94204e46767d2e7de83644bdfa8293612136be34bf9ed7e
SHA512 52a7762dbbe6c87e72dba30f13fc5ab4d71be0a5bdd5b37637dca50cdc2d494143ec2c0f84df9bf58f316775c26ac3c06bb1fb081a3491a14a9526c56207beef
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCAECD7\Setup.exe:Zone.IdentifierFilesize
260B
MD5601c6105b363c6c102b4b1de135220fb
SHA1160e2536c311cf88c610d38a88376a0f261ea3ea
SHA256fb30db3640425050b433c76111278fe4a9de2033bfddf180833a6e1e24a11987
SHA5128f98f57c296b60343761c7d0dd5dc3068458588da513248afed8bc0f83f158b4feca0e8b7cbf8f4fa179dbdd014b5642625190a9242bdd1bc460fc1ab70bc044
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCEE339\How To Open Port All Tutorial.urlFilesize
96B
MD5e6e103fb45cbe55836826bc3410efcc0
SHA1ff589e9f655d3368571562711b954f301615d457
SHA25699e7a2772fa7b583be865188c49e15d8294569d820bb29be95cee538a6a5f494
SHA512d41fa5eb682f9c2a1eddcac0a79cdda9f7228b9080c843ce5e7aa1ef027f8c773733faa471e44ca76a37e405d5488c29f34e1785f149115bd65f01fb3b52acb7
-
C:\Users\Admin\AppData\Local\Temp\7zOCDCF0118\Read Me First.txtFilesize
2KB
MD5c57dc84dd685fd4aeb3232e207fa5309
SHA1e12167393b0ec3245a5089bccf172841fcf22964
SHA256b8214c2073adf389495794253843b64d594d6b579f03ad7bfa824a50b2b35773
SHA512cbb2ebe5e0b90ced99f879a14d94ff5a9805e0f0727f6d57633fddca4ec942cea56c90c6f5ffd8ae4b83bdda9e486b79eb61c952a20dcb8eb1a13059bee4c0a9
-
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
Filesize 711KB
MD5 ec4bf11a6689c525a9c02342919b81d2
SHA1 3e762f4bcfe9325548b50349bdc270bdd8a111f3
SHA256 4480ba3f495510f75d218068c22164d98d275199ccdaf6e0f5b53cf355b8be80
SHA512 c23360725bb6dcbe23106f5206a8e1e97366e6ef4baea5c81fe7d0c50916ae7e19cc85a4b9545c7c723aef9fee5ff0e845700a7ee3626530da1a0739df5b716c
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize 5.1MB
MD5 793becaa5c12f7e53866099e3eb47c67
SHA1 3400571dd489e51b20a7ec94fd33b697582325c4
SHA256 cd7f39bc287566d487326c2d031f37795efcc15a51d9441a1c02464e99324ad0
SHA512 175b3ba6ada54b85b0505d64f034970a36941a6395bb9e15cf9555277a8aa0297182028fbbd31f5f0d545cb38231b6c8510c6fd1867f3cdedc6a8f9931b301ff
-
C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp
Filesize 1KB
MD5 57ef41cc35a47d5ff922ec5a0d06aaa7
SHA1 0ae2172ca0e2578109243328ee57a68190252578
SHA256 ba13669de506ecfb43f5dc2b2acb6f392ad3d7daf9c9ad1c56359c6405de3a07
SHA512 58bdff3f27838934400b3bc21e69d8c2dfdcb0d5afc9ef5f4b0b5da83df603952abd6e804c3abcd50657f1c91dabc647d999f3d24b0b73990e3bd3abffddfa47
-
C:\Users\Admin\AppData\Local\Temp\tmpD90B.tmp
Filesize 1KB
MD5 a4f6fa4537e2dcf0d3e2802c0f070a4d
SHA1 03545095bfeddd7656b5b8547ab84a810324a94f
SHA256 192ac26e1895b267149bde35c55327f4a441693495239da5899062924d45bd11
SHA512 a4293123d718b0511a8301a7f536e403cecf8bc89f25f9dc4692b293eb8a554a8eb67993a26fe0e96792b6eb3573b34e9b270777cafe95c2383268da6d40fd2e
-
C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar
Filesize 5.4MB
MD5 c560d5f45ad5afdebefef38744c86116
SHA1 e957552ab4b41ecb26a7b515bcf9922063421308
SHA256 87ce5afc546db895cf1e8dab630d6a6ad2583d38073101c19f4a8725f040d777
SHA512 6c26362742eca5ca9b8f993ff84e93003d0a50d8d872b204f840e3a8e7c1bac68696a27b955bb87e8de3eb335fff44a65dc303da0f74d69c58d16b595e9764a7
-
C:\Users\Admin\Downloads\Revenge-RAT_v.0.2_Complete_Setup_By_Shozab_Haxor.rar:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_3856_PPTJFHFGRJGHVVYK
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1356-315-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/2828-139-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/5124-760-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-752-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-751-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-750-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-762-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-761-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-759-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-756-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-757-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB
-
memory/5124-758-0x0000029B26050000-0x0000029B26051000-memory.dmpFilesize
4KB