modiloader | hxxps://github[.]com/topics/risepro

Analysis

max time kernel
213s
max time network
422s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
07-07-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/topics/risepro

Score

10^/10

modiloader revengerat evasion macro macro_on_action persistence privilege_escalation rezer0 stealer trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral3/files/0x000600000002ab2c-1246.dat	modiloader_stage1
behavioral3/memory/3380-1278-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral3/memory/4516-2606-0x0000000005C80000-0x0000000005CA8000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral3/files/0x000100000002ab4b-2218.dat	revengerat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1972	netsh.exe

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral3/files/0x000100000002ab2e-1131.dat	office_macro_on_action

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA	NJRat.exe

Executes dropped EXE 1 IoCs

pid	Process
3920	NJRat.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
46	raw.githubusercontent.com
71	0.tcp.ngrok.io
3	raw.githubusercontent.com
3	0.tcp.ngrok.io
5	raw.githubusercontent.com
5	camo.githubusercontent.com
28	raw.githubusercontent.com
3	drive.google.com
54	drive.google.com
91	0.tcp.ngrok.io

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1300643590-245460719-3687711119-1000\{F233D8AF-FE92-4674-8735-1BAB21FA5E76}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5160	reg.exe
6592	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NetWire.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire (1).doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BlackMart.apk:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 5724.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5964	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
7088	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4844	WINWORD.EXE
4844	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	msedge.exe
2916	msedge.exe
2564	msedge.exe
2564	msedge.exe
4628	identity_helper.exe
4628	identity_helper.exe
400	msedge.exe
400	msedge.exe
3408	msedge.exe
3408	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
2632	msedge.exe
4380	msedge.exe
4380	msedge.exe
4180	msedge.exe
4180	msedge.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe
3920	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	NJRat.exe
Token: 33	3920	NJRat.exe
Token: SeIncBasePriorityPrivilege	3920	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4844	WINWORD.EXE
4844	WINWORD.EXE
4844	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1548	2564	msedge.exe	80
PID 2564 wrote to memory of 1548	2564	msedge.exe	80
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 3976	2564	msedge.exe	81
PID 2564 wrote to memory of 2916	2564	msedge.exe	82
PID 2564 wrote to memory of 2916	2564	msedge.exe	82
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83
PID 2564 wrote to memory of 1940	2564	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/topics/risepro
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffff7b73cb8,0x7ffff7b73cc8,0x7ffff7b73cd8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6652 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\NetWire.doc" /o ""
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:1020
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  PID:3380
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    PID:2592
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:7128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:5140
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  PID:5376
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    PID:3944
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:5964
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      PID:6164
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:6200
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:6592
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:6540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7668 /prefetch:8
  2⤵
  PID:6628
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  PID:6768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:6936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:6968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4uzdbhkp.cmdline"
      4⤵
      PID:5752
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B69514F75449BB95DF25F016F7E09D.TMP"
        5⤵
        
        PID:5956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adfzc1oz.cmdline"
      4⤵
      PID:6112
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CED85004F94863A0E119B073DD4413.TMP"
        5⤵
        
        PID:4532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brvl3psr.cmdline"
      4⤵
      PID:5512
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc31984B52D5449D0B63F4B7C519A410.TMP"
        5⤵
        
        PID:6048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\th81ml2n.cmdline"
      4⤵
      PID:5128
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B21BA3E944E4804926F3B7C8EF7F5DC.TMP"
        5⤵
        
        PID:6096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvz3x9dj.cmdline"
      4⤵
      PID:5704
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5D973F0A3EE54BB188A22C4B7E321EB0.TMP"
        5⤵
        
        PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klf5pqyl.cmdline"
      4⤵
      PID:6196
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5E8E6FF37E4F65B56C221867B0272.TMP"
        5⤵
        
        PID:6388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bfnvnrxs.cmdline"
      4⤵
      PID:2500
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E7C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE8044F5BA8D4A60B91256D94CEC1F46.TMP"
        5⤵
        
        PID:5708
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fc3vuf-u.cmdline"
      4⤵
      PID:6604
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A95C6C69D334EE6A2FC8F764D1B4EB0.TMP"
        5⤵
        
        PID:4968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tcu5r2js.cmdline"
      4⤵
      PID:6688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C417D4FC71C441992D0D4A5C2ECB326.TMP"
        5⤵
        
        PID:400
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\akqdzkvj.cmdline"
      4⤵
      PID:6628
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4B3165571B24307BB3255A921B1F37.TMP"
        5⤵
        
        PID:7072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rexc5bsa.cmdline"
      4⤵
      PID:7116
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB761.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEEC469EEC9A345E8BB016A34490B38F.TMP"
        5⤵
        
        PID:1584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uomcxycn.cmdline"
      4⤵
      PID:3340
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5446F1266F0A40519F803314C6B41BA3.TMP"
        5⤵
        
        PID:6172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lfinwnnm.cmdline"
      4⤵
      PID:2132
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC413.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14B37E081DC142CC98334B541713BD8B.TMP"
        5⤵
        
        PID:6404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zad9h0wy.cmdline"
      4⤵
      PID:6536
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6BF7C04A70D4B429CD1B08D92AD50CA.TMP"
        5⤵
        
        PID:6084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zopp7evw.cmdline"
      4⤵
      PID:2704
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc469BB061A5414C7AB12E34F4426B49B2.TMP"
        5⤵
        
        PID:3348
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mgiz3xd4.cmdline"
      4⤵
      PID:3748
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD578.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7EF388C2E2343A38B9C58BD4A10713.TMP"
        5⤵
        
        PID:748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuoa2hwv.cmdline"
      4⤵
      PID:4628
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89A1B1AF204418BA34713B0B8CDB9AA.TMP"
        5⤵
        
        PID:2872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fet6w7zb.cmdline"
      4⤵
      PID:5484
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28EBB74C63DF4F0E8F7450C611A82078.TMP"
        5⤵
        
        PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m2bjnda3.cmdline"
      4⤵
      PID:6016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE372.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C5AAEA6E8B743808193509A6EF7457E.TMP"
        5⤵
        
        PID:5176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7mi0pb9b.cmdline"
      4⤵
      PID:4032
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE864.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3585B0EC6165405CBA9D617F7A2F98B.TMP"
        5⤵
        
        PID:2604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k1yotekt.cmdline"
      4⤵
      PID:4076
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC602CCC6EA84D7B96ACDFE83B723BC.TMP"
        5⤵
        
        PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:3692
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  PID:196
- - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
    "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    3⤵
    PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  PID:6224
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA976.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:7088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:6160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8144 /prefetch:8
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7212 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,13432004678236121668,15279331557685859329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:8180
- C:\Users\Admin\Downloads\Nople.exe
  "C:\Users\Admin\Downloads\Nople.exe"
  2⤵
  PID:5884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E0
1⤵
PID:6284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4af3ab7cb0460a8ca1bc42c663f441ea

SHA1
47603056b2829b869fbab04884da29544077fc3e

SHA256
e4c2390de67f4be3f7a84f4ef879a25c15c68c62a226ab9c9007c03597184369

SHA512
9c4cb6eee3f90f4cf46c0544d371cbe3b93a092f0057963e54bdbc6c6e584564aa4e3e8cc0085360ac7661a18c929c37cdabaa35035d925fc23446dba609323a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f9e5616c068d89c288975cccf486ba9

SHA1
049ff88576a2a7c47740819b750a2f8edfa0d0b7

SHA256
680a4ebe591a39c80dc406530a6e51aa0bdee8ab91b8d326f90616435b595e26

SHA512
98147f31a4d6372e73970295464c8943709632e78b15f581436f30d63f9cbdcbaaf9c80e2cce366f95709f52c7bb2283770de686dac7d1c0b7e2cb704b7a0383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\89c15674-2fb1-4941-9fa3-dbf3fb7a5c7a.tmp

Filesize
579B

MD5
26aa153f9bdcc4f3ea5c36c066b8f2d9

SHA1
de8ad805fbb2ee1c6387b9aaa883fea656576e25

SHA256
6b891e42a617f6456aafb8808a371ce171907bd9037128c151b9f0b731496152

SHA512
313d24f55d9451d18c96ed71d02c58c1a181c942a4502f87f9eb10eddbc4e2616cc323e070f880c5bc03fffa584e3d8b5645e1c676f801bc64c43237829a9e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
628ba8d31375849e0943894669cd033c

SHA1
4fa6d50a37fa2dadec892474d3e713ef9de2d8a1

SHA256
80e3440c312f921afe33a7d4a3d11d1d2dc7162f8f50b748b796f424441d10d6

SHA512
d4406493dc8767c479460f3039b038866549feebf392280384da08adbcad2e871720d046220cb67ebe3ab75c14e06a31df2fa7c0f2c17f91eda26ba0a709d27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
f31a1ab9f483d9db21349522e39dd16e

SHA1
01a275d7fc1c4f578fa506c8e0bf9b7787dd4806

SHA256
463800c9ec072ae72a4f6fdc1f2f779c792cb7ceb6f57c7d1231eabefad2bd9d

SHA512
cab9bf13c36b854bef939e1d09c8d896caf1d7c20f6948f70f27eaf2869e49c8b9be728b4c95926ba869a987516a79d3193d416b0582b7570a58269c8caa7603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
37KB

MD5
669b1563b95fce26d9ddc3c7e9bdc538

SHA1
275e4ae2606a0da908003b77ea06b24ea8b66214

SHA256
d46765072d87d9892a0f6f8f9849eafe0abecee9d662e99f8b45d8c5b22ac667

SHA512
09e066f5a1974927b2cb607a8b953f2732928c7347f65cdfcdb573170840562de6eae091a61108827b3ae0799c16bfbd41d858ee1a8bc57d9bb1fac814438302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
21KB

MD5
8680ad8cc782b74ee7a15f0a042c76f1

SHA1
ec430c456dedd9a2360703a826491fcd69f6dd8b

SHA256
af745264049ea73c66c1dc7783e59fcfe94c0506337867380ae638e694cfe5e7

SHA512
7869afe9f737bc31a9c33b03014f4d5239cc48a798deabc0fdc835fd6736a99b17d181e57866ac960bbdb0d1e3e8610cf97bb01762435d8808ca56f1e74dc2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
640KB

MD5
356cb9b4e482ba6b9b8db024652a169a

SHA1
08244a901f3868ae1b50b7bc25a52bfc1f2c80fe

SHA256
c5d7d0d073b2ff0b78afb83e4ad9bf0023868e3e94d8effa9ecb76119e17bff3

SHA512
3ad75efc156e0299e9a438a3740a767e5b7cd94fe248952757d3d64bf9d4e195d3433c356d30d2635757fe5d7082aba058437e0c52a3cd92a94b9d93f01bc187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4bc27d4c4b2ea85207e3db6c5d7b23fb

SHA1
de3829e288dbae52438c2504a2dddeaaaa124c75

SHA256
c89336f304cb76098dc9ff9370a5d1d1f2e20c3d75c39b19e5d04d001511361c

SHA512
26614f9bed61981ca69b6c841445140f370182b8b6ca640fec3d1b47996d8f0cc26a3d69b6ad3eb57d4f988394e55899420be2619d25f89228b8b0f89cc9ca64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2e7596dbc3dc0c4680688fa7a547aa0b

SHA1
3235892e0d599ed8be97028e9f88363d5a43ccce

SHA256
0e5010e5c3863e3729581a756e516cb0e2d04d97e5e94d13eab3c436f69197a4

SHA512
43bf2970d268591bb027b69a0e3a6e631cfc7165f2f832a5cfaf9dc6b7b68d843bb783591c50fa066d44a23f675ac31701e3fce3fc71dda4d72b343b27821172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6b515ca7dcc4a1c9cce122430b78ffd6

SHA1
39e8c0e53d928075d372e64d60dfc17f1d3a187c

SHA256
b30ae3835a070ac08ff50288ecce994f26df66b3014cf080ec745d0a8e36e856

SHA512
d83fad284209223fa6cddd19d533df7c65210f288ff259a63e09b22afbd4801b317bc015d901404d27e25dac0b21acf8113edc9fa01205a4e1432a6f7f5f6836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
082b05f4d9b8e2b0a73cc53421f1a6ff

SHA1
5bc0d7493ac9db951d784d80e014b48deaf7f51c

SHA256
fe50daaa6f0380438341ef0399d39358d3552991f4167e5cf09f60baa0cfad52

SHA512
41acebea0b94ec9df935b282bd34e66485e731473843a96b024cf0b0a15cd7b9a469c37331dc581de3ffeeab1f73c37ed5a7d4d16af1ffb75765922dcc78e944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53461b1222c90cac10a10d2b72434839

SHA1
27bccfc21649e3104795299f2627cdd619a68704

SHA256
08741feef671956f9631c54105d4f5506c52d901d6368078f2845449e1c83b78

SHA512
34a8d42be80380faf8abca3882197c9a386266f95269c2c70cfb1f85664d760f293e41788117dfbf7a7abd61a7be646fc15831240c125de65c25f3a2e9a5b54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e295da76b7b71fdffe7a741ae9448d2

SHA1
5bb00eb85d4ca7a46645f00c314caad8466c13e4

SHA256
d34e6ce04067483a9f970cdb21b7f70352810c7b3db3624380b411e64de5b253

SHA512
881f4a4d1da6c8b7a240bfb456d826fe34210bc4d53921929b47daa7e1510b54242ec52d6785cd2b5cd4a3a796e93d095215dfc508ce15bffff2330691a92112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1bbf6a55af8706e777204bc111f9339

SHA1
45a1155e7d028922b84383af08cf3e02a8241614

SHA256
1a36a27b8c619695d402e82db79494442b70d770c33111c1421033a14232cefb

SHA512
caf53e63b7a792d83d57d99fc4851772399cbf239cbef01015a14444af6693853ba58c0ba3684b3b1babbbb77019b4d551cadc5c2604d9e2061bd4d9ecee4b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d6e0292cc181e9cffc3df132069caf0

SHA1
fd24b03350a7b74d6fdc9dadf7d86890779c1a0f

SHA256
f2d6ef1ac0a86d63299b7facf2ff952bb57c75808ed41e9ac39ed6f13dd77e3d

SHA512
e5ff606bc1a93d331416e8cf2222138fca5673450d8fd8bcdb18492ba26c49f13817360d874fb5895261f1145695e74b9498c6836e442b90b26f850328284ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
553825a694ca93aea602a1e2d443e80e

SHA1
b93e304ebfe87ffaed4833fff363a7633dc3f72a

SHA256
cb1df76df5bb0ab7e390ca80a332a5a236eec39cf082427ca1f050c8590ed007

SHA512
64d32037b6efa856249c27f9446cf123c32863c711069254054504ed7687aef46b12f5ac01c17b85ec7eb209f98ea1c9796eec4ef22a55cc7500534851243287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6cb0d7a3ebe799801934400e76e2b2c

SHA1
7ae1e7ccc28b1659100667d29a7ad1aeeed98057

SHA256
3929ac9633c68a735a5200eeb548ac17c88bf25e94b24325e184d082e412a04e

SHA512
5710805afd30f6aebd6b0132f8300287f644436bc558e63c479c9bdb10e2bc68e3b6db652efc77d3f86d2717dc6e369a2cdf1c3c2389378f8f7f13eaf60ba69c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b127e7fb746545ca6b6da3535f7576c

SHA1
e5430cebacb9e1524fabda7de5523cf8606bc201

SHA256
c3125d324f9efcecdb26d770631cfe9edef3a199c56dfe6a33b8416d9528c940

SHA512
266280bc860c141140da4733dd9d97aaf3e12ad5904fbe4707b1ba8089517cc1a7b1450fe11e8a336fb3874e2c84dd6ba82e4e63ebde9334db34da358a9b3d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c74d175da29be4fdb2aaa98ccad8c4d7

SHA1
9840d5916c4d70e058fda20916f179fcb3f293da

SHA256
ab3437d52c7ec94d4b1da31f4bf7939e2c0fc953637fccaee55aa5557cc94511

SHA512
0905553672af8b716fe3d8ad8ac1f1a003501a4cbe7308f65bc522868fccd5f0018c6be81a0c46b0a4e00a817c518712d91ecd0fd2c7cd505672b867bc14307e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57125eb31e75120470f4a8fdeb16c0ee

SHA1
12a4667af19eaa98b20f7b4b2b2a45b45c8c0aa8

SHA256
9027d2267ce041d9085bb6aa65539d7695f448679cce701b182edbfe7c4c490c

SHA512
efe58b1ca6c9c29b35308b8656d8b4c7bd1c8540747512edeea7528403c985e28c780329e58b0bf155465290fc598cb76bced3d768d6918e1ee9034c4b46e888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2e9d25ffe41d35aafd7b363b30677c77

SHA1
90562de95d1e8fd9a5f43371f01fc3fd360bbddf

SHA256
c851af12add456e10b66404a44b07d73bd9356b6b54f3abc7309a2285417d2f6

SHA512
a6a750623344ad450623b17dcd57e51934c58d51dfbf7b992f51f2ae6ce8d78bf70a2ecd9a1873975e64073a71550350726645ce9c21f2a38144cb2f8049b0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05df0aa651050702fb97871a2248ced7

SHA1
84732a65b8e98f2925e175c86b94bb3f2f9b54ce

SHA256
a4b0578f95edcd70c495282130e8053d38f261fc10f5460c9acaa7043347e21a

SHA512
a7d5f12719357de869b3f427bd5b200c55d67004193583942648b55e13c3657bc8541d7e65a453b446e2bca4175120ce99b13dee67d7acca2b7cc06bd665550d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24074678f7147390bd9800f650091119

SHA1
17d501f6d3399c74f31ad4d0b4e86f4f0afc23df

SHA256
8c545cf3aa6237e1aa7857ed7ac65a86b87482ac7483f6b35b474c8ef6315ad1

SHA512
87255ce460bdff7a88dc001b1ffba5c9f16f208eb378002ee00ce19a0144cce04421ca6a780a30aab386020beee5218498a61d834cec650712ca9160835ceac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23370afbe2f7c227a3dc3adcc415964f

SHA1
ea55769cef5e1d4ec318b5855a8a0104e172783d

SHA256
f8d041989cbb911db411c23114b2d05986aa53f0a51d64e42602aff275760545

SHA512
88d6886cc1633bc58d337190f3c932ae0a966608bb49fb946727b585bfca453dece8ef8355c6dc3e466531db6cd5544babc27db65c5e4c6bfb905f6b801e1a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2df40176ec629fa4c973f0ff78c448f7

SHA1
351802672c300d26f0b5cba2aee39bd844561ebc

SHA256
05d72ec69c239198a129a9fe48837665fa8ad10bc6360d8681aad66a11085921

SHA512
4abe41e7e57cbc6636f8121572230d1bcfb7dfc22c9506afd0521d63c78b7093a11e9dd03c212c51675d5dd48b899a8e60d25a8f5851b7ca7e3c0c4360a9325a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5d4f3192f2704988f745afe1b7c51d6

SHA1
f44a7ce893fee6c6360a4dbfa48a3bbfc6b12314

SHA256
dacde68b45d52cb73a6659f564a0529ee565e8e43516afcc17fee5081faa38e6

SHA512
c1cbfb2a60a2d24d39381493eb33ea9e15d78e2c5124a268a5c894a13d1b4f1d7fefda861b37d78d8f438ab94ba0b2e05b7006036e104ff02e31595f98e54216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
62140ff94466fdfbecae9fa198cc36ed

SHA1
897515bc0910ab254525f49127131c2917cf6307

SHA256
5784dd0bc1a19a5c0fd2a6f141a69d5a54d63896f13f3cff08f76ee8b34da408

SHA512
c8a986774525ce54dd9e6affb340c9b0539803acc5e0312c2d4ac9e69964b874501739d7ac647413d32febfab4423e8b7da59d392e086472f207424292505e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
448cc097ab3a300699faacb82c20df7f

SHA1
98a14492dc6434ab79f1cc461bab93cc71d7f6d7

SHA256
b9cd6418cba0d3cc0b02087f74c424ee2da79d4e1bc803483bea3ad449c94b90

SHA512
66c03d3a9e408e06ca73d26e76a946e0381c9e441a046b8bd2f57cfb99c1013d68c9c49d8e2be67f9de3f7f57b456113fe0bf33542a5d28ccc0a82ac3ab1a842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bca6403b8311733b393f23ec2a8ea609

SHA1
f2a9f0a0eb283b62507615fdf4e309f02cf6e883

SHA256
deba249fc17ee45486dc6c4464498f485649649a8142a303bb72cc6d62225c1e

SHA512
6810edcbbe1fc79cb50b540b078958b2250b65c7cc1f16cd638f23e3e33b20181a776e51d88a65728f89a6220bacac6a25ff7b1976109c3c0753ae49c7805f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3b5f89513d2163ee21eb088b4e11d06

SHA1
565d58a68811adf3ba80e3f91d18f56239934ff9

SHA256
7ecf10f098b8061445ff461fce3cf1c97e727822cde29cb379ac7fb92f364a0c

SHA512
5632db5a9e2df6200c1481c9b1eacfaa9b93a0df1b796f0549ebfbde443f866058c5d3b79cf9f23bbce87492410841ffd771c632aa23590900a2c8085b1114e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83b0a9ef7895642b011b1270328c2b40

SHA1
b7e7ee8bf42f323f25eee6c4c14d31b217967670

SHA256
b3b2dbbecd4bf638656ae4bb23c6752131c36a6af2b04ec42f559258a78c8abf

SHA512
1b4ffc82a2b062e80a530aef06264ecef4779f46321c87ea563518b0beb7e506e1150b5f6b027779b955aadbf261896e6cca9d03c41d37efe3e4afea80c2428d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f7d8b1c1ba54f62c1c356a9f115e17f

SHA1
9698b7a42374c31e5742563c418b4d7e4bc02a3f

SHA256
2e0e4ccbdd794f19db87931830c69d09eecc878981cc362f2066e30d592414f0

SHA512
7a9a644b517906d519eaad1196e5807756f7146a0bcb0aaa76e4bb452a477a12e78ac578c321798391a6b2b862e6a2f42a232b9af15f89689acafe64ee0ffa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7ab87eea0340a7c71097f7b919c2608

SHA1
96a83c426876ba255c2757557be33df6ec511341

SHA256
14f4e21bf4077328888601f0e27ad74921864f76ab14083d3d72fa965457d586

SHA512
10c5e1d937b0883a2c8263d1fc3e9db456f5e6376b5b5fb503bfa6e33d36b16a4007fcade8edffb76226b93b64e5febe92a570e2ff35884188a3ced74990ade4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08ae540bd87e507eec51b868a2ed64cd

SHA1
8d9b6d6eb8d3b2bfaeb7174985ebf6c888e62970

SHA256
1eb429c85466634b5bfe50cac3a1952920fa61c1f804be6c171fa44a75be8a67

SHA512
613c6847237c0f595ad3dc3fe46092e580e0cf5e80327cdfa98591f7fb2573276165c9ba30a0687e5c265ffec4dacda3b6bcd63971ab458aed12157ad8217ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53d4ddb5c8bcd8a4c660d93c96c71c23

SHA1
e1a0a169493a65db82b268f4e88ba1168d8d4934

SHA256
63e8361d6090ae5f7fee432fcbac97f46e604d8b9030cf0b1ac5d1dbc9fbb5dc

SHA512
cb049e25e508f4927c7274ae761031399e61d9a85fc87be502d6288407f73f5794e156231cb499e24bc2498b0608ba2c69ba2ecb47731a5163ad31abe9657f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d016f29714e3f856bc96d8d982d55c34

SHA1
63e49fe5994bc29902a97104ba49674c95dc64bd

SHA256
4632eed85f8fb1e032f7fe6e423fc0d60cb695e54cab22c37aa8843084db4f8d

SHA512
ad515310a7733372232a50682143541aa4012a14406d9989fa0f2e568fe659f7ae938208a874ae3656e3c9c2a048241e8132e738c2e0a9c1975a36618f644a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
905d7d9b741c8e5d08efa3d1314a70f2

SHA1
d42dff5c9b20dac31e950ac583f763e6722adb1f

SHA256
271f74360a28059fe93770d495fb1f8af9707f0cf22b6790912af6189dbaff85

SHA512
33210e7e85f25815915553ebfe7d35b8baa2a01000fa66dcca61908bbd3c71d1e688445be3db98051699ac600c53a68b835fff0dafdbd5948bea88485db149f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ca2f223ae5f62646e45ad0a661e12a5

SHA1
bdb3a7a1665fa43b2cbdc0dcd3af150c7ed6c67a

SHA256
bbbb683dcfedf0a7a6539fcab945b250c8b678f48b6efd65d7db528895bc068b

SHA512
416aef6eb682a83dfaa69183230c6c8d7c0a644993cb12e42dddb49dacd3eb86d45e3ae1abd1d4a02972d99fcb9dad69a6641d229666bd40bc97bee57814385a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a0612959f44e78919c4694648ac1613

SHA1
75aa5d0660de0a156c9b7da272ba4d37c9090528

SHA256
263ffe204e230c34b1323ec8e8904ba54f87601cf8e102b64ebdf81357cd9e71

SHA512
76c4164e31f85ad1da8008de189ae1495041cb7d4291f8bfac259de6a29778962b1142465bbec3ef7d0097cbb2d9077cb829010385289b65028465c9e9a6eba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e9395ae782cc30a5747166aa5429ea0

SHA1
c9a9ce01aaaf59a1163f59dc158b3e137a25c11d

SHA256
d05691c6b2cf3a45f9a083945bfe78b8966cb6bac79e5e4462fe3d404d06355e

SHA512
2d6268ee0fcd58380cf2fdd1f8ce4f632234c04449079e96bc293f7ac2e36b592bf7430d2b4deee19789a31bcd5424376a55ba29e7e5395248e33e0502b901fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfdc2ceb681cebc29db53bb5e1b6cc7d

SHA1
221243dd9756f5b35a3526953a4e81eee36fbded

SHA256
6f72193c2e559f9f68c1cc152e9bd889ce01681051a37ede71708d0eeb719649

SHA512
1674c5dc94e367c2b303ae52fb051d0da75195d83927f36c3d7f7ee18da4aca75605fe4f1735bc2a38b0a3a3e89f6d3fc30784dc5f62ec02a0c5b263114508cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
042c042f471731917b8481085f341631

SHA1
fd9557168bc0f68e0e1d319f47c12bc86091f75a

SHA256
eaa0e77feea9e826401ef02c9ea054d8881ec3842daf85a8927b806f99d62c8b

SHA512
ab84cbf0a4ac17b308a4840a9d9d3e3683cdc20b8f57d648364fe860f8cf87f0c3dd97111ed6e24e9b754ed6bc7aad2284ea25ae15be5922071195998601cb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e6d8e5277c7aa937c38770826f28cab

SHA1
9b4e7c57f1faf0c87a4f2f36cc2a4dd6a5ff4eba

SHA256
617f6b1b91192f94b10bd4c99b1c03163d283ca8753e79fb8c046baa376afd01

SHA512
a3c4ac63d03ac866e8c2063b410900f34d80eff80852a485a625f98d7bd02468ca21dff0041258be10bc37a0cb157cca086e63dafd009ce8850128a06a996cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582565.TMP

Filesize
706B

MD5
850cac2f16b0a6b66a063ce6e40539b4

SHA1
a0e16a738e56fda55e6ef63cadbbdedb7e000a0a

SHA256
e61a2f70c201b54faef67e2ccdfca3ca6991b3ee4bcc88a74079014046172b8c

SHA512
33cb4208b6629f4055ee1bfa8f534bb4e0a76c474b9c35b9e095daa57768d71b9ea7a32cf872def261b9e1583acbcc8ac40d0142d50f14371833603dd6277369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b89b62262bbe1a8e1e46af1aa55af34

SHA1
72c12e9d27a051fbf157af575d13c3ce56707eb5

SHA256
1738e05aefba6ec00779fa99d62034bfc55afadf9071fe9e02564fd9d2da371f

SHA512
6553017b1b71153bf08b11787560dd4f335d7613942e6d3b67853ef71028fd354ebe40f56aa02f63f4a35e56632410d562883a1846e99068b007f247af49d7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a0136292903e9a03d068bdbea21edc59

SHA1
0eca8ee3f748b9015fe800b316e15c1c1ba2f18c

SHA256
ef3fedbfea672ae4f063b122f161080dfff659acfe0a03c1f59be5b834e39716

SHA512
445d5c0446845149747411592b0ad565d3b70db1970b55f313c65b46c6551309de437097d0cd78a5622d27017b83a79c4b351e4535d145233c849234926877c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4780339e97f68485e1594a8a2b198372

SHA1
fa7906b62107fa0d749065e087a0aaa653f9197e

SHA256
b60e847c44d1c319c23ac1cf809eea93de9e20ddcbe759cbf9e62ec7d72fac82

SHA512
7dc97089781c816bfeedb32debd10e869a8f34dbb0aac5331bc97f67f44f119e04b021f5cab612011806a3a2fa1fda25272174d15610b26830a5111ad2955868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bc0a99f5f6b82674b40a6503f64f7a9b

SHA1
fce77172c1bd4c8e7fcac786f37b8babc3089f91

SHA256
a991d0594ba08adcf2a0e18790fff7040c34a37621fad5367ddfcf3f62a56fc8

SHA512
dfebf5f58eaa14f14d9a545a06a21c5a9a4658c735f73757b8b28a7c611aa34ea2a1f45ff35f94a7675d40e55a053fc28729cacbf1e00da0c901575f46ef0aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7d092e97df69e517fc15a8c525171a1a

SHA1
eab2499de2443bce958a2060e37666f58e4294d3

SHA256
3876e1e7326cdacdf11714216295b0f8b0954e80c71f10aeb965ce47a0d8b148

SHA512
a6351d4d80c38e35af31f74ca71a40c066e64ea3788642fca737fa13ccf0d86dd0b9060c8a938380c57c0936c0d2fd8140088cedb681a590a75b8eac9b16b6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dc8347de09521ea053c15cfa0d59f596

SHA1
cb3e44a8d7208a9fdd12a31359683aef1ab27159

SHA256
802bb70b67c204794a610756d64806abfc6754be99c124db178b5ba64e971601

SHA512
644d558a77c5eed1ef1101508889c9f6ab1ed11b2d965ba5646b5ab65a144e277ed22501d4b375308c44c7ece6b69739a332209d7fe43f344ae509b6554ad3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
135B

MD5
90022f82afe48963cc42547209f18f96

SHA1
e60698c77e7df4cccc493f2cfa6d76f7553d71e2

SHA256
046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc

SHA512
6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
319B

MD5
d48880f51490bdbfc6563f3193b3177b

SHA1
57beaa251b145ddb264e883a5992619387b4f0c7

SHA256
119c63f930f6226ecaaf74c62b2c8a91838fd3c0a10892552aea12ce66af7a9e

SHA512
7b8587eee63dc733ae12264a84b96ef6cb056226027145cc4186544d4be74e6382ae79b4540732be1657a2ce974933e3112d16c8546d3a72eb986dbb60ab8536

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
684B

MD5
8901669fad5b7596863ee3ff5060d382

SHA1
01ab6f7168aee5610812f4deaff41e32044382d6

SHA256
80f3bda6c00088860a12786b83dc5af9b5e6403c4a7591c808a3e6270065c787

SHA512
8e2ca15e18c1d41556f2b9dc35ab47b9dd89a98945ead94276169e64748139828ae1bc4fad9304d427cc4b5e13b6496834019a12a76e89eef9a14a6b544a73bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
e965ea147d8f0db8d2d790caba5a88db

SHA1
a8c94374f84b59a82ef35a3232ef4f55958fd50e

SHA256
7925be7d2b99c80db197ae1b7b0c3d6bc8b89f0e8fe6747991c6c00be8e8e895

SHA512
be9cb01a9a0834832e8679dcdc6e10fe6ab9913d0281c9627fc0f60aee7733f14a7e039fbda8ee0e70f836eadd411c809b5295890228b7e4ba93739e5ce8a588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
210B

MD5
65e461f54bc05ba66464d19d6473db6c

SHA1
0ac06324758b10528c27d715c92172c2b9daeaa8

SHA256
1e2b9800e69a11b334463e0c2994bb2b3ac6b8279d29d8b6629a58269724a0c8

SHA512
49e528198e9a2f3adf9f5a546b33eb8ede7afca04068870ffd0f5005b2473eacc951a8a5072019bdb255316ce51a3b3e27679560d59f1de4458bc06878a20264

Download Submit
C:\Users\Admin\Downloads\BlackMart.apk:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier

Filesize
110B

MD5
de4ea3696161fb41e099797aec717e52

SHA1
db1abef3e61bf2c5ad06911a6c24b2a119afac21

SHA256
90223956367e6087088f57f7770fc5f86fe9e6a9c1721e49a88dd61dec6456dc

SHA512
6e6315279354cc86b742ff9cb65e766fa9c06c7b1f117c0ec1b95d9ec8ece44e72f02e25207f9bce21ac29bd6765bab091540b38feb868aa4e62988ff1f4f15b

Download Submit
C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier

Filesize
112B

MD5
f35531f8bbc0b3e0410931725369fcfb

SHA1
96c9b244ba2e12b3d927ade863d542ba7ed16f04

SHA256
242e7dcb9ff166b886240c5650172e436f734a2802902c9361af2aefb0d8cf0c

SHA512
7a0716e8f133db7f120765c0478bdd17960d033ee8d6c3daa04dc18818bc3a84789c06fae488c753904bb188e907ac324d38d0c8433c27467f3b595d4d8a1dca

Download Submit
C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier

Filesize
202B

MD5
f86ec1549ccacf425e3fd13917e0dd9a

SHA1
828661bb04235f3889ed553f1eb4de28be6179ac

SHA256
238eedf634997f20fabf83cf6ce1961d9c10746240a164a3a28c215b761c06e2

SHA512
bbf03a6386714c226b579f7ac91b8c27d8c8a7151a73e2819ac30f96f68d7ef6d534016edb20ecc34da9b7e32e1271fa3ba8454ddb71f757b0ebe9e51a4e5550

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 131790.crdownload

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 246977.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 328720.crdownload

Filesize
50KB

MD5
7d595027f9fdd0451b069c0c65f2a6e4

SHA1
a4556275c6c45e19d5b784612c68b3ad90892537

SHA256
d2518df72d5cce230d98a435977d9283b606a5a4cafe8cd596641f96d8555254

SHA512
b8f37ecc78affa30a0c7c00409f2db1e2fd031f16c530a8c1d4b4bffaa5d55ac235b11540c8a611ae1a90b748b04498e3954cfb1529236937ef693c6b20e893b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 334993.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 345087.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 465995.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 5724.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 606605.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 725710.crdownload

Filesize
7.3MB

MD5
6b23cce75ff84aaa6216e90b6ce6a5f3

SHA1
e6cc0ef23044de9b1f96b67699c55232aea67f7d

SHA256
9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

SHA512
4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 780151.crdownload

Filesize
9.0MB

MD5
5909be3db980803493a09350bf381fd2

SHA1
f18c88bb6705a97f8878e5cd685bc06275c42c23

SHA256
e7fe5cae5b5a5561e3aae30996e1c23bae6a16b8fce29865dc06aed1c1924c47

SHA512
768df287ae6094f59e2eda2edaa2e5c30d687f4f379527f883d970e11aa3c72c71efb540385e4d1961de5aaad1b6ab23c370b260ce654be268c0defeeaa84ea7

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Windows\BreakTart

Filesize
47B

MD5
081c6d16a42da543e053d56b41e011a4

SHA1
7c3b4b079e17988aef2deb73150dda9f8b393fdc

SHA256
7a4a7fc464c0e33f4959bbfad178f2437be9759ec80078a1b5b2f44656830396

SHA512
5a65a2b81c0d001be174a100363adae86bdc9af02360fbd2c87ebdb45d62833104e4cca90473f1156792473af5922e947677585c55052a99868e6a395aa457ff

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Windows\_CutButterball

Filesize
1KB

MD5
f2e01790b786970613443192004ee335

SHA1
cf92239758b7793a15b4a9365089859aa0fd579f

SHA256
d9c08372f4bd1e68be3081693f318a4d2d70c49f60d41be3476d51e147a20537

SHA512
e18bae03febbd9337ec75185ef99c30b1addf9d5dba6f76fff60bc8a0d958a614b85ac8725a7c39a5fe89771cada9e7cb61d0db940e7f3ead01c99c26b28630c

Download Submit
C:\Windows\_CutButterball

Filesize
2KB

MD5
7c7e329cf323ffabe7accb9885e0c224

SHA1
29570fd8eb27b37180d44da0d771e7c23ce32818

SHA256
36ccbc9ac7f7efeb6fe51f538e7b6379cd8aa28ed16b442973135b5a7d4ab46c

SHA512
73c5ca8a3d08494f2274fcdb36da70f42076bdc6a8ac0ae0ae14e536a24e8b5fd92adf2f57425ea4d6d0ef0ffa05239166311255ce59e2d483dd1c3acd34fe63

Download Submit
C:\Windows\_CutButterball

Filesize
6KB

MD5
9d2326444c633d682a7c118c1d1b8e3d

SHA1
ab33e4ed3fb33f917bf9421ce90564201368de92

SHA256
691ef7a95d6109737754f28840d8294fcbce413fa6a3d2d6d6398f667070e24e

SHA512
9af5774dabfed843b9161ba379acee44e36b9095e084700ccce83ae6ec337b9f3b1485d2884a250dea5a99c9fff7b51efbbe1b6a3f4eb389a24e41e764a39196

Download Submit
C:\Windows\_CutButterball

Filesize
7KB

MD5
9c213421143c3ee9ab4919812bfca2a6

SHA1
2a9aad4a7f79e9a0ebafb063a4b6f6f26ab55ad8

SHA256
34e514d111789b49daa3c43b9b378f1e184cfd46d3f4b4ae6060d175edc3834c

SHA512
3ab64034ae4004a50ee63d13f05eecd0ee43df3090344e39d9ccece6b38b7d58dc7a54e4ec41e9585413b5cef3b93a1239bac76f08f17c6ba0486914b42cdcd0

Download Submit
C:\Windows\_CutButterball

Filesize
41KB

MD5
91c40e63cb25ea98fd2eb6c16c22a476

SHA1
a8166def06e29aff14b921218822b531affca06b

SHA256
0774357ff3c43f9221322004b94302958770c9a1e9ae6e5fc08caf0436dab9b2

SHA512
71ec0e06a7886d8a42290640f378ad1a5b1cc3cd3f0dbd2cbf9f8c490c551f4a14cd508cf94afdcdfbcbb033e7320f8d55849f322f7ea1ae0d0d82c7d8d16083

Download Submit
C:\Windows\_CutButterball

Filesize
42KB

MD5
4b5271c66676e14578d78c13e4c407a5

SHA1
8c05d31630bea126b8d0c8664461336a202c9707

SHA256
1746773e97c956523cdacd4859f2786c86e040b9d3f256b654cfe5c5c4fe9bc9

SHA512
aeb205f6f31294a76837a6235811a69b7d70f7d26729e80629395338e3a3710aa84586457bc3359a5a3cba68ccd4918a100d3865584134958b456d3e199135b6

Download Submit
C:\Windows\_CutButterball

Filesize
42KB

MD5
ff88ef07146352bf0f9933e0e4d5f237

SHA1
d7a503aafc464730756495431d8ec8e453ae151a

SHA256
dede7378d208e2c99cb1ff04ddc36d8db9d7ee8fb6f609d76df61cc1c1dde8ed

SHA512
e0d4d3b7d055dd8fa59d4f87782d266d763820772450642307dfc6618422888eb0cf919452db8457dc1a08e1525c12117028d0c8dc10241f1c99ab4514cf6a6b

Download Submit
C:\Windows\_CutButterball

Filesize
42KB

MD5
d84f776dee06141b100eaa7cb108c1bf

SHA1
95f182aa25d638e2ea44675c4db72bbaeb5fc9c1

SHA256
9bdcb39bb55676997db6602bcffd99facea1c89c5bb3db7a8ab824b8d5053bd7

SHA512
35b7ef720845eadc2c05ea9d4bd0d513dc473d0cfe55aaa2495fd1383381076fdebaa11f4ffbf2b5014a215f88b2363f4b56c4e8655cb8c8e884828fe7ae3996

Download Submit
memory/196-2364-0x000000001C8F0000-0x000000001C98C000-memory.dmp

Filesize
624KB

Download
memory/196-2368-0x000000001CB50000-0x000000001CB9C000-memory.dmp

Filesize
304KB

Download
memory/196-2367-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

Filesize
32KB

Download
memory/196-2369-0x000000001ECD0000-0x000000001EFE0000-memory.dmp

Filesize
3.1MB

Download
memory/2592-1280-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2592-1279-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3380-1278-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4516-2578-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/4516-2581-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/4516-2587-0x0000000005D10000-0x0000000005DAC000-memory.dmp

Filesize
624KB

Download
memory/4516-2606-0x0000000005C80000-0x0000000005CA8000-memory.dmp

Filesize
160KB

Download
memory/4516-2577-0x0000000005DB0000-0x0000000006356000-memory.dmp

Filesize
5.6MB

Download
memory/4516-2565-0x0000000000B80000-0x0000000000BD6000-memory.dmp

Filesize
344KB

Download
memory/4844-1149-0x00007FF7C6950000-0x00007FF7C6960000-memory.dmp

Filesize
64KB

Download
memory/4844-1156-0x00007FF7C3DB0000-0x00007FF7C3DC0000-memory.dmp

Filesize
64KB

Download
memory/4844-1148-0x00007FF7C6950000-0x00007FF7C6960000-memory.dmp

Filesize
64KB

Download
memory/4844-1150-0x00007FF7C6950000-0x00007FF7C6960000-memory.dmp

Filesize
64KB

Download
memory/4844-1151-0x00007FF7C6950000-0x00007FF7C6960000-memory.dmp

Filesize
64KB

Download
memory/4844-1152-0x00007FF7C6950000-0x00007FF7C6960000-memory.dmp

Filesize
64KB

Download
memory/4844-1155-0x00007FF7C3DB0000-0x00007FF7C3DC0000-memory.dmp

Filesize
64KB

Download
memory/6768-2272-0x000000001C2F0000-0x000000001C7BE000-memory.dmp

Filesize
4.8MB

Download
memory/6768-2273-0x000000001C7C0000-0x000000001C866000-memory.dmp

Filesize
664KB

Download
memory/6768-2283-0x000000001C930000-0x000000001C992000-memory.dmp

Filesize
392KB

Download