revengerat | 92b2d2a44e57ae9d47806eba7e62ef0d0e3b152e822803845e9bfe74adb6efc3

Analysis

max time kernel
334s
max time network
339s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/08/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rbxfpsunlocker.exe
Size

605KB
MD5

09d083f0e2c1e8a3561209902333ad8f
SHA1

d9692d3aba34a39aeb9e53cb3d25562b94e2e597
SHA256

83dfcb08ea4aa1b857d952a8a177db775d1a7e9cfc30b528848a4a29c8dbf0b9
SHA512

c71371263cacc4872a4bf621614940f08c9436062683be5de921ae6e509079e25ea380623e8945d40858819a664bd76590defb2a89949e8e5666190f1024ca6b
SSDEEP

12288:IKOjJsDc2+WC+D+4H/xeGofENaTSuGCC709:IKyacgDD+4fwG1NaTSw

Score

10^/10

revengerat warzonerat guest defense_evasion discovery infostealer persistence rat rezer0 stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/5428-2343-0x00000000059D0000-0x00000000059F8000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000400000002ab34-1095.dat	revengerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/3176-2351-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/3176-2349-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 5 IoCs

pid	Process
5096	RevengeRAT.exe
6072	svchost.exe
3780	Floxif.exe
1012	svchost.exe
5428	WarzoneRAT.exe

Loads dropped DLL 1 IoCs

pid	Process
3780	Floxif.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3780-2257-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3780-2261-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
1	0.tcp.ngrok.io
11	raw.githubusercontent.com
11	0.tcp.ngrok.io
69	raw.githubusercontent.com
72	0.tcp.ngrok.io
147	0.tcp.ngrok.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 4196	5096	RevengeRAT.exe	137
PID 4196 set thread context of 1368	4196	RegSvcs.exe	138
PID 6072 set thread context of 6040	6072	svchost.exe	208
PID 6040 set thread context of 6012	6040	RegSvcs.exe	209
PID 1012 set thread context of 5600	1012	svchost.exe	252
PID 5600 set thread context of 5676	5600	RegSvcs.exe	253
PID 5428 set thread context of 3176	5428	WarzoneRAT.exe	262

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2216	3780	WerFault.exe	247

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133672378331592958"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{559D059D-6362-4271-AB27-F3793214B25D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 697326.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 164165.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\eicar_com.zip:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 541586.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3216	schtasks.exe
3756	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4832	WINWORD.EXE
4832	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4340	chrome.exe
4340	chrome.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe
4500	rbxfpsunlocker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe
Token: SeShutdownPrivilege	4340	chrome.exe
Token: SeCreatePagefilePrivilege	4340	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4500	rbxfpsunlocker.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4500	rbxfpsunlocker.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4340	chrome.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe
4900	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2632	4340	chrome.exe	82
PID 4340 wrote to memory of 2632	4340	chrome.exe	82
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 4624	4340	chrome.exe	83
PID 4340 wrote to memory of 2820	4340	chrome.exe	84
PID 4340 wrote to memory of 2820	4340	chrome.exe	84
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85
PID 4340 wrote to memory of 4620	4340	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe
"C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff9d782cc40,0x7ff9d782cc4c,0x7ff9d782cc58
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4824,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3268,i,11398843976841578623,2025322416962073372,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:3176

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9c3ef3cb8,0x7ff9c3ef3cc8,0x7ff9c3ef3cd8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4676 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2940
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:4196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:1368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k3bmlkbv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A896E3053084F69B96A68307F26CCF7.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee9dck9q.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4028
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2027.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2B52FB37A04BDCBB31AF353A62A764.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nxigbbem.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA453589352402FA03817936642720.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5jwqvzlb.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B31ECC0956C4AC5A37AF3F8B6DBB8A4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eu11thc8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2305.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc608456825A9048EA9B41EE5B931FF864.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0hqh-zg0.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4120
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40D98737136B4C5F828B8DD67BCDA4E.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jov8drdj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5248
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2641.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED786C3793434B45A193DBFCFCC6ACBF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bo7cjnaq.cmdline"
      4⤵
      PID:5356
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES276A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FB52A19AE114B61B27F944C5A609F89.TMP"
        5⤵
        
        PID:5428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyraiuji.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5496
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2845.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9284953CA2343A98C22DF6F264D1828.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h44rc9z-.cmdline"
      4⤵
      PID:5604
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES293F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33BE2C67AF6843FAAB795784F753DAF7.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2rb_ujje.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5704
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32B70BDAFBB64ECB97E64107C617D29.TMP"
        5⤵
        
        PID:5764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\azfg_x5x.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5804
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6EF7EB270D04A60AF37BDCD6F9BFD2F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojshiveu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5900
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BC0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7100869494D43AD806154D1EC1D4F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\33tlyrj4.cmdline"
      4⤵
      PID:6000
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F6FA3BCD1514B6599F89F31C239C8A6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xck2f8rv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6100
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D46.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B21BB1ED1F6433CBEF62AFCA8574CA0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mfbzkkvm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA78A6DFE78FF46AFB3F825EA614D99E.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\609k9cam.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5240
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D4E5E3E2E054559B5699B70A65FAAA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycsn-7s4.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3025.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7385C8245A4895B537874ACD11960.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sa8yqtel.cmdline"
      4⤵
      PID:5392
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F0567BF7537426885ECD6B93A26C0F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d4qbu8jk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A5A0BDCE95D4631AD3641CEBBFC01D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqec5faw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5776
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3296.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1840D106E9194024971CCD93C0AEC42E.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6072
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:6040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3216
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sgr7kwii.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD32A8EDAA8D4B91B1B6A7A259EAD36.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ceyk1hw3.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc731AEFA850F94AE1A114B0A028944E55.TMP"
        7⤵
        
        PID:5284
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9mqnfm3m.cmdline"
        6⤵
        
        PID:5260
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD5C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B1E7DE2A8004CB88EDCEDCC769D3BFF.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\spgwihal.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDD9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF51473FCC7AB45C7A1DBC1763B11ED1C.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kfb6d6wh.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA315A11FE7114F238226DAD2AE6BA4.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khlz5cxn.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDED3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77AB973669D94D2D8D8259E2FBB74EB.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t_y_flfs.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91F0AEA4EE5547239D9B4A47BA15589.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksb1m8en.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2E5F2CBAECF478FA57FB6278151F2C8.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vg7qumws.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE03B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A52A23E3154238B49CE61462AF9A3.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wopkkf3j.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC64E2EC514C48338F9A958FCA393C9.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1324 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2424
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1688 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5356
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 456
    3⤵
    - Program crash
    PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,391836685898478641,7324230528213866135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5524
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:5428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B81.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x0000000000000420
1⤵
PID:1544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3780 -ip 3780
1⤵
PID:3756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
b5ab17d4f916b16f107429fbd0724c93

SHA1
39b2c6bd172c89440129f35b481538eb6e7dd54f

SHA256
cd67b64ae69f04d81477ae47f5fa7156d56a698721cd4d3e5e0ade91734084e5

SHA512
788dd105a5bb65532e3dd64f8091481dd7e9e6d37ff897fc1ececfd23e41cbd1065b79d583713cd035fef81ee677f22cef7aa969641826b1c222ea983481f9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C38AC6B0EBDA4044A36E2ADF650F8E22

Filesize
283B

MD5
f593571af01a60591eca5d4013ae01f7

SHA1
c6990b290232320e295eb0e3b6b2b7d4d8c42154

SHA256
aa973698d07cac32dd33918aa44035cb742f78801b8ca974becab293bd18831f

SHA512
a92b777483a519eba642e0b1f780055b3eb76d4730a15c542d06ed4383ac49e60fe59a5c0cbaf9bc41fa6a81ce510a79eb51c772d02af38f18def95585127d79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
978B

MD5
fcd451d100451b87ac42092de358782e

SHA1
f701b9bc3fff61891b31ff0c826f33c874831384

SHA256
116d2c6230b40ac3a295209a862f90abb051b458d16f0a5cbab293935c6e2585

SHA512
1fd1ea3cd1d740d1ac9a25cd48dedb6bea007c89702de2799357a784680f60f649114367d9cbbb1f001e8a9edfa5c9301b00b30be5c63202fd330839be600062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
4b7865e7d728afed6658edc3b24c3eae

SHA1
bc637d99deab24d7a96c42aecd53dbca2cc09edf

SHA256
572ea6c6add39c7fcf68d600744a579348b46b4ccbbfe71387fd29fb2703d2dd

SHA512
39281e9e680a83ccc264239fe47d61f8e9adf695cec445b02fbeea59be3ad2f9484ecb0dcfb81e5237e097a0fadd1b26be3ff24a1364ac8c1da5863ab30ceb6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C38AC6B0EBDA4044A36E2ADF650F8E22

Filesize
484B

MD5
5dfe4d221aad4b0c0eb3b9bd87aeae8b

SHA1
c1edb09ab26f02cb087b6c00485407761206e0ff

SHA256
cb9c12b11af57596d6f840c5dfa1ab650453345914758ac829a17fef8eb3d984

SHA512
34c46d8c85c17aa5039655b87682e79511b07f772b70ab5100f4521a166dc0f3ee6fdc06abfcb9294a7a8aa77dde38f78fc6e7e9b88993f00f0482133adee992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
8ab6b4b0fd82920d0f19b76aff4e6171

SHA1
7e543774e37d80d330931f83bc2a31d2b80ae560

SHA256
c51de2bf932512f2201f2a8862c03ba50efb8e2719c4290dab2133aadb75bf6b

SHA512
fb4c16cab7bb40385390e872cf64ddd8d93327f0ea024ea82e546f5e5345578c663a1307b0bcb1f4c2d5a7eb809c3e4853d4393cf11a37c35d84dd2baae1347c

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
197050f6558411063aa68b20cb1788af

SHA1
e889ff15477e074d719eda9684aa950dbb8303cf

SHA256
4d8c0f87c203e1ae5c1e3abbc781aa7691a160638663bd052bde7997a647f5ba

SHA512
a82070513eca364456bbdf5bf2913bdd067cfc7531cc36d2f840d301e260217cd96ff10fefc407c23f630f14189846d485fa349aaa8f66e6671a3ae5e933ff40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1ca5d293a06b8dd41dcf04f5fa259c18

SHA1
0f09e0ea846424e3cc7e044cd3c10cc9cc17565d

SHA256
6cefd1ee2c10e2f83a13a9fab41ae3d197ed52487e59929b50cbc1d797045b38

SHA512
d792e2eb396488d7b95be53b5d0f60d6c40b684404b46623863d4d79f4e1d487482938b7a27cfd2dcb319f6b785bfc9066c0d5e5b1162c7580a251c40a75f7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1b7882da69c0725d96db6fadf5c61998

SHA1
4d95eb2c1dfd8ff2a3fbabe0d6bb19a842e5249f

SHA256
6cddc69fc7979794337a68b009dae3345a0882b495bfe4d4e9c680739cb58ce6

SHA512
9f9371fe239e1292ec63d46a2599c584860cd47e394c424635f2920deed64c49aa37323855be5c70a239e1e6c69f56176520c3ed9264bcb5f59b8faf6d9436e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ca1ef958ab6f4ccd09e8a2c4363847d5

SHA1
7a4b65854b4159860ffb0c46226ac738388e4ae7

SHA256
a6c61219d2b3fc1d6ee3ddaaca4acbac70838a9993edcfc3132a30996102548a

SHA512
95adb7549e74fda8f697a27afed3b0d486baf170383bb76e60a1949d96d60017de90a860f177d3606adcdad7363050528071ea23f4301d429fb8bf4ee87ba604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7a1c93768ae6401d5e069741970ce252

SHA1
993530fdea647dedbe7b026c6b37025827a8e827

SHA256
5e90aa2832985c916a91ba5a25bac933b8d3c6521dcb2d972991458941b6562a

SHA512
4b71662a9bdffffad1650e010f36fe213eb5b24d6b7696fd21c398edbec5f4a063c9150b61de5fb416e3a8b197a362e3df7e35ecc73253ed1c125084488834c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
524fe99aa2ab5c323b969a8ba09ad6ab

SHA1
091d80bc525b3bcfc1525a020a49ec98e49e99ba

SHA256
07e49306a66dda2ab671e3b6acd3299734578001da7eb2e546945200b6915aa8

SHA512
7941bda06bf3fd647ea1fc8d2797388ee28a1c13906f33dd434f4926cd7b44d92e755f418a4231fd3df4c36e49209c840a71b1b2d47969d3ffb56bbdc19cfdf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e43c182df9b9c8d6d7dc2c80bbf6d0a4

SHA1
79090293fa05fdbfda2f1ec9cc202aa78e3c8cf1

SHA256
2a5dd5f47d7b5ec247847830b2cdca83640d2b911c903b8d4efb5b662d6677fd

SHA512
fcd1c87f0f8162fe682076f81aa94db794b54996a5f29f047ea161123e540188e8f2a0164354206dcf5f171478ad00c33a2d8fddefc604b55371b0a41b74ff02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
811628ba12df7c33345de6f87fba86ce

SHA1
e859ac61256ea21dd55687bfdcbc868f4e6e50d2

SHA256
c43cb233ed1c19bdccff82fd734ca1aa502aad0c62fc081fe8af2824f31985ff

SHA512
a2744b56d24130a9e6dfa164be1ca229dd56f69777ac5fdaffa2239b9bed76896e9c0c9b4630dd0da01117242598702e090857b945b25c8d6b1ce46b4b40df62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18f96b59003df9a88f0c12475f7ad36e

SHA1
7982fd52146aa1ee16ec905841c800dc2c4aa5a4

SHA256
d34e72dee3bc7bba43b4f4baa9f0d85f746904669e0518692030840f8a637530

SHA512
3e54197cf4c0ab014b14deaac66cdd635a33e856622efa852e420d405161a9c365c3cbcec925eed74bdd58d4d8438e4ee04dd0f7060fb7a1a98d79027c11bfc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c3fa35bc81f52f0f99e6fcb07266b0e

SHA1
d42e1311aa9f435dc3a9dbb1cf582b513732525e

SHA256
e918fe73128191e2b149a7b80bead93c180ef330530ea82c94b4e2c9e9de7a8b

SHA512
f73742ce210a0cc376204a10a295f169ca582b699cc237f4b93c823d17761e3f333e5b922e3446ca79a28a45ad271c0ae9b255a8160428e5ebad23ba6554eb40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
023e6d53e897322198a7b94bb0776289

SHA1
4eee8c17d56fa320f2bfe9930accb4a9e83c8546

SHA256
6b3adbf0309a1c80d078cf18d184688efd9dcbb0283a96e1fdf6f3de4290a32d

SHA512
00333561c702bf59f71e443bf7a8b4329f5e82e3b56727c84258c3c022ede015a32b60dce5b361c43e73019f72f217d746df3aad72fac9dfd640d3a803d32c65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1853ddef57f259da79670559d898d07f

SHA1
85eb9dc064a24e169e685cb830477d4bb6d11a9f

SHA256
68b8b6b1eae88325df30d1f9505bade6ca5fe4e5c073506b5ebc70f0abee547d

SHA512
192258031470bd5519f4b5fe6b56e05386edaf20de18ed4a9899d74f2c471719fba52a038c1f27ac4a615a60ab84742a21ca71d888b93e9b3214da544d8e5b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d609648b970409d5f3f864db00e33186

SHA1
40378d2cf0feb407f8101ea35f53152d55fc8bd6

SHA256
f86b171cecf37e8e00d0a61d49dfd7ff8175fcb05972d827a44f2f2429598592

SHA512
450dd98a57ca48623409bb7d5afe7cd39ba826bfc5e0abea70828c98fc90ba075228f92db3597bfa3a54536d6144d6c645e99df9f1d9b69877ebb47d82e31088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84466e556fa95bb8242408663a37bb9a

SHA1
0c4c025cbc6e4ee433efd7bfaef4e1a5c8eaf3cc

SHA256
353c2c955b1e18f57fe075830ab83770c342fb67db5fc231f109159361c2ff33

SHA512
ced1f665309f2e994d05881bb38b4056faef885c462eab6cf46cdb8f834a0ebd9b44731bc3d74869e1c456e9f75954a93318c76f6f58ddc867b47725b41fc7e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3fc174ad8add75d9f5b59f17d98cfac

SHA1
756fabec0d87e3b9f3f2ed11e767b7871f1f3707

SHA256
6494ad0c821b20d65ff763321a67fb981e958dcc4f4cd11278d217baa3bce4e2

SHA512
02d617d48d69237fd83c10417c0e7337e8b1f94895645189a2f0ce66abe6a28f5ecd9af28266c580ae140a6e40849b7a4ec4fe3d4ca6f03ec001b40c790a61f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36d41679f2c29aa13dcc168be814f8a7

SHA1
96461cc4628e13158869810126c8b365fac4e9ec

SHA256
43de850a8e2b1b49e5ce3643703f8145e160bcabfbeb108248309edfcf378e3b

SHA512
169bc02b05e32aa0379058c13ccff4e536e95c3071b86249228b6cb4dcd77ffc40cd5758dce6a56cfa994462218b100ced405097a78f304ad50c1168182ff861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e9a273fb09706ccc2736c8797bd3fe7

SHA1
ece15342aaea8f5d5bb9e027e28f90d17792a268

SHA256
5a6c738650f8bbace609b8da4ae84ccdf58aadc66d0aafcc58317927da7f1932

SHA512
26c498b18ea51b46876d66f477cf6f9dfa576e50832b5979bda9f6abf7d959abd59cba325e7b592dcfa8ab84f76c35057882b0e847e980008a6b7b674114e843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4295213bc8305ff7e57188fd9915d92f

SHA1
85765b0c48497e58a9cf01be75dea3e4447df7f7

SHA256
1d2798a675410f73f615d92af6839f55f95cc8ac12400f9a5705179258c4a925

SHA512
7e2685b49549b3fa72b080934e5cc16c3296a4256c2cdf4b5e7d551cea4e25a92977d7cb4b337865810cec4bfb82083f99e9d68e45740bda0af64f8e0b89ecc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61ee040c727700e4265db669cfc4847f

SHA1
fa9e90f8005a28f1cd85fc4ef5e6eed2bb3f8f2c

SHA256
57dc68c4988a6904657df4c7f7270d238e6a1fe28d84425b97354b81d34fcd1a

SHA512
1d82025cf9199877969a0e28424eb57cd9c1e68d0bb73830a793d075b26299854bd2ee586278c3a9c613a13628d0b2e6f32555489b82359b45bd6e51751cda57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4a92e6a72f99328ee71892f0f92ae41

SHA1
16766545296cb4ff5615bc6070ca9a685d91b772

SHA256
fda621eaf62df719c9a7cef3f9affdfde159f4ce6c91d1213ef8f9c777f84871

SHA512
5b5a4e0137c92bc5dad2a8155bb52e8cb2330206d0697d1ce97b44315e83c37c47ba613af08f351ce53ccc99a16f2c9de20e212f62dea44799ceca5c0a4bde60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01480e1a81a72022e22e6265869b0e29

SHA1
3437412beb6f5fca511d695f16a7ae5434f568c9

SHA256
f0c827a1e4988d8aa4e54dacd9cb32932ac36a171e546ccfc809bdb577cf1a55

SHA512
051ce0f30cb473e336624fe86978d8ae11e8181ce58341198dff567ad9d6593a8163f7c335e3188b84b908c15d466633bb356c5d88233d459410faecd6153178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
da1f703d2149a0fb1f6d1ebcefa4bf29

SHA1
9a135cef139c305d02f68c07b6348c544fc45cfd

SHA256
6b286c7c345b58435039d3a9efffafab67af19a6e1d2b3c10bb06c689611e259

SHA512
d4419e22b1b723afc3eba66bd6d381f957c543bdd04c9dec3ba840fbac8344fa29ad735bc7590b3e833876f28459be803603d20fea0461908ef70f295e90290f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af9e8639c647a67a9642a535cd3c3d55

SHA1
964c1d54587c49d3ac1e7462a6595797c0d9c119

SHA256
cd1dbd236de0cba6141a39cd6b9e612fa70f168f066c3fa4d32dd0bb41b9c264

SHA512
eb43a3bcc1c4f3acdb8bfe07fc097aaab8f398ebabfb32acea5e733cb176fd4e988f2fe79cee4d848c3a10495609ce9c7d9aec692ba2f6eac249a73eeea8be6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a458d2e785d2fb5069112c3607b5809

SHA1
a39c531af6d5d9bcfbe220844b3b35ce18fa1fea

SHA256
6274ce1b9668e3acbb36f30fb2303b18767a873cccef5e99f250027a86f0f2be

SHA512
87694f3e33dd07808ec5605a5938c58689116e7491d99209c263b090eb81ac6695c941d38782bdd6d685bc7cc92f8fc50b97da49b675977c929267693d72617a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbb6c37cd4cf112d6ae54088349fd3f0

SHA1
49c583c08994f81818624afa2aaa12c3a60745b8

SHA256
3dd037efd9d79fac200c3d0aeacd14ccbace5e35c7e7a0faf4a26d54f4b20e25

SHA512
ba428dd1f1c1bb3a4516641ae3abe695179e6fce7ffcb7999f5317f533cce2d8f54445d278c8e2318b11fcaec1003da5900678ec31dee822ab2c4cb3e817fac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75814c49727ae9f43624b7474af01558

SHA1
8fade7b7f97a63792086d406d4641808a46b8e62

SHA256
61e31ed5a37389a89defcf13959ef4137ca9b785464ea85baa20531c8eda23ab

SHA512
604e67fcbab4081c1f09458bd1e37390340eafa1f7add840fcb2ebe7717e710470a882a9972f9475e82b9f52af2500c6a55f44829dd0ff411ef50d79035694d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bab4c3cae6f115e5848c32f313537323

SHA1
94fbefd1b85aa60ef0616b5f16f874dd66d80dc4

SHA256
21eb92545a8234dd7f482a9631cabc9c47abb8e3fc9a4fb3ade0d1580df5bd11

SHA512
0e2e3263444ef1d81f9c543e83832a5096e892e88ccb4f93a29ec6d8176a0fc7315ac24902f7e52d7d3765b3866336b3303d1b67f9d192c54e187ea7506eada6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
b4e78c93b78dd991b24ec67f5ceda49c

SHA1
5a775271f3a9271e8cd1bfc0b995a335f39ca184

SHA256
6f7453f5480754566f374bc3e8d0d1dda7189df4c9c2d850121bb80cb65f84de

SHA512
6a3279bd559de24b490b4a32a0b1c91d447c2bca9955a419137a0a6d59555ba91a23ec20e1838dd8232d49053d43f5e638cc5e47f40183623794f08966d88430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
9147c5fd7a4be4934769212928e3e4c2

SHA1
c0c40f4484d2cb046cd31451e98711766cfc123b

SHA256
a5e5759efc615c44f36d944865be4287c1bbc3d269223fed3d11516d456b63fe

SHA512
1aa03bd2a9b96bdfc2cd6c8ecbb9a3561fb4597129e411f4aeab6dafb7286c16574a92e6f2a553b83651383a60296c823d82377e94663f9c1d349c9755e793f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5e0210f86f0a3e1f2fbebfbc93d7bca4

SHA1
233df4e378dcd0b3102ac52e59b495039965516e

SHA256
9a48883bfa529a6a3c601d506f006d35e17e0fa6e963339dd7d6147254f36106

SHA512
1b4366b9a5d0e9f1bf5a8513b9daceb50da2bcbc5cc24770a7cd1461fc7b26673d50304f5bfc3c4c1424be6e46c8c35fb53898c94caab04b0d1b865ade51f283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74c3dc24780d72d4f5bd65ca80c369f4

SHA1
60f778dd8764b5934f75fd5ad2510f7178f2f1f0

SHA256
267910b18ed65a1e9022ba567a23c61d964268d967ae6af3857c5e1f87d667b4

SHA512
06661722a1a4ebde3d4f05a213fc015adb5fa64da427b88da02c6d06ee8df73febd5c24caf646edcde95f99573c9b85cf5c8d149f776d90487ff65f3a76722c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
6689c59e26e703f356e240a0b16dacbf

SHA1
b79700640b1a009208c79190e57f8b850dcfc7bd

SHA256
1c6ce065a94b17396b24d14bb0f44e91648945f330d46dc7d76582c14df82645

SHA512
b4db7d2d76e4fc92bb3ae60ee4597e24b8b398660d12c94ea3558f351294f8eb275c8d8daef3d35b6f86b5c715a50d37ae247a6908e4977bacfc8454817e9170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
da678b22b90151f09939fa025e70aa18

SHA1
1fc3ccc614c0ad564b39bf1e155b76d9aaf911f2

SHA256
94f3bd6fd894c61dc56aab15f32581ef4aca97655edb46e3cd7a916747443de2

SHA512
3958327e981a79d72b04e075fc5f226c0f6bc0047bb7e3d649844e15d1833764ca1aea548e375a4c902973ca479b04933891bf65bf16d9e940b2a69e0c3825b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
392f2e178715cf7abcb9bb723849a3f7

SHA1
a9bf4dabb2fe9eeb15a022d6d7081e602f2efaf0

SHA256
706575ec1888b0481f8b6d6f80f41760380daeb2a400d4f78b3f7ee96c02b704

SHA512
9b9c0e7a5a014f5c13d670ac7678b7058ce0aba30d30cdd490651e352a2f8890bf55b9b648b024a31d6a8d046dbed8577c31e12e25e6cea33d59075d6a359f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
564B

MD5
2ebfc5e1ac8f9e1a571e05f35a42f3de

SHA1
589550203657b1643236f4f4351f9ca4719cc1a0

SHA256
a4c814682f06c919d573b00fa9fc44ddc8183e0b985b963b7f1b5c0f34d0fb75

SHA512
98611b77023a7531c44e1855895edc17a2918c03c5a64ff94aea94c071f634ad056b6f8d591e58c0b06a5f1b63f2bedda310c5de003aee5f65ff48fbd55debb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2f4fb4e9653acd5f01434fdf7f53c90

SHA1
0d60cd25ac6addf92e07403e227f5c911e02dd65

SHA256
7e03febd5598105b4b5b13efc8b884cfb20abf731d3a227069611ac5a82e4d20

SHA512
43a8f2f12658b7da3f082b364a2d31e9071281938963d1418a58f351a9cf5950dfc52850bbf39d381b4183f9ecdd9726fc938b82b9df9bbe8ca5879e860a8acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1784e0ea152976410aa17f7b2c85f662

SHA1
cfac61604387304305ed8d582962d3476b1620a2

SHA256
1d647ffb559f1378db3a1cebc0f93e6495712a71cd4f34c6584b9e8a0657a53f

SHA512
53659b2f1605e8ea2f9c5d6a57a05aab1a82039b42855d3ab1d0ba51b94e4f04f3bba8aae055ebfa4ef0616a29240332da8012461fdef434882209fe419d9d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
667fef083f0606dfd0b961f8bb926108

SHA1
7b7fbcfdbcc91141c4ade7e37e37e90920b657e8

SHA256
7687fece501211f943fcfe5bbdade3d8ca74d8144ec015703b98af106fe0a64d

SHA512
30458a333c60fb5d8a5e40de88f4f229032275a2da7fdd6a4189401d805229893ed0ccc5d699a59cee0b37d73693766f40e8996e172e4c53f5427ef48d8aca85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87b61833aa52b4d562e19bdacc340907

SHA1
e0278eec67c42d602ac628fec41a95d73c564154

SHA256
d5a30afec557b14b9cf6660bcb928159f3e89a3cf3c5e54a03c0173407f6bca2

SHA512
b59a069c412ae66f84f8fa570e525550d4e0edd4f627896735ca9742c06792fcbbf62bc9cd3b5d235ee4012db8ab0defcaea158767ced6ff051ef846a50a3cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a3fbf7acc77aae657d1117cc891ff07

SHA1
dd153f4c7c27562dd5574f5999fdd310c38efa48

SHA256
14ec5951cd69bc3d7155636ef3c17a32a635e9b2db487491a47cd63287c2634e

SHA512
d5a994611fd467a9bf63c5bb0e5c562b7379bc7db9738ff6b22660988c892bc1effcec94934aae7d2bd3a0ccd0bdcc34de57fcf17da093f39c59e49138f1858d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
504515a794484a3dc741fcef299abd57

SHA1
9a279774ce120edcf480a745a23096701460fdd9

SHA256
034c7cde6c4252f847f1dcbde473408b7cf5fef687fb90da3ddab35082d538b7

SHA512
2dd046d73474fb3979673e044b36d10c084c637ae489c512426be8fb17da3dc2d08b56f1e4fc5abe860093b510853fa9de6ccee753a97955deda772e86491604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b470650dc613f306cb82b9188e4da37

SHA1
3f4d6e4f0ddc652928a6f602a8926ad8998a0541

SHA256
7d85d69a24b719b78dca4184b9b3a173d7793699da6b3f82cec888d0c8dc0d65

SHA512
8f6cfa1e321007ceaedab2370ef892f52843a390fad0347af615f8294e5043887773ad8306960fcecbe9686f25b35dceefd1a4ff5168aa1fbcffec65e064881c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
24237245b96eede50b7c2aee7935075f

SHA1
36e96f3e643bac42548b74e00f2d57a77edab788

SHA256
08fd0b9372da68c14f5f68eed4c2878b0d03c93035a520421c2dbfcf3ce095a7

SHA512
e54eba263d67c92af5f89b450bde1e0f2d708fe4fa7b6c8c0cdc4d748649cb725d314fe1ce51e34347b782d00b848bcae708e16e346c0a42c9f61966a4babe0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a54562e72433bfc967ccfdd498a894f0

SHA1
ab21d865e2c7b2494c68762155c58064e5e780bf

SHA256
2e1337de4c3d2ca798fa9fadcbb9146bdf1699649184e8f26f7c158af748a82b

SHA512
9dcbd2c58e99fb00f9b8d19f023e65f95b71f898802bd35f970ee3c9efa6829bc39b799e9b90740b76755ba401e28caa134bb2ccc129e270dfd7fd9bdcb1fae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
0bb649b8820efb5a6c497963dbafc07a

SHA1
eafb1fbbe7a8dcd16f98b434fba213eee6515446

SHA256
d8fa8020c5ac5c774789eacfd2aab35b3e1b8abf05f8f34fe1db0e3279539dae

SHA512
9f9894f8e294e3a075144d2ffe509e7bbf86022793a6dd0b04df0af66b768dea87408ad64e0c26144ea5d8dadf591d606ec9154dc3c036e6ebc24518e797336e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3df4747f65e310b722089d9f24049b52

SHA1
a0de47f26d06d04c6f5fb53f1f2d639941fb164f

SHA256
3538805d5e1833aeb570a9c55c4b6f92d9626a7ab4887cefd22b962b89aa111c

SHA512
1b92b73148ee86860cef091cce163eb9f3be2967c4ea8394e3efced69a609e988bb663f541a643226f1b7f2fb16816dd7214f7eca6ae20582ef8fe8c67a14e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f8f60e0459d82ed8d86548f459b75c7

SHA1
c9dab5f9ee9def54d542d2b4b7a234c377f55670

SHA256
d044e34c94e82820836d635b7d5515f9f34a4f3c66b3c629b608c454c1a99411

SHA512
a617758c520bbd7b3f4351d76a549548123cac2dc8b555f76f07466df473e4596adc8a48251e487a68a96e5a463c19bcfc405bef70fc8b31cd06ab4255d12c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c94970c02c08ed35cd8e7e35db99eb4

SHA1
7d37fa9420d7b25c593bc2c3e228e61cf5483af0

SHA256
a48aca9abed2fbdbdc6cae16cf75b8459d1da077668b417d881301fbb61fad4d

SHA512
be62a8e2427422c5a9966864d0be87b20c2d93a2511e3f0e9cfb9b38850160d28f8c84f51aa4985635c78cf6afbe6ee80a28a4e725cac43f24fbb98b3e5e8a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e94bc8c8dee722f512aa372d046833e

SHA1
12907968142c59d4995046a93868c25929df0f4c

SHA256
d4e043d0a1bef790ffac7f621c5148db1c0bbe80e7bf8f7fdb7b16d61d6eed26

SHA512
d6bd83f6c3964decd13d58e7620e869bd41153ebd6eb391cb8e5ff3cb74ccfb1b11a3410720099bb17c79b38f84e37801f10759d0bcbda83f8ac793cac1b3500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
420f755fb112df1689942143c1fb4fac

SHA1
76adedda7db2a9fbffc1a3254001e6a1325d19ec

SHA256
186e0391b44a0ccb9b1cd6c31907db4956aef5fadc9bc5301e41fa69c69ec83a

SHA512
fe4050545f3386a735366b84dfeaf6d3ae4bff0b3604d752d09c9c06715f404b98fdf0cdf3aa98b6e0e574a984b2b71c839dbf051f94029755055dc7b82bd02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08703f41340fe174c6994c2edada4e79

SHA1
1482315aac9442fe248ba43082fb54a1acfa78e5

SHA256
fb16592c25b2a0c46ed456498abbb621a065253b5be30b67c325009ba647aa36

SHA512
67a9e4594b68cd10666d815fc3534a92c6f9dfc6ded19a1f75ef5aca597e858f0196d43efc39d4c434dc84fd21d977c84c2eb9d3007435a712ba91963e6fa014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589c99.TMP

Filesize
536B

MD5
3681e8d30f9b6f0598dd7131c0af2270

SHA1
4910acc89bcb9fff7b8da366baa3c8b3c15ea762

SHA256
cc88eadd649d352597081bbf59a6f586a111b24b3c89c60c41fa4332170c6237

SHA512
a579b10f1fb86478935b2865fc1b02e605ba1f23cde8dd62243ee6b1a0bbbc82618805558450d436d91b77c4a38b0b087ab2ab7655e7abc0bd466a821c813756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fa9199f5dadf05415e912d9e7acd7a9

SHA1
d1d9a0f98b94c7468568dba3643377703df7cc26

SHA256
20c4539e5bf7f4ccdab84aaa42d40b67e5405b43ee6b4249c5e7780504d44397

SHA512
dca2ff62462607ed64987bced8c9754c9b7b6756c5c58e6746d276617f057e0c10f66d0922431c302e1f425e055c7a5d65a4529d667e60f74a0dee2e0b5f0c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cdf1d261d77a89756793620d873fffb8

SHA1
baf9f6048efafafe39bca05ac667ca9f42f514f6

SHA256
b28a2f6ba434d40515850c6a3c2c523b9e0e3f702b5c95a027453b0e2c181a4c

SHA512
2f1f7d6b8e7a8995d41bfa56aac6979861bfc83fe2348d0f46bd3f268559139227d9f82979fb9f015da24dca31ad3b56875f4157fb484c46ab01450b6bd7d60a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
13450ffc76342b93ac8c92e6e0e24a8b

SHA1
b99c4ea4e283833e2cd1c64319bcc89d0b15aef9

SHA256
92f45c0901e71b11787951a9b6ff7b95a9316782aafcca4fdc0d4b8c4a6e2cbe

SHA512
098619c30a007d3ada8697f2688d37ec2bd1e126b9fad85ffe27622c5bca44bbffe78c9ae61e59336516651fe7dbc7494df24b1f584aef2189b19c5e9edfe1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34ff2bbefbc42d76dc7d0b6d03223f91

SHA1
19dc79dfb6c0fbf6cd23fae0d38dba3ed854df43

SHA256
b257b5b9d157e91e495ea9e8b13b9744d6800ad78a5d972516592a27fb0c7224

SHA512
ff35f2a2371c3756ff30640c3f4e3153581a505eec8178edbe6567576c16b6570201ef1670f5c7750d390405b86d4f10f2d100cd9678e206c467b8e3e9adb327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd081bde32e6f608f03028c6d7cdcbd4

SHA1
bdd76fbd7c9467fe42d8eff00b82edafcd0da55d

SHA256
db5d567f6cba22e64ffdc50aa9c4240f7f7187407026f8402e4d5f58288489f7

SHA512
70569b2edc3fbd6cc1b7dab921ac16eadf109c1d5d8e63e4553a0131a72fc982cfe1b678771ee9b343dd6a05e45639292e0b640d51c52b92442dc86f80337a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F6B.tmp

Filesize
5KB

MD5
95a27dd7c22bb84ffc15458b1b831d3e

SHA1
54d4b5288fb00110735ed4f7c4346a9d7af3535a

SHA256
28810b02a66e5ced3e07295b5a054e0a444b6a66b3b0231f2b7881d4156ab4c9

SHA512
efdfb6e945b0ecc789778c119936df2c4798fbb6941b837d45a35412bbc5af4cd69e3f476b9e9c3a6713fa929741cc3f24408c0cbc30da317604e95d8d8534e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD66A8.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee9dck9q.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee9dck9q.cmdline

Filesize
224B

MD5
5e191ad80e35041cbfc9c9858b116e5f

SHA1
0e4c36ae79e4f8153d96da1fda72079ac6f6093b

SHA256
3a28ae26079b8f82003da4ba0cd415dcefa688b0c6edf2e45b09fffb06e1fbbe

SHA512
d6e3bb0565c0b0f7fde89c4a35ee393b1d932350cb62af04ae8c2610f724f916e615d532494f3f01569743804fc318e409a356fb80e448572cf51a45262e3b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3bmlkbv.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3bmlkbv.cmdline

Filesize
253B

MD5
b6a4452360ee0998dc5e4661aae46ea7

SHA1
cbddcb177cba33ec08aa5f38c30654fe4f9e42ba

SHA256
4140a0a34eccd7c34493082cdc2f094952b225c2d352125b4e30e58803f31aa7

SHA512
bb79311ef2551f7973940f4ce8c49c005f68fc12bd292b7fa1ed69dacae3bc8eb19e9797ef49235cc84494f3585f3726e529decf89e4993f8d662a80f9a56692

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3A896E3053084F69B96A68307F26CCF7.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA315A11FE7114F238226DAD2AE6BA4.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2E5F2CBAECF478FA57FB6278151F2C8.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2B52FB37A04BDCBB31AF353A62A764.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF51473FCC7AB45C7A1DBC1763B11ED1C.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
234B

MD5
042d411333f2e67e8d761a1bd7206713

SHA1
c43139243ad64265bebb366a3128d10225703c79

SHA256
7a3628b6ea0ad61b0274a8b0abfe27a0b9b1d24a63bfeab3602e313e24ce5275

SHA512
e8aafbb7b9580fe81a3d355c39a0b0956b71ffd6b93b7e4372417ecd2fbe67f6519599d0c259e0f6e752338ee6a5f300f9912b4876814e72e9862d06baa76570

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
658B

MD5
b8e74af3c6d2b6194bafc006e444d03b

SHA1
d9d92420aa65ac7a9c9992b53a0c26183baebe9d

SHA256
26eb57845f801e098195492c2671045023d731c8ac6c252cf63a78b8228c196a

SHA512
fbd8c12db1343bbd57b331a982ab53ae9608676ceb133a080e46044e444ea2172107413a900aa440de0e05c9804479501e1bcad7dc8939b9375b56cc51ba2fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
210B

MD5
65e461f54bc05ba66464d19d6473db6c

SHA1
0ac06324758b10528c27d715c92172c2b9daeaa8

SHA256
1e2b9800e69a11b334463e0c2994bb2b3ac6b8279d29d8b6629a58269724a0c8

SHA512
49e528198e9a2f3adf9f5a546b33eb8ede7afca04068870ffd0f5005b2473eacc951a8a5072019bdb255316ce51a3b3e27679560d59f1de4458bc06878a20264

Download Submit
C:\Users\Admin\Downloads\Melissa.doc

Filesize
40KB

MD5
4b68fdec8e89b3983ceb5190a2924003

SHA1
45588547dc335d87ea5768512b9f3fc72ffd84a3

SHA256
554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca

SHA512
b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

Download Submit
C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier

Filesize
208B

MD5
f27c5acf452b6a8123583c079af7373a

SHA1
f2dc1fbb364415482f26678fd20ffc078af7c323

SHA256
92e8925c5af069c183a6258367afb036bfd186852985a9fca8af4098a144e6ab

SHA512
2c9cc3ebe5e19070c11ee72d586cc1170ae804482cbdc69a33c4931cfe0b0aa6dc42b5ac94701c8da62144d87bb3c45e10362c75fb3a8a4252b909cc516549c5

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 164165.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 541586.crdownload

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 541586.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 697326.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\eicar_com.zip

Filesize
184B

MD5
6ce6f415d8475545be5ba114f208b0ff

SHA1
d27265074c9eac2e2122ed69294dbc4d7cce9141

SHA256
2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad

SHA512
d9305862fe0bf552718d19db43075d88cffd768974627db60fa1a90a8d45563e035a6449663b8f66aac53791d77f37dbb5035159aa08e69fc473972022f80010

Download Submit
C:\Users\Admin\Downloads\eicar_com.zip:Zone.Identifier

Filesize
101B

MD5
6d8d5714e5765d400dfd2a4e5b325759

SHA1
bee50e3c4c190f8073ae1367d72e4be2cae3893c

SHA256
40ecd5aef9b1ca24049c881a90b31aeafbc38f0741a98785975e60bd3a1951f7

SHA512
1fc49e20ff4b2e413ca77b6b6ac25a9f4f4d5f88cd318173ae84d5fb3d508613e0efe842fbd9af99066973c227a39aa2fe405b5a43f162b410ba3d1ed0cbbe4e

Download Submit
memory/1368-1159-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3176-2349-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3176-2351-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3780-2259-0x0000000000120000-0x0000000000195000-memory.dmp

Filesize
468KB

Download
memory/3780-2257-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3780-2261-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4832-1271-0x00007FF9A7210000-0x00007FF9A7220000-memory.dmp

Filesize
64KB

Download
memory/4832-1268-0x00007FF9A7210000-0x00007FF9A7220000-memory.dmp

Filesize
64KB

Download
memory/4832-1282-0x00007FF9A4830000-0x00007FF9A4840000-memory.dmp

Filesize
64KB

Download
memory/4832-1269-0x00007FF9A7210000-0x00007FF9A7220000-memory.dmp

Filesize
64KB

Download
memory/4832-1270-0x00007FF9A7210000-0x00007FF9A7220000-memory.dmp

Filesize
64KB

Download
memory/4832-1283-0x00007FF9A4830000-0x00007FF9A4840000-memory.dmp

Filesize
64KB

Download
memory/4832-1267-0x00007FF9A7210000-0x00007FF9A7220000-memory.dmp

Filesize
64KB

Download
memory/5096-1147-0x000000001C600000-0x000000001C662000-memory.dmp

Filesize
392KB

Download
memory/5096-1146-0x000000001C4E0000-0x000000001C586000-memory.dmp

Filesize
664KB

Download
memory/5096-1145-0x000000001BF60000-0x000000001C42E000-memory.dmp

Filesize
4.8MB

Download
memory/5428-2338-0x0000000000790000-0x00000000007E6000-memory.dmp

Filesize
344KB

Download
memory/5428-2340-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/5428-2341-0x0000000005220000-0x0000000005228000-memory.dmp

Filesize
32KB

Download
memory/5428-2342-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/5428-2343-0x00000000059D0000-0x00000000059F8000-memory.dmp

Filesize
160KB

Download
memory/5428-2339-0x0000000005B40000-0x00000000060E6000-memory.dmp

Filesize
5.6MB

Download
memory/6040-1574-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download