revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/master/RAT/RevengeRAT[.]exe

Resubmissions

09/08/2024, 14:32

240809-rwb5fa1hkn 10

09/08/2024, 13:52

240809-q6tlssvfkf 10

Analysis

max time kernel
131s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/RAT/RevengeRAT.exe

Score

10^/10

revengerat guest defense_evasion discovery persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000400000002aade-26.dat	revengerat

Downloads MZ/PE file

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe

Executes dropped EXE 4 IoCs

pid	Process
4168	RevengeRAT.exe
4612	RevengeRAT.exe
960	svchost.exe
5028	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
3	0.tcp.ngrok.io
7	raw.githubusercontent.com
8	0.tcp.ngrok.io
3	raw.githubusercontent.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\NDF\{B2FF1D27-2048-43AD-8581-B70C916ECECE}-temp-08092024-1434.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{B2FF1D27-2048-43AD-8581-B70C916ECECE}-temp-08092024-1434.etl	svchost.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4168 set thread context of 3596	4168	RevengeRAT.exe	106
PID 3596 set thread context of 3096	3596	RegSvcs.exe	107
PID 4612 set thread context of 1412	4612	RevengeRAT.exe	111
PID 1412 set thread context of 1420	1412	RegSvcs.exe	112
PID 960 set thread context of 2636	960	svchost.exe	183
PID 2636 set thread context of 2752	2636	RegSvcs.exe	184
PID 5028 set thread context of 3504	5028	svchost.exe	240
PID 3504 set thread context of 1160	3504	RegSvcs.exe	241

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5560	ipconfig.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 544659.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4680	msedge.exe
4680	msedge.exe
4824	identity_helper.exe
4824	identity_helper.exe
1912	msedge.exe
1912	msedge.exe
1412	msedge.exe
1412	msedge.exe
4304	msedge.exe
4304	msedge.exe
1220	msedge.exe
1220	msedge.exe
3608	msedge.exe
3608	msedge.exe
3576	identity_helper.exe
3576	identity_helper.exe
6064	sdiagnhost.exe
6064	sdiagnhost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	RevengeRAT.exe
Token: SeDebugPrivilege	3596	RegSvcs.exe
Token: SeDebugPrivilege	4612	RevengeRAT.exe
Token: SeDebugPrivilege	1412	RegSvcs.exe
Token: SeDebugPrivilege	960	svchost.exe
Token: SeDebugPrivilege	2636	RegSvcs.exe
Token: SeDebugPrivilege	5028	svchost.exe
Token: SeDebugPrivilege	3504	RegSvcs.exe
Token: SeDebugPrivilege	6064	sdiagnhost.exe
Token: SeShutdownPrivilege	4428	svchost.exe
Token: SeCreatePagefilePrivilege	4428	svchost.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
2268	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2836	4680	msedge.exe	80
PID 4680 wrote to memory of 2836	4680	msedge.exe	80
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 5108	4680	msedge.exe	81
PID 4680 wrote to memory of 4644	4680	msedge.exe	82
PID 4680 wrote to memory of 4644	4680	msedge.exe	82
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83
PID 4680 wrote to memory of 1340	4680	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/RAT/RevengeRAT.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe24fe3cb8,0x7ffe24fe3cc8,0x7ffe24fe3cd8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h09vx1jb.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7412.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5736EE1A953F4E04B058BCFEEC2033A0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ah6vefln.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES749E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB765E184DCA74590A5CACBF629387EBA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oy5ro-np.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES750C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE5126A7D9FF246B68313C1AB9A56FB.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmhsynti.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1720C8CA12994F86901F8055E52066F8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1_z2rcr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7625.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2D32F63BCD34E19964EC3CDB21D503E.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\swo2c6ei.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF3671E9E22843F1B7FFA5D97F0FA12.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdliq9va.cmdline"
      4⤵
      PID:3000
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7700.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3994FBD97E6B4964929FD9241CD8102D.TMP"
        5⤵
        
        PID:1412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\elcabvau.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES777D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE8323847C364269957039232DA3A26A.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4c_xgbru.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:668
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc252C7C2E1B4E579E562860A66DC1DD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vi6pfo4i.cmdline"
      4⤵
      PID:1944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7858.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13198D79C4947BCA07FEB7264477A9B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x6z75jsn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF3033FBFA94016BDA24410632F7A72.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\27xjedte.cmdline"
      4⤵
      PID:2816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7923.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1573CEE4DBD4236AF906E9F59411174.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\whvlogiv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7990.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AA6123D8A514A05B88E1CA9754CE011.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5s3hodp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc689340C0C7145DAAB95706893AC5FE6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9w6mgkhk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2768
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D7217564274C248051C79BA29561F8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0dagdnu2.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D8A95DCD5AD494DB33DD7EDADC9B77.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_vzbskxk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61A3E2BDD4914F5498E770755DCC8124.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3a2btffo.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BB3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9854E051B0C143B7847FE17665B838B2.TMP"
        5⤵
        
        PID:4016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\catblix3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBBF3F6A8DC647FDB651B7643EE07E67.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ldtfif-7.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C576282FB464335B92E9DA1C578304C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cku26--a.cmdline"
      4⤵
      PID:2204
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc86E8BDA7EB314ADEA0DD59DBB53BE40.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:896
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4404
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hahde5nd.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8078815CE2FB40C285F4E07496BA38E4.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ejdu2xoj.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4099.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EEC55D33E194A28A2B928EED7E53B0.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lisl8sfk.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7C2520C5C824D80B3D047523F9713E2.TMP"
        7⤵
        
        PID:3000
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsylhk37.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4174.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC11B032579D148B9B85E72773BF75EE6.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owfyqzrb.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70C901FA48A64872831977FB61E51C23.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rpoo3_vd.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES428D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B12411A9E394B1BBA5B233AD8464820.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9qrfo6dn.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37A7B8053D674FAB9282327ACD7CD09F.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3fonfid.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4358.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1CD3923C78E46AEB9C2F9412F4CD61.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\itcjpbqw.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49E9A5732CED4F28AD2AB91C406E35F1.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ln_cppd9.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4433.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD8491727524909BF8071CDC1BF6020.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,6662739182730959233,16569315281850057930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:2832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1652

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4612
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe24fe3cb8,0x7ffe24fe3cc8,0x7ffe24fe3cd8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4880
- C:\Windows\system32\msdt.exe
  -modal "524812" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF7025.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1931412500536475438,1711306046123444942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6064
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1392
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3612
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:5560
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5596
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:5624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5156
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024080914.000\NetworkDiagnostics.debugreport.xml

Filesize
141KB

MD5
85745b85d289f02e7910b3999353aa6f

SHA1
c52b108bf118b21b386888212d92bd9332efbd3d

SHA256
dadea5b3180bde52736f4e112deb2a0e9f267dd992dbee13f79eaa17ea1abfdc

SHA512
32088346b4f94e48c838e4cfbd7e89395e87562dfbb1c978c9dd9199c179e51599fa7ad2327054cca60d6c02d607bda65e916e4eb7728fc9c20c4e14bcfc0bf8

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024080914.000\ResultReport.xml

Filesize
37KB

MD5
dc52fe53a31403eb32ef656e52ad08fe

SHA1
6cd0584e3c13b67defb1927235d84ba02a477302

SHA256
fc9bc2a228d9f674edd387f9ab2688b9379e8bb010fdb8630dae3fb4a22405a8

SHA512
9e4016eb537d4d067f3bc7ddd45d5ff628df320f5932e4b08b9a0948e625fa936f38367fa04671af5db1990450018c65c943d53ed81eb82d0c7cccbd2bfa8a32

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024080914.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eb7fce5e80eadb43c354820bdcecbcb1

SHA1
9dafc5d8194ea4390629c436116826d79630eb27

SHA256
32a4384f1f73f7ef49ce5b8aa6776e211d016b21ed2c68cbe7d89215a0789f6b

SHA512
cd2ce25587c9e3bde2c406771789ee23995b41a36b7a76eed33057d823dccd500787be379483ccde2a11fb65b082fea37db0e5ea12cc1b5a4227636435c336b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1156f28f30c7fc5543f022303b5270ab

SHA1
c87e90fb5c391d6e222a4c767a8fefbe7ceab256

SHA256
fce9f52683f4e416708f138aab902bf3a9719270e12f30c5af266132820a9554

SHA512
6680ea4610e4ea928ca02234f843534d5b5c600f8f01102c2966c3cddbb50c3c2cbbc41d20457422e2cf3c5e9e5ac27d4f20642b32803536fd8e877cfdc06fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
87349acd9c0e035f76ba612e8c1be714

SHA1
9b13d20d87cca447957d75703d7a3af60c21463d

SHA256
ffe70f4079fd6e5852defbf134511d66279ad9476d580b0db66cbec1981c6255

SHA512
a740b84a6d9d9396023c44489d44266a3c6f0a77c311055acd6197489e25db6702e852f1a0f2c2a07547d8eaf2f3012d6d893a7435ab19d9b71b65becc6ca835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b1880feafe51b1fa692730d0380438c0

SHA1
cfcb999b20b1f67652705c59ffc35be7547d13f1

SHA256
cea4a8b94c6c48ee2774e953476719cec73f08a2a09780aaa402a4a29fce1763

SHA512
90f5d19af99be44ee61fd1d3a6e8acda846faa148a757b09393220d993966725c4052c4d05f588d7f460c0039bd12f8e2df02fa004dbbe0297ea27449a242104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c80608506c60bdb6a798f1df974ebc2

SHA1
463d711c62ca8513d0af137b48dbd1233bdd80cc

SHA256
de29b3ee3fb316719fcb1050721963f48ed86418b66052276ff6d5464d49c8b5

SHA512
02f1554d1788b694201ee145c5805bf88267faf52c30bae970c5d1104b68ef7a8c63f19fdc1dbebe47443df3556a6beed9c94206c973b6c7f89b57cadfb0ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
90939131baffc803707971dceb31e93f

SHA1
d73597dae2fffe6830d1c2cb126bbb5f288850a5

SHA256
bc45547885349cfce617c27069c6a578ccfccaaa0d2948d2088d3cfdc19a9d9d

SHA512
433159a42a55fd836bb4f2184f555e530a2a081aa48eeb90319a08239d58ea9c1fdfb32dabfdce793e8550cc5236bbdb5af2b5dd91029856d51e9dd1f34af06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c843c647152d4c1a09f78cade80d670

SHA1
221cb9f179214529c314e5d174d30940f9a10df4

SHA256
67ec2efee0d3774190474ea2a9fad916263504b07fba9e04f37505e1fb536894

SHA512
08e20bbfcce5c0d4d3bbef8f5c7dbe5c3d4f6f2d4a6f04e2d4b5967fa00d979fb17c68989cf9310f43575b9337d150939551687ddc5d4c645e68bd331b15f4c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76990ea36fcf44a240711377c37fa355

SHA1
d0e789dc5c720b58338a3185308ec2b6a9ecfb33

SHA256
acd63c502998382216b8e0c3212fb1ea93f24017ed3329c37de41cbd1d9f35a8

SHA512
925b32d5c4d8726cde623e6c6abe00e4657c0e7a240af479222a74d07a5537cf3645563995c0c6634fb7bc69a1da582509ca33bd5fc8a6b198b0bc573c9b814a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c0fd744fd2596d3bac5bb82c223a69a6

SHA1
fc67afbce41926d96d0ae3f08e26550ba5a6d6eb

SHA256
b005881986a1eff3a678d607eca5fbca82a3b76a84956f903149e32a3f08cf8c

SHA512
afdd95b08734124cb73715a105c0ac5d318e31c901d5c6a1a93a9fd43c57b2578c1356fc758a6bc8573795078e1bd55ad89fb189af27d138e96d0c448109ec6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ae10329f8e3f641e455ea39a5f8770b

SHA1
6635d7e57d41e8c8f7f59901fa852e302b8d9654

SHA256
f42a69cadb4cbc09001c0bdabf65e8c378389141f27c18c61404cc7e12548f63

SHA512
ebfcb8680846a9cb0164242b4fde3dccae714622e3de26af4bd5bd471dd3bfd0a5e0cd5919825ce601b02697dedf12b9d4e3a5f4aca8a32f24cf8ebfed5cc16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f17be27049df78505cf6dbe447025fc

SHA1
37ed019e455dae7ac9bd6f17f9172247d1e5177f

SHA256
2a5ad4dd547ec3e84ccaa8013f607b64364c84d07e1c71dc54e3a47a0d6018dc

SHA512
74f3bae686912fae501c386ee1051615fa6c1638432402660830a5751c06ca96319f9e83c276262574e799f461f0b04a0df6531e9141bafd0994b1dc39987206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
10018968c418b0e3d691404ea4dc2e6b

SHA1
3938b638ff8d849f76a3afb4d2128a1c31f82770

SHA256
7f184a28f7526c80ad00fbc09278008bd8f8006fc6d46133816aa7f137a4c094

SHA512
f1ffb82db9c451a82aaf29d3b9af2f4435924c88dd30b96d28ee7563bf2c233e6d09da711d32d7ac26419042281a48ec8a3263aa287989d02b7f744bd9040711

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c_xgbru.0.vb

Filesize
375B

MD5
085f35c737b484465e1799359126ee1c

SHA1
f51feaf15af726cb9cbc151cd86b9913e428abcb

SHA256
940fb15c66dc34a66b192569ec3588a11285af4f7230c27d54191dcff5dd5b1e

SHA512
8314ec82f79a6dbd1e946be25984635c149ef6689e33d8010680f5bdf3bc8803bc14d8dbaa92717fec261d7f27e8f87384478130c3fe5ee37f3ec84fa2bf1402

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c_xgbru.cmdline

Filesize
265B

MD5
79c0ddf8e15fc9135d5889c7099f48a2

SHA1
c3961b6c09e0bf4bd3a1a969c33036cf3fb75ba1

SHA256
1b849d0a15b2dffa84ab9299883cd23f95e2e1a04cf14256dc5b3aaf7e81cdca

SHA512
5f06184a250bb4c5ede25238657857acf1cb619c8bc7d387e2bf45084d38b5eab0b11033e878f6dc86056c630029554815db292e517798b18acdb2e0922d2022

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7412.tmp

Filesize
5KB

MD5
2a5b2c6f84bcaad1ce5991cc78b7ef49

SHA1
7a6ef657ade080a68859d18023fe53b921ea6942

SHA256
522d0d671a26a2819001a45a6f64f7aeb38cedb68e19daed64b79e223dfbe247

SHA512
23dce423c9013532b481c2b734c3f99c58246223389d0035af20a5d2b88c0d2bc53ac418edb80664f467980a5bb27bf9c74e5dc0c15301b72e4f57f8f0c398ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES749E.tmp

Filesize
5KB

MD5
a7fb5bb85497ffdc75ae1a746c4af048

SHA1
0eaccfb94de9b1ca27614c1f05af176e373c70fa

SHA256
443c312e811adc0250a3840dc83d436d08b19bc6993fffaa33ace7b8b8912f0d

SHA512
8ff8d84a0464a9e30362b847941bf1d2ac7c82b0f8d53c1b210c18cbe82755473cd432b8225f1e3a0a785d35d41e108534dbbaeecfd3417dda043538e22e596b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES750C.tmp

Filesize
5KB

MD5
9abe877e8c7037ca19519b12aa110d51

SHA1
948f22f4c1083644b6d4b3813016c5fb548a7497

SHA256
2d4ae3e9ead00a8a9cda5be361cea5e253b462ace020bed0610d644aa77f8b36

SHA512
b92674fa10510e8c891fb5dc9b626d0bc2a4911799d200916a4a3c40e8989e04df59eda23260b98fa819e0088fe3f3606ad65828c83b883fa06ca82f73bca441

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7579.tmp

Filesize
5KB

MD5
401b2c8fa06b0d27f81a63069a8b0d67

SHA1
01f9b32f1018fcdcc27eeb92650406d44b6b6a97

SHA256
8e160c8e0b90c7199469984cd784ac6c213be88a224e92727a3e82d1ea3923d4

SHA512
e486beea49bc90decec0f3660536686f3d08a64ef6cb4e20ae4ddd9b2445743e2ae8a2ec996584da861813e10418a6c499fd21ef3591aa39027a47563b8cda6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7625.tmp

Filesize
5KB

MD5
fc1f56c94249ae29e84152ce209634ae

SHA1
c40add5949dd76d46b507f6366e4a98ee67fbfd6

SHA256
588bbe284bff57152efc379f383001ad86af2421e3204180663522081114b386

SHA512
4f0b5dd6524b29a7586638c2b41e95d3f8ed35143216188998c91321225a28249945858a328c0e10ffc6f3aa09fa532cb2844e57701dd7e583a7d5dddeece62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES76A2.tmp

Filesize
5KB

MD5
5b8c6c0247794911eb0694750ad9e142

SHA1
6a006d39efbabd35370f3a3fb8efd729199172ea

SHA256
e24c16ddb7e4144800ba163a85927ff672fe224a9c9a4992fc4eb662a619c38a

SHA512
3521f2f2f33cd3bd11ecb02958609e26c9ab6d6008f434a53369514df20b6a6a341e18c9d25ef2b9cced0814793a8e2ab54ce4471eae83c574031f32fd76c89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7700.tmp

Filesize
5KB

MD5
a1d5da7d8f037045fc155676a0d1f261

SHA1
901b6458631ac4e96b3438167829d0c36f8ac70d

SHA256
e65161d4a5b839996a92634e227c4a0483f5aba1b5fd2aeecdeff9afa8c730b1

SHA512
eef2997a32d0e4a8f00cd761a7ec81175dd3d22201cb8b92176afdc1b8cfd3b61aefdd791da05510a3ec952193f020ec69c3ee73c6b9b36d84413e92ffee6c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES777D.tmp

Filesize
5KB

MD5
3854c0e57b7f82ec4cd6dd636279da81

SHA1
8f6464e67ee3f2c683d81f77ad882b5b290c6730

SHA256
fb525ff4175f316fff9f4178cf809938ec43b58412596208a66bb6974e235f69

SHA512
132b761b436b200df15da758ee7c98fbd6befc98238d9894b1e3fb204f620489803ed68176fd203ab4a8ac18882bf25f2a63dae71c1573bda0c96a26e21516dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkcdk2ph.qj1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah6vefln.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ah6vefln.cmdline

Filesize
224B

MD5
98c7a837b18bb4913b6e39c1e0064db7

SHA1
c56d0f866db7591c0156e95ffbdc617fc05c8f8d

SHA256
45f32848654789384d67ac5bd5ef3adb95d056f00843138ae62158eb314d0fc3

SHA512
b546ca71842e000a959d6319bd79d14ff97aa359e27c910f41d030c5b9dfeecb56eef207bd45d81f43c522b0ebb8ea4eccee4d037cce7cfba124c89c1ee7ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\elcabvau.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\elcabvau.cmdline

Filesize
267B

MD5
56ae40a0e78ce9f2ab35067e8012a435

SHA1
2b9f48b5446748d47c92335266866e46fba40a8b

SHA256
1059daa6542d4872d499506e8ceaa25e26def5e0b72292bdaaf5bef43b8c4174

SHA512
4cdfb9fa3f86d3315819db2416eb0ce4e198614b424d45f63f799319ce3fdbf17445fe8022b43dcf5823e742d95dbc7ec97cf327b7d1bfcc8cdb6d2f3c0cf325

Download Submit
C:\Users\Admin\AppData\Local\Temp\h09vx1jb.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\h09vx1jb.cmdline

Filesize
253B

MD5
a26eb7f8edf2b582d2d662c526b6a268

SHA1
ce500ed33fec5a216583cac9ddf53d141a36399f

SHA256
9e2527612682dc6f026837573655509e180c7db75ccc3096b8a1512072ed39d3

SHA512
09025ef5349c72de8ba8f8d9d7f75711f68d578aaabfadc89e96d1841b6646a717b165f48938a7457ddb4be310fe49da98f852ddb1cfd3f22a731672b7b61cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1_z2rcr.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1_z2rcr.cmdline

Filesize
261B

MD5
6b3d41b40d8dccaf98e9cb72de1e1bc4

SHA1
6db0653bb3a34bd0e35d0f8b1606ac5856474b06

SHA256
18ae4e5671af9f47af6534aa7f50ad9f14c0f14bb90f0ac3e26a2ff8af460e97

SHA512
09c87d2c6d1811e22c33069ffaf676e268b4706b9c55be861aab4afb5feae9d77aede6997827f867b2249617b8bd1212a76db4a78aeb4c760cd4cafad43d3fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdliq9va.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdliq9va.cmdline

Filesize
261B

MD5
0d0c4a0c5e2e4324fdbcf019a6544560

SHA1
2aeb064244455a731cc40d20d5118389c7466597

SHA256
c1281d59333cc16bcbaf7106632949a85154cfa61fd831e6a1a9d8975ec7a83e

SHA512
bb77e6956d66ad1085c9df468c8833d93f767667f47792514e31c6a72ddd70e7049a2e8b13b57d7901dd0e2b544b1a4b6932f61ef5288d810443915eee2ccced

Download Submit
C:\Users\Admin\AppData\Local\Temp\oy5ro-np.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\oy5ro-np.cmdline

Filesize
253B

MD5
31e4b3cbd91194c4e65a87802a15145e

SHA1
8199234b797cad99f5db84dbc7f87bc6c452dfa3

SHA256
23999d238716e0d23643084fbff901ea0351c7987246a73a5e21a9671c277cca

SHA512
e417a460a12266f83f7f99ed323d6b315d46f36a1625d7249a1cfaff1687fb48bf29f26ce9195b41cb16b6cd74cc784ef7a70a5333c540433fdc9c003a596145

Download Submit
C:\Users\Admin\AppData\Local\Temp\swo2c6ei.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\swo2c6ei.cmdline

Filesize
267B

MD5
d69eb4792c8faa291caaaf3da458dc0a

SHA1
3015937c6cc474b8c36f4407a3644a7ba222ca74

SHA256
978b39c2b1ec6a3a928c5fd5628cdf064ccc3c3f079eb5bbe58003af8c8c019c

SHA512
79836d38c11f634c920962de3b376195009801b60a45dd24e1b6cb6ccb929d023d2311d4f7ca6f5a6002469c1e6b9bdbcecb3204641556d5e05c643938482816

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1720C8CA12994F86901F8055E52066F8.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3994FBD97E6B4964929FD9241CD8102D.TMP

Filesize
5KB

MD5
d0700df86922f8822ee8cf4dc28769af

SHA1
80c24d2ad4d0add576cc97c608644dfdf9d0444e

SHA256
ff1ca342c6c1c86e58276a9c7a36e06cc300c8a566a57dc6e62831dc3d84c3ef

SHA512
721eae27ddee0305b5b5a07a8c8c2cacc2e44e11f032597d74d78e8979bddc51b74e4c1f700e74baff9eec4cf064bf97e58936ab6d69541f3a609c19f4dd7b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5736EE1A953F4E04B058BCFEEC2033A0.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70C901FA48A64872831977FB61E51C23.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB2D32F63BCD34E19964EC3CDB21D503E.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB765E184DCA74590A5CACBF629387EBA.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBE8323847C364269957039232DA3A26A.TMP

Filesize
5KB

MD5
12709a9ce7122fd789256103eebaee0d

SHA1
a4ad85d03d56f31da215284fedc0a96ca02a0c65

SHA256
9753ea5ce1bef84c96a49bc4cf5d96e3b9195932d7209d3acf949b8adaa80278

SHA512
a7764fb031270b6da3c4aba217221c4aca7e8acd6fa5c34217cc4650fbd35543e47a44f7c884dde076c23e66279386a0cf2e908c7cec37a1cd5237e4bee3c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC11B032579D148B9B85E72773BF75EE6.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE5126A7D9FF246B68313C1AB9A56FB.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF1CD3923C78E46AEB9C2F9412F4CD61.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF3671E9E22843F1B7FFA5D97F0FA12.TMP

Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmhsynti.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmhsynti.cmdline

Filesize
224B

MD5
0c9b28709fab03befe94b015d45587ae

SHA1
01f89f789872c959eac02b53bda1fb845b8bdeb4

SHA256
f451a0ccaa8abb334cec36c3b41f714131818602a72b308bd77cc3e3a17f603e

SHA512
e4fbad516ef2160368d0e10484b08d433936bb33dcfaaad94445f3d125bcf66f93ce44254ee29c3489bf9c26c2a931ab2e7ae43e570cf99198005d140f05e771

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
121B

MD5
442c58f9d577ac49ec2ed727fef72fea

SHA1
419d84b1892236bb1a790909b23f5d2c6584bfef

SHA256
96002dae40c3f5f7b0b0ba7a0e1c70557d8704a271d07f8a60bdfefdf6ac177d

SHA512
823f196f94080926ce4272b30e5764e2bae80acfb6e765d85cd9ab5b3ee9f49438b70b764ae421b6d73cd9fdd6cc642a94e321bbf92f32e19098011da18f4e4e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 544659.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Windows\Temp\SDIAG_9e1f920b-c7ee-4382-9b64-2de9d1a9d23f\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_9e1f920b-c7ee-4382-9b64-2de9d1a9d23f\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
C:\Windows\Temp\SDIAG_9e1f920b-c7ee-4382-9b64-2de9d1a9d23f\result\B2FF1D27-2048-43AD-8581-B70C916ECECE.Diagnose.Admin.0.etl

Filesize
192KB

MD5
68be0d52b4bbcd468fb605f672e3bc03

SHA1
a8918b392522ac417070a48a93757d3d323f1711

SHA256
d0aecd1e719cf4f147f1928ac24e63941349c4c5d81d2fa603d82c96f68202c8

SHA512
bb15440388e683016fc812d689b7561434d6847246c7bed3804eac500825d95426f17c3c17eae58d4c3dbe6317c0ff841f7c8f164042bce94879b124d7d23a5f

Download Submit
C:\Windows\Temp\SDIAG_9e1f920b-c7ee-4382-9b64-2de9d1a9d23f\result\NetworkConfiguration.cab

Filesize
1KB

MD5
af3db86633241ecec99c7232124beadf

SHA1
1f2de5cb9eff58cbbcb160bfd416a16ac0039b5c

SHA256
aa266bb7f0641111a912f7703d0f7bc3d5a6ba47ab97659a3e186d4c72853984

SHA512
40a521adb7a1d2e37495e484a0d67ff817e8a74dddc07b70803412052ce603fb6682824c535211599b26fffa1dcb45dfe0d1d68c844103cc77c6b69533548c2a

Download Submit
memory/3096-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3596-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4168-67-0x000000001C0D0000-0x000000001C59E000-memory.dmp

Filesize
4.8MB

Download
memory/4168-68-0x000000001C5A0000-0x000000001C646000-memory.dmp

Filesize
664KB

Download
memory/4168-69-0x000000001C6C0000-0x000000001C722000-memory.dmp

Filesize
392KB

Download
memory/4428-1030-0x00000252D1440000-0x00000252D1450000-memory.dmp

Filesize
64KB

Download
memory/4428-1034-0x00000252D1900000-0x00000252D1901000-memory.dmp

Filesize
4KB

Download
memory/4428-1026-0x00000252D1400000-0x00000252D1410000-memory.dmp

Filesize
64KB

Download
memory/6064-1005-0x0000023C2CFF0000-0x0000023C2D012000-memory.dmp

Filesize
136KB

Download