revengerat | hxxp://rep

Analysis

max time kernel
164s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
24-08-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://rep

Score

10^/10

revengerat guest defense_evasion discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000400000002abd3-459.dat	revengerat

Downloads MZ/PE file

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 1 IoCs

pid	Process
1136	RevengeRAT.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Downloads\\RevengeRAT.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
60	raw.githubusercontent.com
61	0.tcp.ngrok.io
62	0.tcp.ngrok.io
38	0.tcp.ngrok.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 1440	1136	RevengeRAT.exe	113
PID 1440 set thread context of 784	1440	RegSvcs.exe	114

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{4BEDA98D-BBA8-4062-921D-06FBA3978849}	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 403202.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1880	msedge.exe
1880	msedge.exe
1016	msedge.exe
1016	msedge.exe
4568	identity_helper.exe
4568	identity_helper.exe
1848	msedge.exe
1848	msedge.exe
5060	msedge.exe
5060	msedge.exe
4772	msedge.exe
4772	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	RevengeRAT.exe
Token: SeDebugPrivilege	1440	RegSvcs.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2812	1016	msedge.exe	80
PID 1016 wrote to memory of 2812	1016	msedge.exe	80
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1616	1016	msedge.exe	81
PID 1016 wrote to memory of 1880	1016	msedge.exe	82
PID 1016 wrote to memory of 1880	1016	msedge.exe	82
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83
PID 1016 wrote to memory of 4680	1016	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://rep
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49bd3cb8,0x7ffa49bd3cc8,0x7ffa49bd3cd8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee0sscix.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3852
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F27.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF9A4F8DE9B4901A519AEED6E12F4DC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_lqyulgh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:580
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD64EFAB9BB7D420BBA76D5F1C06DCC74.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcpwe2pi.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES904F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc430A487548DB42D69775A0FF9C8B8BE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g2twjjiv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F31BF785F29455C99A17D435BC9DA9A.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\02_ljvu9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2436
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9169.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAA075D6D226449588486BD2F8578AB7.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\crwljws9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4612
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89AC6F324B44389EEB7F854E2BDCE2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fm2yflz8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9263.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF65F92321EA42C0823D1D879592DCFA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u7imdaws.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B0377AEAB844E2393D2FEAA90A334F8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oshehyda.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES933D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABABA9EE73AB4067A75F5F84D138C33.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pdgkxi2u.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES939B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF209A326E074B0B9D67B0EEB16443B4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zydgcjkf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9409.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc90B8718770054CB9BC20B77348A4462.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\msi5d8a5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9476.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCCB9AB019F44EBAAB69D28A68AAFEC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nlbmcw00.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9096A7FF89264B9AA2877501C13DFF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmqlkmvi.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2396
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9560.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBE49B2ED6117445392B3158F7143B285.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbp3cbv3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A27CDF3764D4D95B913CCBD1E989542.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sf9adrz9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3120
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES963B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5106FE5916F42C09B4DE1D057E22E6D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-k2g6y_u.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96B8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BD646BFB1C94AC3A74977F9C63AFBB8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvv6yxt4.cmdline"
      4⤵
      PID:2568
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9716.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc672A232E4C84B50B76CF23035E4A6F6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ogbwnsrz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9774.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EE04520B0DD466797BE68B353BDB499.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dp2dgcwt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:740
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8299FA9BBA34F5FBEECA0CC21625DA0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lmaix6-i.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1848
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES987D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FBBF304828848B0AE3AAB436EA83DA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:932
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\Downloads\RevengeRAT.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\puq0nf8m.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc431453E2B2448399092746F999757D3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-8bjxbsd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1EE19B01BA544D48B7433481ED1434F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smy51xm5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D9B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50462D822C0F4CEEB1501A4AD08751BF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\egckywom.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc811168BA62624890AEE59CC9505B86C8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d23e_zcg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc745419D5FCD40C59B6187BBCF60CA43.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncrgttfk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3224
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E652B17975F46C78DEB62DBCA13EBA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ibno6lr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3932
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95ADF3B4359C4E4893F0CB2B4915A8DD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v2wfehg7.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES206A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc378EC80FEC4644FCB566F9BCB20AF54.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yrw47ggo.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc196D564BBBA14A82AE6E2F90E42AD243.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4woffrhr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3524
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2174.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98B7B99BE60D45828765E2C97D9A5E0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9862190682759328015,1580279225325783909,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
20bc92d3d55fb57eabc91b3db5bbd157

SHA1
8e82ec264040239c09d7be862a4577ec1f3ad230

SHA256
c0693a31cf8fab066c04c9eaa57db975f22b33573ac8f2bda4f54e5e302c1a54

SHA512
2b127dd21c3d50c2c3c95b36523bf07346ef31f8a72c847c8bd000f51080cae78d09c64afbfe6acce05afc7f8595c3718f775a00389fc6f7ef1e967c99fb3a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d72954f6ccbcbaeaaaa6714d207f6d97

SHA1
b7790821854d318101d75776fddae7e58dae487c

SHA256
a51dfbe4466bcfbc3ebcb06508b7dd83981f4660801bf916548929ec35f1d0f6

SHA512
e72e39e15957736f2755adc6c9b0fb7d0852c67400beb215a1cbc30837fe4a0f5b0bd28d4fff9af7cebb6e53549e19a9e29ddc4fe7bb0340c6d3cd8cb2be1086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
879B

MD5
f2380ce6306907fa2cc803f3b2e52a78

SHA1
54191ad11c47f2437175db293e32bfa9f7d42bf4

SHA256
360c760c1fa0386caa7658032367d6b15ca07a243584c4c93f30fe4ba09357f9

SHA512
d9ed36644f8d766f1d271dbe6117a87a3acd0aced0a7c9d06bfa75fa49326f82f900a42d78c226f45cdca778c218fb03f31d343ef538635b4aad449e45978bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
8691e9bdcb8887814f4ddb146bd5ba35

SHA1
874acfaf556b8e8df5d08ec3b52c975e16cce901

SHA256
17295cdf75e2b65113e565800b4be2db92aa3c55cbe22d380d3399b2210992ee

SHA512
e4453f0e133325558a19ed6efe4df96d2aecc8cd809582054f5cbdda76b2ad33449e8af539e06bff9204589a97211c398d13cb8bbf81378f14a85a71faf98dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43270e7094ca9b0ce76fbfe7d1738ee1

SHA1
f571ece92fa9640bd04a822636b0da5d7b73002f

SHA256
d507df813fa6f15aaf96173b59217005c8f932f2d1e4e869f11e950f9947af28

SHA512
cc8cc1d699d06ba025f5644275dac9372611283e034f6e6c9310e50ab4f9cf8e2032774ad19225efaa2d74279cd4f862ff711df955b222e6de9f85de580787eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de445953e1a0a593e15570c3d7b0c1fd

SHA1
53710b352a7c2cbbd3ac53d036f705cdf87c3154

SHA256
8ee222b996e0d267e8115c7747d06e0dcd792ae1da13d679ff3be3960dac428f

SHA512
850b6af02c51077b41b03b4b1fb01c6e0709f4e124b67cd33690e8bce77a58b2e43032cf1d1fd8228531de02c1bafaafd154f4e8085c46b2807f4d0f96bdecb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
938531d7160c49e58b5fa87fecb900ed

SHA1
19bed8941c2f59d8b60c760ac8b5660ef5e088ab

SHA256
f4cb193a92e0ac973af0a752e265d664a43129c3cf86541ba7328eeee9dea5b6

SHA512
b7462f4511dd44cd71c11a353f39ad7581acc1d1c8ff8a70f3fc9ba95827e29e7452bbf2b6d21f0ab9f6c31715121965f38e3d2e2bed13b3d38e38fae246c3eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8aff7e8df5263bdc5a33f91faac45fcb

SHA1
f64cd13ba45fc670714d00335b742dd757c1297f

SHA256
ccc48838c13b5d3ba3f08c79223eb4fef6fa8d3a57e007ea9f36aa5300520b6a

SHA512
3fd7a40386815d6202e63167ffe8b8e7158aaf1acf5960b89090672f86763f41a8b8c0d417799b4c5c86faf27c3507c67bbc7bbb6e044d7ad9dfab51500fb275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
244e33555c7fcfaeaf2764f3f69f6444

SHA1
16acb604decd11900f58074da52158381b8011c3

SHA256
4401293c65d824a0b473a9ddc081d784b5800faa3537748ea9d478ff23a8d14f

SHA512
77f4f50f6273cbb9507c2601cf4f3b9b153ad369001187803a8a33def270eca7bae344def0dae310cdadeb379aaa488a8b3bf059c8c3e820b3ca655daef8f1d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f61951031bfd8198d95c76b35429aec

SHA1
ce059f5e923f85a1663a29f611834b384b061a0c

SHA256
431e58dc67dd465d17c90ef9f7f58dc4b0d83d4cfa60c9ac725c8bf7f39926fd

SHA512
56e07676dcca974e7b7cd1ab033d769d2a2d60f204c8337028f442b10e29ba788ca212b3a7a8982c62f2ef5e80af11f8fe100c0af55cc414cc97b53f46cd5037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
746dc7e5796a1eaed594661864f1635f

SHA1
224d76ef0822df45c8af4d16c9a0a514e5b228c8

SHA256
d1aadfa572ff0ef63b43ba8bc3857e558095c0a7afb3e5c03873d46d8c3bde0c

SHA512
75322615b08cd869044b543740911360ba4eb5b595d672414ced65032b94977018a36fb537ff7a6efc12a2e3a8d8f4b614f5648badd7cdaad3d842bedfd446a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d9d1.TMP

Filesize
1KB

MD5
a7c8ae33c59897085cd737d215e5fb75

SHA1
9289b63c4fa6047dec1236e13219bdc6f2c9ff48

SHA256
93a0419c8b694b6db79074b444c7eefdb37905e9ef9535b634d5a456d12b1850

SHA512
8cf4007060a269b3237e5e00e3660cd71a705be237def656ae19f9ac76374c3e634f5fcd5bd754496617e135d6bc3a1aa8312015d210558f3f478bfe557a277f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a3373944464aabef5082619107ec02c

SHA1
c3f7ddfb027d36eb11d18dd2df6be5164d1f3738

SHA256
690b8e18895addc746c847f73511f97313d4131bc5b6e81a359b3e1ec0aed93f

SHA512
1f69d004a974efd09104c4a596e4a7dacca87ccf0161e9ce45f742604a830629053d012eb4934dd439d3fae3d2268bd85997f67f993108b9c0a5e47a0124a109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40a1b43336915bb2024fa5e30de1d29e

SHA1
959375d9bca9c958fdec7fb1a7484557c0c3b4ca

SHA256
1648cece3ad7c1f75393727b386e766e6158a13e1d4f7b79784b6d0d48b68d12

SHA512
e6c9ccb699f54075d8b4c35d523b5176e9f4177e421938b21cff954a275092da199e1c9d4fc625454571a432ea95656d155b2d444a109732c2716b759f2ef9cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71fdcaeafe7622163f7d7c7f78e3ae38

SHA1
884d32b8d3660f4072f5f9621a773b2dcdaff0b4

SHA256
d6bef6d6c30f5e3ff27035844bb7215f11b13c1cdb081910adb75235bea3fe7a

SHA512
d72eccaef8b20107eb8f80aacac9c9ccaac4688c7b727d62e18497b937a8000cfad1057b0992dfe235debb283ba5f9158f1fc6264cea49e0698fc3e2c55d6c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\02_ljvu9.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\02_ljvu9.cmdline

Filesize
261B

MD5
4536e249490a3dc2586cc3a6069dccc9

SHA1
6582e78b59a0a70c88266bce04cde9f1b0380d79

SHA256
46c97d0be6bb092bc2e4aec5b178f358664ade45557c47017123908820ed97e8

SHA512
49445835f872882a2376668a97e3e37115912adb9e67eabb72bf07fb28869b6e7b364daf547af93a0ad8415bc50c481d72384e89b7c0d15c3246800c9b7bdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F27.tmp

Filesize
5KB

MD5
59a9ad2720aeee00db0efd0cce2c81fc

SHA1
e11740a3c343c076367c4a5ab20a507873d515a5

SHA256
cbeb5fd13cc2aa5199fda12c5e1c0d80709f1005ca63601516e7f83466e2ca34

SHA512
18cefe28da1d6aae70e3a1588e4b2ee27d9a402cbb7a2544710242aeb056797a2acbc0c954a569a0abea21f02c86a53b36433de5d9a5c879b902cc559371c3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FC3.tmp

Filesize
5KB

MD5
0956e46ec33887e504741a1d95628681

SHA1
4c41b37bb72513603cacbac6dcbd190ae4ca0131

SHA256
132ee3d6a548a9d05880a56793c8f19db5a4fcee8310c2733ed9c365199a137f

SHA512
1091a6f5b93bdae54f8fc704590cd74a6572f44d339d5979e46b240354471d8f74b859f12cb15acb5f5cef31d5c2a446dbb86f67551440081884e859a9a717f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES904F.tmp

Filesize
5KB

MD5
7f7ff3df1f7ea71c1a6f0e2072bb3341

SHA1
563f58f87af6d829b007fd7e7a497749f664ad51

SHA256
2e70f32c7c1e47eb849d1efe541828501f73977319beab70bfb8a91c235da790

SHA512
f3d90199149298ef93d423724071843f39b0de37b99abf8ba16f938a6c968e394cc6092f21d81e9a823a307847135e19d41ccbda9de27257d6175242cc9d046c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90BD.tmp

Filesize
5KB

MD5
f2365ef117f7b64ee4f850a70239bb31

SHA1
73b9bf5c2c80f129126a9d05dcc9c7498517555b

SHA256
8d85596e29e30ebc46ed03e877bff4f3664b92cf6d6443a1f6b5820d388f68ab

SHA512
96996433d19ef930befcccdd135907471ec66f5b98103633da0b40c456b23bddb19a8e810f5cf8ecbc9e5b673d7b64a1d7a7b4de8ab4eb9402831183686e8d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9169.tmp

Filesize
5KB

MD5
78df9b31ceffa97c7983e842aa466725

SHA1
0883b1ef42f09275fd023307b45b415463e1e286

SHA256
73d9b10f526e9195ecdec47651946db28d3d5d8731c830e49380e899b90136e5

SHA512
62c891d595c6c4ff31f6847c326f0ab2755dc13211ffb2e810650bcb7f78f54d6acd12149b66443315f76ac58731f2abcde8680360714ed865dde431b3e13daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91E6.tmp

Filesize
5KB

MD5
71922591e89b345f5ea146c018d06e77

SHA1
054fa81931efce31adbab7c54427f4f5547c1cce

SHA256
bf9a9dcd4b3cf28dd6cdd4a749209193b763376863df9b1eae162b6d07fa49d1

SHA512
c63aa986d61b49f79b1137777f28f587b0b31d341b0dc96aab4a5bde6a30d81a330d285c077973f4b4e5efe4ff4c94a8d22a4df07122d7a38a58229262790ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9263.tmp

Filesize
5KB

MD5
fd215a8ef25c28c947ddea835211d0b6

SHA1
a6a25fb788b7ea5734df808a8311458893f4dc26

SHA256
a7ca7835326268aa28a9438ec6dbfcca9a6baab8d44a0449b50455013232b215

SHA512
624d44c9eefac915ee54b9bf6ec3214aeda3448c0fa889fafe52c843a69150974077363cf29aee6f2f78df3b3098d98e0eafe777441747e417498f81e3574a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_lqyulgh.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_lqyulgh.cmdline

Filesize
224B

MD5
08d5d6ad55eb8a9752ada05f31237e90

SHA1
d7b659c9a8dc80cbd54e50b427d15052a7d9d471

SHA256
c0e67499cc9d723f690da563e600535e102499f743d9a10f0959be63fac2979e

SHA512
2484801cd825340260786000bf545fc26ee15338e34c10ef0ab04e33151e8557bdb8fb6e109cc864d7c2eecbe2368b82327d0afdc7c8733683633461744d684c

Download Submit
C:\Users\Admin\AppData\Local\Temp\crwljws9.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\crwljws9.cmdline

Filesize
267B

MD5
74eb950da7711481d636f1c42bef8b3a

SHA1
6767d3fa5b481b7956a000afb94dd961f1c166a9

SHA256
54bd57c7d39b5a84903603fef14f955121e9324ec5dd3fdb267e55d3dadbc04e

SHA512
fb0fc42688cc9c5a512b2f56bdb0cd9c395ec695da561d8a8c8aff31492a627b2a7fb8fa0e0e15021361b44c101928fb559178f4f242c4421077651fe75a3a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcpwe2pi.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcpwe2pi.cmdline

Filesize
253B

MD5
05df680a27882806987b88657514bfd0

SHA1
6941589658f6793556e1f6b4afd24e7ff12b6201

SHA256
4c5d4971f89cd28f28fad424424e4856ec0fd53cdb16dcca2438a52d43649583

SHA512
b58c713926fdff4be6ba01a8f2b7e5db4e67ba163bc871d325be88cc1942adf13b7e484bc905f6385e0fb027e82aaccf8de0a7385ba33c51af8692029fea3bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee0sscix.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee0sscix.cmdline

Filesize
253B

MD5
91b3d34807ead0f9d55fd9f6ecd6279d

SHA1
24e39a54278b956083a07d5d3f94f6705c0d65c2

SHA256
22a990c073ac1ec77fe5858ec373faec35f302bd1e5c14f35abbb0ceb562f778

SHA512
ceda22393fbbeb7e4f3cd25711a31e0ba86b05eec2f2f6a532837bb2ad61c8a57cadf9ba8c1261add6e231c14d8a610345c2777f3d30b278299d070dc1580da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fm2yflz8.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\fm2yflz8.cmdline

Filesize
261B

MD5
de886dab954909318f0a97de57f19111

SHA1
704b9fa038e2ec4351c07756e306bc5ccde544e6

SHA256
895f40da6b81ace95d8efad4fed1dd54f7d3118b158e17e039bbdb9c95600af2

SHA512
52250ccad18f2b75aa18bb3c18e404c872e660346bb9b66c4798ff7191bf03f14e0d638b2d17df3f5fd6435fab74751f3d2ea5f85b69720bce3490a89fe0a850

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2twjjiv.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\g2twjjiv.cmdline

Filesize
224B

MD5
3d1dd5fe9da8905e766778afcbbf530e

SHA1
40dd2a957623921bd7dd3662b70c9b771d9efbc9

SHA256
302174f6f1b73ea24f3e2a1e87d598cc17f34d69eb4eea54d61a0b65c5b4b961

SHA512
687260ab3f3d3139e802a17de365d4c242e5c96e4f35dd10767b359b8ab48c7433798e71eb97762a5ebe4eb5a5ee58ec1fe947593a10ea595b5e528802da5278

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7imdaws.cmdline

Filesize
267B

MD5
eb3528b832bd17438c6cf6b18c1b9a42

SHA1
f1c67614731ee2e6cca945fd0cd8c00b78ff67ed

SHA256
3728cb051e452950d2bb9a4a4024cecb69b3aba2f1a19a620292e9ade14cad18

SHA512
cedc68a4c58cf333490f1c78fa30878403a3864f3c50b5c04d248f3a13f91858b9b326f092a15062eceff6ee672aaab0d1598c2717012f8ae838b804501eecb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc378EC80FEC4644FCB566F9BCB20AF54.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc430A487548DB42D69775A0FF9C8B8BE.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc745419D5FCD40C59B6187BBCF60CA43.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F31BF785F29455C99A17D435BC9DA9A.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc811168BA62624890AEE59CC9505B86C8.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc89AC6F324B44389EEB7F854E2BDCE2.TMP

Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCAA075D6D226449588486BD2F8578AB7.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD64EFAB9BB7D420BBA76D5F1C06DCC74.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF9A4F8DE9B4901A519AEED6E12F4DC.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF65F92321EA42C0823D1D879592DCFA.TMP

Filesize
5KB

MD5
d0700df86922f8822ee8cf4dc28769af

SHA1
80c24d2ad4d0add576cc97c608644dfdf9d0444e

SHA256
ff1ca342c6c1c86e58276a9c7a36e06cc300c8a566a57dc6e62831dc3d84c3ef

SHA512
721eae27ddee0305b5b5a07a8c8c2cacc2e44e11f032597d74d78e8979bddc51b74e4c1f700e74baff9eec4cf064bf97e58936ab6d69541f3a609c19f4dd7b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 403202.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/784-499-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1136-495-0x000000001B1B0000-0x000000001B256000-memory.dmp

Filesize
664KB

Download
memory/1136-494-0x000000001B7D0000-0x000000001BC9E000-memory.dmp

Filesize
4.8MB

Download
memory/1136-496-0x000000001BD10000-0x000000001BD72000-memory.dmp

Filesize
392KB

Download
memory/1440-498-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download