Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 15:22

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe
Resource: win10v2004-20241007-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe
Malware Config
Extracted
Family: revengerat
Botnet: Guest
C2: 0.tcp.ngrok.io:19521
Mutex: RV_MUTEX
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable 1 IoCs
resource: behavioral1/files/0x000b000000023d00-207.dat
yara_rule: revengerat

Downloads MZ/PE file

Drops startup file 3 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (RegSvcs.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:SmartScreen:$DATA (RegSvcs.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (RegSvcs.exe)

Executes dropped EXE 8 IoCs
4240 RevengeRAT.exe
1712 RevengeRAT.exe
3584 RevengeRAT.exe
1592 RevengeRAT.exe
3004 RevengeRAT.exe
5760 svchost.exe
4240 AgentTesla.exe
6060 AgentTesla.exe
Uses the VBS compiler for execution 1 TTPs
The compiler involved is vbc.exe, the Visual Basic .NET command-line compiler from C:\Windows\Microsoft.NET\Framework\v2.0.50727, invoked with /noconfig and an @*.cmdline response file under %TEMP%, each time followed by cvtres.exe; in the process tree below every vbc.exe instance is a child of the hollowed RegSvcs.exe (PID 3704), which is how RevengeRAT compiles code at run time instead of shipping it pre-built.
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" (RegSvcs.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow 65: 0.tcp.ngrok.io
flow 133: 0.tcp.ngrok.io
flow 51: raw.githubusercontent.com
0.tcp.ngrok.io is an ngrok TCP tunnel endpoint, so the host:port in the extracted config (0.tcp.ngrok.io:19521) is a tunnel allocated to the operator rather than the real C2 server; blocking the single port is of little value because the operator can re-allocate it, whereas the domain pattern *.tcp.ngrok.io is a stable indicator. raw.githubusercontent.com is the download of the sample itself from the submitted repository URL.
Suspicious use of SetThreadContext 12 IoCs
PID 4240 (RevengeRAT.exe) set thread context of 3704 (procid_target 113)
PID 3704 (RegSvcs.exe) set thread context of 2000 (procid_target 114)
PID 1712 (RevengeRAT.exe) set thread context of 3292 (procid_target 117)
PID 3292 (RegSvcs.exe) set thread context of 4320 (procid_target 118)
PID 3584 (RevengeRAT.exe) set thread context of 1352 (procid_target 121)
PID 1352 (RegSvcs.exe) set thread context of 4868 (procid_target 122)
PID 1592 (RevengeRAT.exe) set thread context of 2448 (procid_target 125)
PID 2448 (RegSvcs.exe) set thread context of 2544 (procid_target 126)
PID 3004 (RevengeRAT.exe) set thread context of 364 (procid_target 130)
PID 364 (RegSvcs.exe) set thread context of 116 (procid_target 131)
PID 5760 (svchost.exe) set thread context of 4004 (procid_target 211)
PID 4004 (RegSvcs.exe) set thread context of 1612 (procid_target 212)
Each executed RevengeRAT.exe copy, and the persisted Startup-folder svchost.exe (PID 5760), rewrites the thread context of a RegSvcs.exe child that it started with no arguments, and that RegSvcs.exe in turn does the same to a second RegSvcs.exe. Together with the SeDebugPrivilege adjustments listed below, this is consistent with two-stage process hollowing of the .NET RegSvcs.exe host: the on-disk RegSvcs.exe is signed Microsoft code, but the code it runs is the RAT payload.
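The chains above are easier to see when the rows are parsed rather than read. The following script is an added example, not part of the tria.ge report or of any tria.ge tooling: it parses the twelve rows exactly as the page flattens them, builds the "who set whose context" graph and walks it from each root. The only assumption beyond the rows is the image name of PID 2000, which the rows never name but the Processes tree on this page does; all other leaf targets are reported as unknown.

```python
import re

# Constructed input: the twelve "Suspicious use of SetThreadContext" rows of this
# report, one per line, in the flattened column order the page uses
# (description | pid | Process | procid_target).
SET_THREAD_CONTEXT_ROWS = """
PID 4240 set thread context of 3704 4240 RevengeRAT.exe 113
PID 3704 set thread context of 2000 3704 RegSvcs.exe 114
PID 1712 set thread context of 3292 1712 RevengeRAT.exe 117
PID 3292 set thread context of 4320 3292 RegSvcs.exe 118
PID 3584 set thread context of 1352 3584 RevengeRAT.exe 121
PID 1352 set thread context of 4868 1352 RegSvcs.exe 122
PID 1592 set thread context of 2448 1592 RevengeRAT.exe 125
PID 2448 set thread context of 2544 2448 RegSvcs.exe 126
PID 3004 set thread context of 364 3004 RevengeRAT.exe 130
PID 364 set thread context of 116 364 RegSvcs.exe 131
PID 5760 set thread context of 4004 5760 svchost.exe 211
PID 4004 set thread context of 1612 4004 RegSvcs.exe 212
"""

# Target pids the rows never name; PID 2000 is named in the Processes tree of this report.
KNOWN_IMAGES = {2000: "RegSvcs.exe"}

# The pid column repeats the source pid, so a backreference keeps mis-split rows out.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) set thread context of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_rows(text):
    """Return (edges, images): source pid -> target pid, and pid -> image for each source."""
    edges, images = {}, {}
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        if src in edges:  # a source touching several targets would need a multigraph
            raise ValueError(f"pid {src} sets the context of more than one process")
        edges[src] = dst
        images[src] = m["image"]
    return edges, images


def injection_chains(text, known_images=None):
    """Follow SetThreadContext edges from every root (a pid whose context nobody set)."""
    edges, images = parse_rows(text)
    images = {**(known_images or {}), **images}
    targets = set(edges.values())
    chains = []
    for root in (pid for pid in edges if pid not in targets):
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:  # `seen` guards against pid reuse loops
            seen.add(pid)
            chain.append((pid, images.get(pid)))
            pid = edges.get(pid)
        chains.append(chain)
    return chains


def hollowed_images(chains):
    """Images whose thread context was rewritten by a parent: the hollowing hosts."""
    return {image for chain in chains for _, image in chain[1:] if image}


def describe(chain):
    return " -> ".join(f"{image or 'unknown'}({pid})" for pid, image in chain)


if __name__ == "__main__":
    for chain in injection_chains(SET_THREAD_CONTEXT_ROWS, KNOWN_IMAGES):
        print(describe(chain))
```

Run as a script it prints six chains, every one of them exactly three processes long and every hollowed process a RegSvcs.exe; the sixth chain starts from the Startup-folder svchost.exe, which is the persisted copy behaving identically to the fresh downloads.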
Drops file in Program Files directory 20 IoCs
All entries by AgentTesla.exe, under C:\Program Files (x86)\Briano\UWPHook\:
File opened for modification: MaterialDesignColors.dll
File created: SharpSteam.dll
File opened for modification: MaterialDesignThemes.Wpf.xml
File opened for modification: Microsoft.Management.Infrastructure.dll
File opened for modification: SharpSteam.dll
File opened for modification: System.Management.Automation.dll
File opened for modification: UWPHook.exe
File opened for modification: UWPHook.exe.config
File created: VDFParser.dll
File created: MaterialDesignThemes.Wpf.xml
File created: UWPHook.exe
File created: UWPHook.exe.config
File opened for modification: MaterialDesignThemes.Wpf.dll
File opened for modification: System.Management.Automation.xml
File opened for modification: VDFParser.dll
File created: MaterialDesignColors.dll
File created: Microsoft.Management.Infrastructure.dll
File created: System.Management.Automation.dll
File created: System.Management.Automation.xml
File created: MaterialDesignThemes.Wpf.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 64 times, by process:
cvtres.exe ×25
vbc.exe ×24
RegSvcs.exe ×11
AgentTesla.exe ×2
DllHost.exe ×1
schtasks.exe ×1
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 (RegSvcs.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RegSvcs.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 (RegSvcs.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RegSvcs.exe)
Enumerates system info in registry 2 TTPs 3 IoCs
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies Internet Explorer settings 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
Modifies registry class 5 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
Set value (data): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
NTFS ADS 4 IoCs
File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 407536.crdownload:SmartScreen (msedge.exe)
File created: C:\svchost\svchost.exe:SmartScreen:$DATA (RegSvcs.exe)
File created: C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen:$DATA (RegSvcs.exe)
File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 325967.crdownload:SmartScreen (msedge.exe)
The two .crdownload streams are Edge handling its own downloads. The other two are more useful for response: they show that the hollowed RegSvcs.exe wrote svchost.exe copies to C:\svchost\ and to C:\Users\Admin\AppData\Roaming\ in addition to the Startup-folder copy listed under "Drops startup file", so a clean-up that only removes the Startup entry leaves two copies behind.
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
5188 schtasks.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
5028 msedge.exe ×2
4172 msedge.exe ×2
4052 identity_helper.exe ×2
1464 msedge.exe ×2
5748 msedge.exe ×2
5884 msedge.exe ×4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
4172 msedge.exe ×15

Suspicious use of AdjustPrivilegeToken 12 IoCs
Token: SeDebugPrivilege 4240 RevengeRAT.exe
Token: SeDebugPrivilege 3704 RegSvcs.exe
Token: SeDebugPrivilege 1712 RevengeRAT.exe
Token: SeDebugPrivilege 3292 RegSvcs.exe
Token: SeDebugPrivilege 3584 RevengeRAT.exe
Token: SeDebugPrivilege 1352 RegSvcs.exe
Token: SeDebugPrivilege 1592 RevengeRAT.exe
Token: SeDebugPrivilege 2448 RegSvcs.exe
Token: SeDebugPrivilege 3004 RevengeRAT.exe
Token: SeDebugPrivilege 364 RegSvcs.exe
Token: SeDebugPrivilege 5760 svchost.exe
Token: SeDebugPrivilege 4004 RegSvcs.exe

Suspicious use of FindShellTrayWindow 49 IoCs
4172 msedge.exe ×49

Suspicious use of SendNotifyMessage 24 IoCs
4172 msedge.exe ×24

Suspicious use of SetWindowsHookEx 2 IoCs
4240 AgentTesla.exe
6060 AgentTesla.exe

Suspicious use of WriteProcessMemory 64 IoCs
All 64 entries are PID 4172 (msedge.exe) writing to the memory of its own child processes 988, 1372, 5028 and 3980 (procid_target 84, 85, 86 and 87), repeated many times per child; this is the browser's normal process-spawning, not the RAT.
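The signatures above are what the sandbox saw; a detection engineer wants the same observations as rules that run over host telemetry. The script below is an added example, not part of the tria.ge report: it encodes five host-level checks that the IOCs on this page justify (svchost.exe executing outside System32, a Run key pointing into a non-standard directory, RegSvcs.exe launched with no assembly argument, vbc.exe/csc.exe spawned by something that is not a build tool, and an ngrok TCP tunnel endpoint) and runs them over constructed Sysmon-style events. The events carry the pids and paths from this page, but the parent of the Startup-folder svchost.exe, the pid attribution of the Run-key write and of the network flow, and the benign control events are assumed; the build-tool allowlist is a starting point to extend per estate.

```python
import re
from pathlib import PureWindowsPath

# Directories from which svchost.exe legitimately runs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# First-cut allowlist for autorun targets. C:\Windows\Temp is user-writable, so in
# production pair this with a signature or hash check on the target binary.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Parents that compile code as part of normal work (assumed allowlist).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "powershell.exe", "pwsh.exe"}


def _norm(path):
    return path.replace("/", "\\").strip('"').lower()


def _image(path):
    return PureWindowsPath(_norm(path)).name


def _args(cmdline):
    """Arguments after the executable token, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.split()


def r_svchost_outside_system32(ev):
    if ev["type"] == "proc" and _image(ev["image"]) == "svchost.exe" \
            and not _norm(ev["image"]).startswith(SYSTEM_DIRS):
        return f"svchost.exe running from {ev['image']}"


def r_autorun_nonstandard_path(ev):
    if ev["type"] == "reg" and "\\currentversion\\run\\" in _norm(ev["key"]) \
            and not _norm(ev["value"]).startswith(TRUSTED_DIRS):
        return f"{ev['key']} -> {ev['value']}"


def r_regsvcs_without_assembly(ev):
    # RegSvcs.exe does nothing useful without an assembly path; an argument-less
    # launch matches the hollowing host seen in this report.
    if ev["type"] == "proc" and _image(ev["image"]) == "regsvcs.exe" and not _args(ev["cmdline"]):
        return f"RegSvcs.exe with no arguments, parent {_image(ev['parent_image'])} (pid {ev['parent_pid']})"


def r_runtime_compile_outside_build_tools(ev):
    if ev["type"] == "proc" and _image(ev["image"]) in {"vbc.exe", "csc.exe"} \
            and _image(ev["parent_image"]) not in BUILD_PARENTS:
        return f"{_image(ev['image'])} spawned by {_image(ev['parent_image'])}: {ev['cmdline']}"


def r_ngrok_tcp_tunnel(ev):
    # Matches N.tcp.ngrok.io and the regional form N.tcp.<region>.ngrok.io.
    if ev["type"] == "net" and re.fullmatch(r"\d+\.tcp(\.[a-z]{2})?\.ngrok\.io", ev["dest_host"].lower()):
        return f"ngrok TCP tunnel endpoint {ev['dest_host']}:{ev['dest_port']}"


RULES = (r_svchost_outside_system32, r_autorun_nonstandard_path, r_regsvcs_without_assembly,
         r_runtime_compile_outside_build_tools, r_ngrok_tcp_tunnel)


def detect(events):
    """Run every rule over every event; return one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule.__name__[2:], "pid": ev.get("pid"), "detail": detail})
    return findings


# Constructed Sysmon-style events modelled on this report's IOCs.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
RAT = r"C:\Users\Admin\Downloads\RevengeRAT.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CMDLINE_FILE = r"C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline"
STARTUP_SVCHOST = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
RUN_KEY = r"HKU\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost"

SAMPLE_EVENTS = [
    {"type": "proc", "pid": 4240, "image": RAT, "cmdline": f'"{RAT}"', "parent_pid": 4172, "parent_image": EDGE},
    {"type": "proc", "pid": 3704, "image": REGSVCS, "cmdline": f'"{REGSVCS}"', "parent_pid": 4240, "parent_image": RAT},
    {"type": "proc", "pid": 5808, "image": VBC, "cmdline": f'"{VBC}" /noconfig @"{CMDLINE_FILE}"',
     "parent_pid": 3704, "parent_image": REGSVCS},
    # Parent assumed: Startup-folder items are launched by explorer.exe at logon.
    {"type": "proc", "pid": 5760, "image": STARTUP_SVCHOST, "cmdline": f'"{STARTUP_SVCHOST}"',
     "parent_pid": 3000, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "reg", "pid": 3704, "key": RUN_KEY, "value": STARTUP_SVCHOST},       # pid assumed
    {"type": "net", "pid": 3704, "dest_host": "0.tcp.ngrok.io", "dest_port": 19521},  # pid assumed
]
BENIGN_EVENTS = [  # constructed controls that must not fire
    {"type": "proc", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs", "parent_pid": 700,
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "reg", "pid": 1200, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\Agent.exe"},
    {"type": "net", "pid": 4172, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f['rule']:38} pid={f['pid']}  {f['detail']}")
```

The sample set produces exactly five findings, one per rule, and the benign set none. The RegSvcs.exe rule is the one worth tuning first: the chain on this page is unusual not because RegSvcs.exe ran, but because it ran with no assembly to register and was started by a download from the browser.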
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4172  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:988  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1372  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5028  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3980  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4044  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4848  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:2448  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:4052  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3444  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5104  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3132  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:576  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4788  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:224  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2756  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4016  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1464  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\RevengeRAT.exe  PID:4240  (depth 2)
    Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  PID:3704  (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Drops startup file
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  PID:2000  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5808  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5888  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5936  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbhszdoo.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:6016  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6359.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12E98CF41EBC496AAFF81472E9CB5715.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:6064  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5124  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D2D48C51415E9DA4B9DE10298AE7.TMP"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5380  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\10jowses.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5600  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6433.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE84D620892B64FC890CFA4D1417BCD52.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5648  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5456  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBBE0F51E7148589E3B643A721A45E6.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5528  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ux61ifzm.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5104  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1223C8E0E6D0480EA570F5CDEA7D527.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:1564  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mujz4is8.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5736  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE26DAE25F96546C094826C6D195CAE.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5800  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:5916  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6618.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc862A5D9D60D04FEBB6A2418CD8FFD214.TMP"
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5920  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w3givcq.cmdline"
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:6036  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6695.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc279809FC56342B7BDE3465E189CD9B.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5940  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uejcowg.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  PID:6136  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6702.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5EA0E7DDB24032A4B71C83F8CB61D.TMP"
          - System Location Discovery: System Language Discovery
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  PID:5264  (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hv3dimn7.cmdline"
        - System Location Discovery: System Language Discovery
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES676F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DFAC124FE004C67918EC0DB93CAFA5F.TMP"
- System Location Discovery: System Language Discovery
PID:5440
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcwa3b5t.cmdline"4⤵PID:5612
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES680C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C463CFA1D34DB1B19541D27BD4481B.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5432
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wcf93hw.cmdline"4⤵PID:5460
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6879.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5219C276FB14486AEF391B2EA86DD31.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5320
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v2xa5tx.cmdline"4⤵PID:5524
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD64876E7FF6D4155A79EEF428E995550.TMP"5⤵PID:5104
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xq-cbia.cmdline"4⤵PID:5308
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6973.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE01D781B65B47969231EF673299244.TMP"5⤵PID:5744
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5rmlmzn.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8434D682AB34648809ECDC088B29976.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3768
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tn4yqus9.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc132A67F344F547EB84F81BF8A5734546.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5804
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_2nsbzk9.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5820 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ACB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8E1FFA8E1B434CBF835F21A4AB3CE.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5808
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_c-zvzv.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AD0B3534B144C9087DDFBCCD8D3A530.TMP"5⤵PID:6052
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dp9uqzrx.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15E9EC94693344D1AF3D884E5164D86D.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5260
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twss7zng.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC82587FF5EA4837A3DFC9AA6B938117.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5632
-
-
-
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (depth 4, PID 5760)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 5, PID 4004)
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - NTFS ADS
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 6, PID 1612)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          C:\Windows\SysWOW64\schtasks.exe (depth 6, PID 5188)
            Command line: schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 4448)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6j-p4fyb.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 2864)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72DFC6EC880F42AE971771574796F66B.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 5544)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmp4mo3k.cmdline"
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 3936)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1553.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E128DF5FE4246139261FA38DB384BF.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 4160)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izekdwso.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 4116)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F06D22CA8204862B8AA10E36D42EE4A.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 1164)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aybnhc0d.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 624)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8184EBBE37F94B33A8807BBE3347761.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 2548)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\43bxloyt.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 2696)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1786.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15F87B9E08F47849C94F64258E964FD.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 4912)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_d8pqyp1.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 5900)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1831.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93C6B2C38D514B21AD215436FBB03035.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 5840)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vt9jrpqc.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 5316)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9A83F53FF534DC69D8E4E31C5A4F9F2.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 3856)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxa2ks0q.cmdline"
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 2700)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES193B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A747CB913A46668E371E39E44BBCF.TMP"
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 4696)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-jxotqiw.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 6064)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4FF7BB4188E4E9295C1F5EBBE7CA66C.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 6, PID 5348)
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adnleeye.cmdline"
            - System Location Discovery: System Language Discovery
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 7, PID 5488)
              Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc106154ECAC2F47A2B640265B41DDD.TMP"
              - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\RevengeRAT.exe (depth 2, PID 1712)
    Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3, PID 3292)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 4, PID 4320)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\RevengeRAT.exe (depth 2, PID 3584)
    Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3, PID 1352)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 4, PID 4868)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\RevengeRAT.exe (depth 2, PID 1592)
    Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3, PID 2448)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 4, PID 2544)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\RevengeRAT.exe (depth 2, PID 3004)
    Command line: "C:\Users\Admin\Downloads\RevengeRAT.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 3, PID 364)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 4, PID 116)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        - System Location Discovery: System Language Discovery
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6000)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 364)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6140)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3848)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1004)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3652)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4872)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5748)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\Downloads\AgentTesla.exe (depth 2, PID 4240)
    Command line: "C:\Users\Admin\Downloads\AgentTesla.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5884)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\Downloads\AgentTesla.exe (depth 2, PID 6060)
    Command line: "C:\Users\Admin\Downloads\AgentTesla.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 1488)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 2448)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5304)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb32fe7edh8bc1h46f6h8359hfa5893e1afe5
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5324)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5580)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
C:\Windows\SysWOW64\DllHost.exe (depth 1, PID 5468)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
C:\Windows\explorer.exe (depth 1, PID 5320)
  Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize
355B
MD56e4e3d5b787235312c1ab5e76bb0ac1d
SHA18e2a217780d163865e3c02c7e52c10884d54acb6
SHA256aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706
SHA512b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8
-
Filesize
224B
MD5c372eb1edace91735e6f6417eba5738a
SHA1a254128eb1803ec320ea6c0d87e86d88abaf4916
SHA2567606f1c7f6c8b021e5fbbf8942c56adb98b1cd68e06d35320f78dafa07af874c
SHA5125d094a44f216da437a8485364e6944767e60e9a1a8e878c5a9f1038f034e4b226f100c3ae2b8287f5f34b45fcefd64aa88805f733920d935be21acea64215ca7
-
Filesize
5KB
MD5fbf2b7e8a2059a31c57c10d73ff7d89c
SHA1de705bae1945e17a05afeac72286a1896db50a52
SHA2564a573d6e4477fa5e1d490909b84fba4180e62ccaec0ea128197ff59b205834eb
SHA512a57de3f53bf4c0ce467da5014ee0214afed232de178482b5cb5ac3b5ff3b2a60e3911f9455122d572421b049ccc336649207e6422a802e0fb3dd9a06fe9b86a4
-
Filesize
5KB
MD55c64f1b5ca17b58215438743e35bfb62
SHA1b0b2b2f5f6bcc840833bed6655f223c9b8cdd716
SHA256a8d1fd37be7afcbd86b082e76481f25563b927f265a3f5c4596ee3c16219ae9e
SHA512fc339316dd59f456578d24a99db32cb07b7769a94d4db36e30d851e01c23c2a27583c539e451f253bc936dcea85d86ddf42d70a50d4a12c32668e3a82f466b25
-
Filesize
5KB
MD56c5bf6deb14ec1ad5ce3e6c4c2f9149d
SHA1f650074727497218ec23f3bafa600d4a2ebe859b
SHA2564d93a92c914d1ae5889a5c03124aaba2d00a54945e879863e70b1259d15a0af3
SHA51207aefc02e5bc2a57791c845dd107f573872431aac78363ebb65e010caa872e3f9cdfbd3172c5096a0ced900fb66c7e1770d6ab57074ecb157005bd632739b53f
-
Filesize
5KB
MD5cfe180e287783f450652689dae32f0a7
SHA1d8d97fff369318e09d3ded101a255971e88c628e
SHA256764494055e6c3093e2f6a98e6573d17e334b3efee3a003c20942522de6f248da
SHA512a53ea746faf4ff634be1533f809ab1770c13a5654e622945ab5d836fc245c761f2e825df26706c900cfeb44fa8d401adbdbb55c9c0e1911b4afff183b23ba9be
-
Filesize
5KB
MD5c2d90c4b53c7ad51ee6be498f04a02df
SHA18eadfbda734960140227402a269ee115acc2faf6
SHA256ac178ecf936981a6152eadbc51eebf90ff245e36cb86575d8322b30053e93faa
SHA5121be70f038d8cce17e577c49bd688192b0fea940ca8cc9f5408121c2c6206f06e938a0984bff2220788a1b3a8b2fabed704217db790e0d450680b235382318394
-
Filesize
5KB
MD5f27d8b61067fb917ea1b3966a7e17d0b
SHA177cb26ce170c239334c89045a357f020412017c0
SHA256d4df9be29c9fb5d9042bef2f891810e825aaeca9326b35dfb4b4972269c36f6a
SHA512b92e3357f04de9f99c931e2bdd9032948f4a7a720721b253d771b97489877f8aa2ff742fb2a266ff45cef5a30583c5006cbe9dd6f93a287329c601a6e60c1341
-
Filesize
5KB
MD5e6b607c00f55fd3566b9ade9c84d20a9
SHA1c4b42d607577976da8f62a972a683ef1c889fe6f
SHA256d69459a98d87915c00b948bca000f9207f357339a78d9fa0d9569c88443b3172
SHA512416ab6f0aa4cd3b14d731fcdbf6039c14c1cf4d07b83c516c142a8205d2d90ecaef158b2aeea6e3f6ce24d59d12c88575330218bd309939b7386d0fb57873566
-
Filesize
355B
MD5acd609faf5d65b35619397dc8a3bc721
SHA1ba681e91613d275de4b51317a83e19de2dbf1399
SHA2564cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518
SHA512400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c
-
Filesize
224B
MD5e6f7d786e7ac57ee96c036bc887be448
SHA1eef5a9df8a75a74d525396b95f8df8bd12e279e6
SHA2568a27ff0e70a1084a81bc2650aeb33214d9362ec0a8b3117ec663c517aa2423bb
SHA5127cf6f661d276c0f1a68aecf2629d1b68d5813f0351ec924758910fbc795f17a5b860fa31b77ee37cb514bdfec5e21d102d5f5eb879803334715cebc2688544a8
-
Filesize
369B
MD5e4a08a8771d09ebc9b6f8c2579f79e49
SHA1e9fcba487e1a511f4a3650ab5581911b5e88395d
SHA256ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6
SHA51248135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1
-
Filesize
253B
MD5939aba9847aa265cb05df77c37bfd9ff
SHA123cd94487ebb9c133917ef5de983f60422faa420
SHA2569de024d98e43660c0f414a9e1b446201493a14183f8a1a8ec89e0c5da5e4eefc
SHA512f6384c64e25815c5e485555a5be1a39fcd58c7aa5908cd80940fa4ca9be1665f11b0322f23f3c7daa70c59288ab4b6a2157e7949fdcb68d0bbc1b97b48246b32
-
Filesize
373B
MD57d0d85a69a8fba72e1185ca194515983
SHA18bd465fb970b785aa87d7edfa11dbff92c1b4af6
SHA2569f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5
SHA512e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989
-
Filesize
261B
MD50098fbe000c2c8779f87dc28475b69e7
SHA1da05124760c8a9ab645de523e81c08a20c037c42
SHA256fe652f278962bd000c61ca1a74cd7b561cb25cb5df115adef50fd0c2c3de13c1
SHA512c3dc7f8b8c6ce81311e9df8926239a527a80d6b9a916bbc479079f26b4a672db991fdda5ec969aab07b872f898cd07ed8ff90713b7460d7a769b1a0a0f8b1e0f
-
Filesize
267B
MD5b238ce094ff15d6462af334a8128136c
SHA1ca0756f4757284e3384f966890b9330e1a9c7a4b
SHA25692edf08190397cb87935c4fe292a0cd4530d5cfc98a90e62929eacc8bd298bb7
SHA512b4a0258ffa7974765769b265132e708eea60983537ec865dffdc14bba313a0d6285b627f2b0f86c1cfb898b1f05f49f429fe6c3f20f12fa76af71781c05d8dd5
-
Filesize
373B
MD5197e7c770644a06b96c5d42ef659a965
SHA1d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc
SHA256786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552
SHA5127848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7
-
Filesize
261B
MD556aff9f7c1f5530adaf4d1acf6a5bff9
SHA135c8bd1723cd9b13dc5afc825d72640011cc7449
SHA256ff9e70870a953d7e4823bbf6fd3b525428575d8cfcbec130b03964fb206ca031
SHA5125eaac03ac4f633d197c56bbfefcffb79c365ee6f946def64231367b2270e3ff04f311798d1b76a93c0e3397294bc9d908c66c94cc24ca7f12363cfac48cb02db
-
Filesize
369B
MD583f6067bca9ba771f1e1b22f3ad09be3
SHA1f9144948829a08e507b26084b1d1b83acef1baca
SHA256098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231
SHA512b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19
-
Filesize
253B
MD5d9b77752812585f57f60eb33b1f5c91a
SHA11dfdecef3ec86da9be894e5a2fa20ef7e079a9af
SHA256196ce16a783f03b65bb1864eaf402c7151399238d3fc37af24a893009bf32fde
SHA51282c963cd3fc81b31701a8bf2cacb9b3a18a984b8e7d64402e2f358d484590cf8bd0709ed3e63d31f084c404104316a9596d53f4b4679c5180b184a82d39cf43f
-
Filesize
39B
MD5502984a8e7a0925ac8f79ef407382140
SHA10e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA5126c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
-
Filesize
376B
MD57a8e43324d0d14c80d818be37719450f
SHA1d138761c6b166675a769e5ebfec973435a58b0f4
SHA256733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909
SHA5127a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715
-
Filesize
267B
MD537c2d92af52e40ff578c39fb90320790
SHA1ac734a1b9db34302664a23a8154cef2982a5f9ea
SHA256be3f70f8bc2402ca5a2836d16ed34980cd21ed3a6d7989c5c583f2090a1f13dc
SHA512a323c2271aabdd863e3498fcc3a85a6ae2938487316f470f9ed0b099b7b3315a40c0e7a2045b9664d6e2c945c4f67e8e7b3a2fc8b878a9e5d35f0d0eeedc1ec0
-
Filesize
5KB
MD55fb831248c686023c8b35fa6aa5f199c
SHA139760507c72d11c33351b306e40decaad7eb2757
SHA256d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908
SHA5122244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea
-
Filesize
5KB
MD5abeaa4a5b438ffa58d07d9459e5c1d6c
SHA169631de7891162dd4840112a251f6531feae7509
SHA256ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd
SHA512c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
5KB
MD5249d49f34404bfbe7ed958880be39f61
SHA151ec83fb9190df984bf73f2c5cd1edc0edf1882a
SHA256fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b
SHA512082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
5KB
MD5d01de1982af437cbba3924f404c7b440
SHA1ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce
SHA256518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598
SHA512a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
5KB
MD52f824fea57844a415b42a3a0551e5a5a
SHA10e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4
SHA256803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee
SHA5127ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008
-
Filesize
5KB
MD5d56475192804e49bf9410d1a5cbd6c69
SHA1215ecb60dc9a38d5307acb8641fa0adc52fea96c
SHA256235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee
SHA51203338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51
-
Filesize
5KB
MD52f97904377030e246bb29672a31d9284
SHA1b6d7146677a932a0bd1f666c7a1f98f5483ce1f9
SHA2567e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f
SHA512ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909