revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat[.]exe

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe

Score

10^/10

revengerat guest discovery persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000b000000023d00-207.dat	revengerat

Downloads MZ/PE file

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 8 IoCs

pid	Process
4240	RevengeRAT.exe
1712	RevengeRAT.exe
3584	RevengeRAT.exe
1592	RevengeRAT.exe
3004	RevengeRAT.exe
5760	svchost.exe
4240	AgentTesla.exe
6060	AgentTesla.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
65	0.tcp.ngrok.io
133	0.tcp.ngrok.io
51	raw.githubusercontent.com

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 3704	4240	RevengeRAT.exe	113
PID 3704 set thread context of 2000	3704	RegSvcs.exe	114
PID 1712 set thread context of 3292	1712	RevengeRAT.exe	117
PID 3292 set thread context of 4320	3292	RegSvcs.exe	118
PID 3584 set thread context of 1352	3584	RevengeRAT.exe	121
PID 1352 set thread context of 4868	1352	RegSvcs.exe	122
PID 1592 set thread context of 2448	1592	RevengeRAT.exe	125
PID 2448 set thread context of 2544	2448	RegSvcs.exe	126
PID 3004 set thread context of 364	3004	RevengeRAT.exe	130
PID 364 set thread context of 116	364	RegSvcs.exe	131
PID 5760 set thread context of 4004	5760	svchost.exe	211
PID 4004 set thread context of 1612	4004	RegSvcs.exe	212

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File opened for modification	C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml	AgentTesla.exe
File created	C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll	AgentTesla.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 407536.crdownload:SmartScreen	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 325967.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
4172	msedge.exe
4172	msedge.exe
4052	identity_helper.exe
4052	identity_helper.exe
1464	msedge.exe
1464	msedge.exe
5748	msedge.exe
5748	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe
5884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	RevengeRAT.exe
Token: SeDebugPrivilege	3704	RegSvcs.exe
Token: SeDebugPrivilege	1712	RevengeRAT.exe
Token: SeDebugPrivilege	3292	RegSvcs.exe
Token: SeDebugPrivilege	3584	RevengeRAT.exe
Token: SeDebugPrivilege	1352	RegSvcs.exe
Token: SeDebugPrivilege	1592	RevengeRAT.exe
Token: SeDebugPrivilege	2448	RegSvcs.exe
Token: SeDebugPrivilege	3004	RevengeRAT.exe
Token: SeDebugPrivilege	364	RegSvcs.exe
Token: SeDebugPrivilege	5760	svchost.exe
Token: SeDebugPrivilege	4004	RegSvcs.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4240	AgentTesla.exe
6060	AgentTesla.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 988	4172	msedge.exe	84
PID 4172 wrote to memory of 988	4172	msedge.exe	84
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 1372	4172	msedge.exe	85
PID 4172 wrote to memory of 5028	4172	msedge.exe	86
PID 4172 wrote to memory of 5028	4172	msedge.exe	86
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87
PID 4172 wrote to memory of 3980	4172	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbhszdoo.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6359.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12E98CF41EBC496AAFF81472E9CB5715.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D2D48C51415E9DA4B9DE10298AE7.TMP"
        5⤵
        
        PID:5124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\10jowses.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5380
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6433.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE84D620892B64FC890CFA4D1417BCD52.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5648
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBBE0F51E7148589E3B643A721A45E6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ux61ifzm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5528
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1223C8E0E6D0480EA570F5CDEA7D527.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mujz4is8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE26DAE25F96546C094826C6D195CAE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5800
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6618.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc862A5D9D60D04FEBB6A2418CD8FFD214.TMP"
        5⤵
        
        PID:5916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w3givcq.cmdline"
      4⤵
      PID:5920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6695.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc279809FC56342B7BDE3465E189CD9B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uejcowg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5940
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6702.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5EA0E7DDB24032A4B71C83F8CB61D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hv3dimn7.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5264
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES676F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DFAC124FE004C67918EC0DB93CAFA5F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcwa3b5t.cmdline"
      4⤵
      PID:5612
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES680C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C463CFA1D34DB1B19541D27BD4481B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wcf93hw.cmdline"
      4⤵
      PID:5460
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6879.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5219C276FB14486AEF391B2EA86DD31.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v2xa5tx.cmdline"
      4⤵
      PID:5524
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD64876E7FF6D4155A79EEF428E995550.TMP"
        5⤵
        
        PID:5104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xq-cbia.cmdline"
      4⤵
      PID:5308
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6973.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE01D781B65B47969231EF673299244.TMP"
        5⤵
        
        PID:5744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5rmlmzn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8434D682AB34648809ECDC088B29976.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tn4yqus9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3192
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc132A67F344F547EB84F81BF8A5734546.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_2nsbzk9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ACB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8E1FFA8E1B434CBF835F21A4AB3CE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_c-zvzv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AD0B3534B144C9087DDFBCCD8D3A530.TMP"
        5⤵
        
        PID:6052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dp9uqzrx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15E9EC94693344D1AF3D884E5164D86D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twss7zng.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC82587FF5EA4837A3DFC9AA6B938117.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5188
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6j-p4fyb.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72DFC6EC880F42AE971771574796F66B.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmp4mo3k.cmdline"
        6⤵
        
        PID:5544
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1553.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E128DF5FE4246139261FA38DB384BF.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izekdwso.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F06D22CA8204862B8AA10E36D42EE4A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aybnhc0d.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8184EBBE37F94B33A8807BBE3347761.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:624
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\43bxloyt.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1786.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15F87B9E08F47849C94F64258E964FD.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_d8pqyp1.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1831.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93C6B2C38D514B21AD215436FBB03035.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vt9jrpqc.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9A83F53FF534DC69D8E4E31C5A4F9F2.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxa2ks0q.cmdline"
        6⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES193B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A747CB913A46668E371E39E44BBCF.TMP"
        7⤵
        
        PID:2700
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-jxotqiw.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4FF7BB4188E4E9295C1F5EBBE7CA66C.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adnleeye.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc106154ECAC2F47A2B640265B41DDD.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4320
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:364
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5748
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5884
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb32fe7edh8bc1h46f6h8359hfa5893e1afe5
1⤵
PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  PID:5588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\90be4c28-7ce6-4f8c-957d-6a250c51f848.tmp

Filesize
10KB

MD5
b80937429b78cc91a4975a4f6954687f

SHA1
7238181e7ec4a06cc6a319694da1f58a553b7e7f

SHA256
623cd871462a3b3c1e051699e0d57a93583ee4147dd212f9fc10a5a3e6e5d0be

SHA512
eb8fafa69d140181d9af391617c12e5a36ce65c0bc278ca151de6bc382efd0af564c551add4273d84640a02e6bc3839f0f46725285eba893b35313a948d8b488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3926723650c90eba55a49584940dcdd3

SHA1
ee7cfcb23ce9adf2324b0e1ce2c99da4289f4376

SHA256
97e6ef4981bf38f249834fe4868e0de05eb4c421de0ec313dffa41fa20e660aa

SHA512
a86ed7907a0f33b41d7242d79bdb6055775f77d08f75cd070df218e4e037a25191c0ab7503674ea11c2fa0d13a2763bf887df3f135dc1b5c5dd30b6e753420a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
387de02eeb0de6b3cfe1a52ea551838a

SHA1
b96a26e16406257c9ef9773eb84569add649a7d2

SHA256
2b08b400243b9f042b77934852ac0397eabcd3ef77c1b58a72520d6aa0c76974

SHA512
a29ab01682554dbeff239908682dc168691e5a3365fa32e4d3048eae0ecc27eb64878f72fbe0e974bc8591c635209a19baa99ca1618a106996e2115cabe319ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b5333db43abfefd58f35922e6ccf9ff4

SHA1
00fa19e0fae65020a5670108247047c5a2d87671

SHA256
ebf967afef592cec9838d512fb38f6c754c390982910ac186eacd28888a17940

SHA512
e5242c9ca764f900bbeb6ab88fa835fbd633be780427d17ca94e2b9ba0683f3bb278645b3e8b5e36203d1753c7e26f53dac086d230cb126aa6737ccbd4c79fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
5022b10efc3c6d669ded7960cc594a19

SHA1
a79ad985b345f09f5f4f265ba1867800ab4d3be1

SHA256
a6c395932ed70d3a45247d91c6593b48d6d389a52aa806ad484aef62b63c8e53

SHA512
a496101a7c30b7205f91698eec23c53b52d80a24a2208f3184733b905fd34066163df9688e00856278fc536fd955bcb0d2c62f3561f28718e378a08754c53c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b93cf0a97bcf2e32e71f1baca0a65707

SHA1
54f77697c8b7550f01b08fedcb0b26ce39a7fe57

SHA256
872e6810514b3e46125c4d229e5d311870479698c6335d0c0e7da939bf2e8273

SHA512
a097392c3d54802dd62e045885526baff8cba7ab6a40f34ede595a29fab4e125f653d560e4c9628c7f3b91898972c3cc04a3a8ad65c250c3490f39a9f68cbbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c792a6c9e6ea7a208ece2a84e19d37f8

SHA1
d8f9607ab4dfeadd088ea8f60708396b73a0fddb

SHA256
5b1f301fda9fbe22021d08fdedda48fadd060987b30c97db0e0f09a4f1d3c43c

SHA512
fe1d95314e72a932b6c0d7ddf6533ccc5139dc84d314fea474e2074a8de99bf8ba7c72974783b5a6b7910f6b2a5033b6b13dca1e10732682e7c5128dd96dbaae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db56dea6fff0ecd175eade83a8f121ec

SHA1
8fcfed0ac2be5533afaf793d43369f6988d30395

SHA256
8898bd1bb1ba40a5391d203b92ad085bce67a6273b4e5c81298aae35754a6d6a

SHA512
daf16512ff003cb5600b3c9ee3e3309971b31eeeac3724875b267f5dec45c15e7c8074c900f7b68b710ef5f47fd1f91e022cf878abef5e0d723f8dbd3ce8eda9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5a02e45c6e4c1e045924e947853f2930

SHA1
c1d39dbc7286d8b51552804481e5c78a7e28af4d

SHA256
767bc221650056e632cbf9cf731e9a90e16caee5e8d306d4877a5d86718ef3f7

SHA512
0718d12798fbfdfc3072065adb26d68d9b62fde5e1736421f04ff3144eecdd11be28e43b7855a65a7ce1c5bfda6c74e61870713f595ee06a9f9d903c459c50cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ff05fd9cf22435dbede0b68f8bdf808

SHA1
b746101f3c3904e0024cb0a76df99764a00a72c5

SHA256
069a73f6086ba241f0f8a1b562a043e8a7796751231745a4169f071848fdb16e

SHA512
707d9dd274ec9167f9c1bcf5b5a5850e403c78c7d7fe10c09730c4b2f710ef4d8d14b9f66adb9c76278007022d4bc313246d54b0afa22f85e2c2d7a97b25c7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f97563a3618c66d8765c41e2159ceec

SHA1
18a14fb68be484a4dc082a1b93b3d15f978fe1c5

SHA256
9766656d882b69cb91f6e7792dc0d3333b57cbdafa8841a225f085489684f703

SHA512
9ba5194a4ee71f37ae5f0faedeea199710647104596e42f701790b0853e7d886a2ac86641d39e44727863bdb718b5a314864584ab4037be4a926ae564a90cc90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51988a079f7286c17dcef68e0331cc69

SHA1
3eb4770bfaa47778a692352dd4a2db438d8582b4

SHA256
18d85026f9c7a21f6538ad94adffac3162d1d7a41e25e90f027b910f372e61ff

SHA512
44356685cddeba87a1d993417a03bce96e43d228915a6b4681fd4cf375143c32edff221b28488600650506ca50690b7959d1dfbe2d9103649429e2b792ead297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
371eaefb7107e00d8b5e42a8f9ebdb96

SHA1
24cfc75d24e587e834f1f084424b6fe6c8ffc512

SHA256
594a246b16cf7fca3aa2a9be651c3f4f9328fecd22937840d52d4af97aaa3484

SHA512
f826ebf23d02adbeb14d51525ac2c6c157fd8bd9c5809107a6ed98e9e2b6f72c44d45cec61c1a606610d34e38f1aa9d0ed5e3ce1db5559c848ffb4db6abdb6ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3831324f9d35ce2354166dc649f4ddae

SHA1
4589397ab866399b891e32cbc061db05d7cad9d5

SHA256
0d6fc4aaca00362adaeda781aa61cda08d5d266660f8c38dd053e1e0a9d9f9c2

SHA512
25db484386f0e93d588349ff28e2e1bcdb09f297ed83b8422772ac95fc00f66fd0e6e0c4dd3eedd099971e6f5f33b72d0f82d66c1e93481411a848828199808b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
cf1a920fec4a18f7291960245e856278

SHA1
ae52b2294679640cdf27f318c664f098a68735fb

SHA256
56484e8581a72657aaada1fc1d17cf826f076e849fa9f106d78d15f57bd7a194

SHA512
633636a9abc8d01bb5c9ff814751dc84717fbaf9afdd3c67588f3725ea8d36da7871996123ce276462df15872ad79accf2cd346b23d11bc794e37b5ec865d992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f84745e0fbf89179b60574ef50fa9521

SHA1
73f0d379fe256cf6b3d7772550165df996ae4efb

SHA256
9bf3093e130207541535c9c6b3c7e403a969c970a0975251bbe2e2b26d9e67c3

SHA512
577f952bdc95604531a25a23d3d6d6db842b71c46c1f0322aa34cb74339194ab987c66feef8f5fb8d648b2b4ac625de5895e103a17fdb40b8925212acc60636e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c841.TMP

Filesize
874B

MD5
0ea2c18590a9a8c05980e9cb1dc4fe4d

SHA1
0784a0ab1b72259c541241a603712e0e71b0257c

SHA256
1e453c6f76bac87108ff70ba1cef9e16499e8e98d9b9353d548fc93791718d89

SHA512
d6aa001cee8666d57985c7a8706feddc607561fb576c07404e6edfcb3f9672b9e976b3470eada010b69c3ea9b8cdc82909dbff93520a1f1ef2e43ad50183cf9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ab4026107e9ba34a94ed61f8f6ffa34

SHA1
d695f79df86461b5f8113018b30c2d67b0298825

SHA256
ac4d80bf786e2d1af5906febc5a6c5da86a3a5cf5a675a12476ce0383333d7d2

SHA512
ba5bdbec7c94f0ec85736e94f03548ae0e61d76351192658190d33aab67bfa0099080237f25416a9a28f422e710045c7d148a85ecc65f60605a2f3e7a114c4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a276eea65ec4c51f927dd109f5999641

SHA1
820d6a5cd299052e6aaa445a67632bf00c6a0b15

SHA256
dd3ff329f01fde362ffe853fb9beecad5f1ddfa8bf27f3e935178642df80981c

SHA512
fdb1c38ff5ad7e7ff1f9a8e0c8007b97ecaf262ed08c05ac8c8d78d942d0ecaa63d29115253fff55878d453ed00dfd7b402a406b240aa09221659dcaee975857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77d5b85a5c3bdaeb8c3d2d20c8d6724d

SHA1
4f345521afa6c43427783a3201fa4a5159e3a6f2

SHA256
4d57a604522d6a3492d5ea2123d5e8fa46d35a41702e1664d29ac5b49360244c

SHA512
bf76fdbcfdb12c7f27bc7a479bb7ee09ae191642513c6d2004bdd333a10523cf0c014b28bbd92623d2370a7009e76e657455506eb90d241d67c2ac66782fd8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10jowses.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10jowses.cmdline

Filesize
224B

MD5
c372eb1edace91735e6f6417eba5738a

SHA1
a254128eb1803ec320ea6c0d87e86d88abaf4916

SHA256
7606f1c7f6c8b021e5fbbf8942c56adb98b1cd68e06d35320f78dafa07af874c

SHA512
5d094a44f216da437a8485364e6944767e60e9a1a8e878c5a9f1038f034e4b226f100c3ae2b8287f5f34b45fcefd64aa88805f733920d935be21acea64215ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp

Filesize
5KB

MD5
fbf2b7e8a2059a31c57c10d73ff7d89c

SHA1
de705bae1945e17a05afeac72286a1896db50a52

SHA256
4a573d6e4477fa5e1d490909b84fba4180e62ccaec0ea128197ff59b205834eb

SHA512
a57de3f53bf4c0ce467da5014ee0214afed232de178482b5cb5ac3b5ff3b2a60e3911f9455122d572421b049ccc336649207e6422a802e0fb3dd9a06fe9b86a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6359.tmp

Filesize
5KB

MD5
5c64f1b5ca17b58215438743e35bfb62

SHA1
b0b2b2f5f6bcc840833bed6655f223c9b8cdd716

SHA256
a8d1fd37be7afcbd86b082e76481f25563b927f265a3f5c4596ee3c16219ae9e

SHA512
fc339316dd59f456578d24a99db32cb07b7769a94d4db36e30d851e01c23c2a27583c539e451f253bc936dcea85d86ddf42d70a50d4a12c32668e3a82f466b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES63D6.tmp

Filesize
5KB

MD5
6c5bf6deb14ec1ad5ce3e6c4c2f9149d

SHA1
f650074727497218ec23f3bafa600d4a2ebe859b

SHA256
4d93a92c914d1ae5889a5c03124aaba2d00a54945e879863e70b1259d15a0af3

SHA512
07aefc02e5bc2a57791c845dd107f573872431aac78363ebb65e010caa872e3f9cdfbd3172c5096a0ced900fb66c7e1770d6ab57074ecb157005bd632739b53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6433.tmp

Filesize
5KB

MD5
cfe180e287783f450652689dae32f0a7

SHA1
d8d97fff369318e09d3ded101a255971e88c628e

SHA256
764494055e6c3093e2f6a98e6573d17e334b3efee3a003c20942522de6f248da

SHA512
a53ea746faf4ff634be1533f809ab1770c13a5654e622945ab5d836fc245c761f2e825df26706c900cfeb44fa8d401adbdbb55c9c0e1911b4afff183b23ba9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64B0.tmp

Filesize
5KB

MD5
c2d90c4b53c7ad51ee6be498f04a02df

SHA1
8eadfbda734960140227402a269ee115acc2faf6

SHA256
ac178ecf936981a6152eadbc51eebf90ff245e36cb86575d8322b30053e93faa

SHA512
1be70f038d8cce17e577c49bd688192b0fea940ca8cc9f5408121c2c6206f06e938a0984bff2220788a1b3a8b2fabed704217db790e0d450680b235382318394

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES651E.tmp

Filesize
5KB

MD5
f27d8b61067fb917ea1b3966a7e17d0b

SHA1
77cb26ce170c239334c89045a357f020412017c0

SHA256
d4df9be29c9fb5d9042bef2f891810e825aaeca9326b35dfb4b4972269c36f6a

SHA512
b92e3357f04de9f99c931e2bdd9032948f4a7a720721b253d771b97489877f8aa2ff742fb2a266ff45cef5a30583c5006cbe9dd6f93a287329c601a6e60c1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp

Filesize
5KB

MD5
e6b607c00f55fd3566b9ade9c84d20a9

SHA1
c4b42d607577976da8f62a972a683ef1c889fe6f

SHA256
d69459a98d87915c00b948bca000f9207f357339a78d9fa0d9569c88443b3172

SHA512
416ab6f0aa4cd3b14d731fcdbf6039c14c1cf4d07b83c516c142a8205d2d90ecaef158b2aeea6e3f6ce24d59d12c88575330218bd309939b7386d0fb57873566

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbhszdoo.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbhszdoo.cmdline

Filesize
224B

MD5
e6f7d786e7ac57ee96c036bc887be448

SHA1
eef5a9df8a75a74d525396b95f8df8bd12e279e6

SHA256
8a27ff0e70a1084a81bc2650aeb33214d9362ec0a8b3117ec663c517aa2423bb

SHA512
7cf6f661d276c0f1a68aecf2629d1b68d5813f0351ec924758910fbc795f17a5b860fa31b77ee37cb514bdfec5e21d102d5f5eb879803334715cebc2688544a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6byebaj.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline

Filesize
253B

MD5
939aba9847aa265cb05df77c37bfd9ff

SHA1
23cd94487ebb9c133917ef5de983f60422faa420

SHA256
9de024d98e43660c0f414a9e1b446201493a14183f8a1a8ec89e0c5da5e4eefc

SHA512
f6384c64e25815c5e485555a5be1a39fcd58c7aa5908cd80940fa4ca9be1665f11b0322f23f3c7daa70c59288ab4b6a2157e7949fdcb68d0bbc1b97b48246b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\mujz4is8.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\mujz4is8.cmdline

Filesize
261B

MD5
0098fbe000c2c8779f87dc28475b69e7

SHA1
da05124760c8a9ab645de523e81c08a20c037c42

SHA256
fe652f278962bd000c61ca1a74cd7b561cb25cb5df115adef50fd0c2c3de13c1

SHA512
c3dc7f8b8c6ce81311e9df8926239a527a80d6b9a916bbc479079f26b4a672db991fdda5ec969aab07b872f898cd07ed8ff90713b7460d7a769b1a0a0f8b1e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline

Filesize
267B

MD5
b238ce094ff15d6462af334a8128136c

SHA1
ca0756f4757284e3384f966890b9330e1a9c7a4b

SHA256
92edf08190397cb87935c4fe292a0cd4530d5cfc98a90e62929eacc8bd298bb7

SHA512
b4a0258ffa7974765769b265132e708eea60983537ec865dffdc14bba313a0d6285b627f2b0f86c1cfb898b1f05f49f429fe6c3f20f12fa76af71781c05d8dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.cmdline

Filesize
261B

MD5
56aff9f7c1f5530adaf4d1acf6a5bff9

SHA1
35c8bd1723cd9b13dc5afc825d72640011cc7449

SHA256
ff9e70870a953d7e4823bbf6fd3b525428575d8cfcbec130b03964fb206ca031

SHA512
5eaac03ac4f633d197c56bbfefcffb79c365ee6f946def64231367b2270e3ff04f311798d1b76a93c0e3397294bc9d908c66c94cc24ca7f12363cfac48cb02db

Download Submit
C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.cmdline

Filesize
253B

MD5
d9b77752812585f57f60eb33b1f5c91a

SHA1
1dfdecef3ec86da9be894e5a2fa20ef7e079a9af

SHA256
196ce16a783f03b65bb1864eaf402c7151399238d3fc37af24a893009bf32fde

SHA512
82c963cd3fc81b31701a8bf2cacb9b3a18a984b8e7d64402e2f358d484590cf8bd0709ed3e63d31f084c404104316a9596d53f4b4679c5180b184a82d39cf43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux61ifzm.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux61ifzm.cmdline

Filesize
267B

MD5
37c2d92af52e40ff578c39fb90320790

SHA1
ac734a1b9db34302664a23a8154cef2982a5f9ea

SHA256
be3f70f8bc2402ca5a2836d16ed34980cd21ed3a6d7989c5c583f2090a1f13dc

SHA512
a323c2271aabdd863e3498fcc3a85a6ae2938487316f470f9ed0b099b7b3315a40c0e7a2045b9664d6e2c945c4f67e8e7b3a2fc8b878a9e5d35f0d0eeedc1ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1223C8E0E6D0480EA570F5CDEA7D527.TMP

Filesize
5KB

MD5
5fb831248c686023c8b35fa6aa5f199c

SHA1
39760507c72d11c33351b306e40decaad7eb2757

SHA256
d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908

SHA512
2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc12E98CF41EBC496AAFF81472E9CB5715.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc15F87B9E08F47849C94F64258E964FD.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8184EBBE37F94B33A8807BBE3347761.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc89D2D48C51415E9DA4B9DE10298AE7.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA9A83F53FF534DC69D8E4E31C5A4F9F2.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE26DAE25F96546C094826C6D195CAE.TMP

Filesize
5KB

MD5
2f824fea57844a415b42a3a0551e5a5a

SHA1
0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4

SHA256
803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee

SHA512
7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE84D620892B64FC890CFA4D1417BCD52.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEBBE0F51E7148589E3B643A721A45E6.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 325967.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 407536.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/2000-261-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3704-260-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4240-258-0x000000001C7C0000-0x000000001C822000-memory.dmp

Filesize
392KB

Download
memory/4240-257-0x000000001C650000-0x000000001C6F6000-memory.dmp

Filesize
664KB

Download
memory/4240-256-0x000000001C180000-0x000000001C64E000-memory.dmp

Filesize
4.8MB

Download