Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Downloads MZ/PE file
Uses the VBS compiler for execution
Drops startup file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
NTFS ADS
Modifies registry class
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 15:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 15:22
Reported
2024-10-13 15:24
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\RevengeRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RevengeRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RevengeRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RevengeRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\RevengeRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | 0.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.xml | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\UWPHook.exe.config | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Briano\UWPHook\VDFParser.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\Microsoft.Management.Infrastructure.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\System.Management.Automation.xml | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 407536.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\svchost\svchost.exe\:SmartScreen:$DATA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 325967.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AgentTesla.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/NJRat.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:8
C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb32fe7edh8bc1h46f6h8359hfa5893e1afe5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe4ce346f8,0x7ffe4ce34708,0x7ffe4ce34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16161895044351288382,18350348043826183869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbhszdoo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6359.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12E98CF41EBC496AAFF81472E9CB5715.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D2D48C51415E9DA4B9DE10298AE7.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\10jowses.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6433.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE84D620892B64FC890CFA4D1417BCD52.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBBE0F51E7148589E3B643A721A45E6.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ux61ifzm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES651E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1223C8E0E6D0480EA570F5CDEA7D527.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mujz4is8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE26DAE25F96546C094826C6D195CAE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6618.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc862A5D9D60D04FEBB6A2418CD8FFD214.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3w3givcq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6695.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc279809FC56342B7BDE3465E189CD9B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_uejcowg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6702.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5EA0E7DDB24032A4B71C83F8CB61D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hv3dimn7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES676F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DFAC124FE004C67918EC0DB93CAFA5F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mcwa3b5t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES680C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85C463CFA1D34DB1B19541D27BD4481B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wcf93hw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6879.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5219C276FB14486AEF391B2EA86DD31.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v2xa5tx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6906.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD64876E7FF6D4155A79EEF428E995550.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xq-cbia.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6973.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE01D781B65B47969231EF673299244.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x5rmlmzn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8434D682AB34648809ECDC088B29976.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tn4yqus9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc132A67F344F547EB84F81BF8A5734546.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_2nsbzk9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ACB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8E1FFA8E1B434CBF835F21A4AB3CE.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_c-zvzv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5AD0B3534B144C9087DDFBCCD8D3A530.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dp9uqzrx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15E9EC94693344D1AF3D884E5164D86D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twss7zng.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC82587FF5EA4837A3DFC9AA6B938117.TMP"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6j-p4fyb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72DFC6EC880F42AE971771574796F66B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pmp4mo3k.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1553.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4E128DF5FE4246139261FA38DB384BF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izekdwso.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F06D22CA8204862B8AA10E36D42EE4A.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aybnhc0d.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8184EBBE37F94B33A8807BBE3347761.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\43bxloyt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1786.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15F87B9E08F47849C94F64258E964FD.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_d8pqyp1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1831.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93C6B2C38D514B21AD215436FBB03035.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vt9jrpqc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9A83F53FF534DC69D8E4E31C5A4F9F2.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yxa2ks0q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES193B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A747CB913A46668E371E39E44BBCF.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-jxotqiw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4FF7BB4188E4E9295C1F5EBBE7CA66C.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\adnleeye.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A45.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc106154ECAC2F47A2B640265B41DDD.TMP"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8
C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13140419563017001608,4243381926150374675,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2
C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
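The process list above is the concrete form of several summary signatures: vbc.exe is invoked dozens of times with `/noconfig` and a `.cmdline` response file in `%Temp%`, each time followed by cvtres.exe (the compile-at-runtime pattern behind "Uses the VBS compiler for execution"); a copy of the payload named svchost.exe runs from the user's Startup folder rather than System32; RegSvcs.exe starts with an empty command line, and it is that RegSvcs.exe process which writes the Startup copy; and schtasks re-launches the Startup copy every minute. As an added example, not taken from the report or from any tool it mentions, the Python below triages command lines of that shape. The sample lines are constructed from the report's own entries, and the rule names, the system-binary name list, the CLR-host list and the user-writable path markers are my assumptions to be tuned per environment.

```python
"""Triage sandbox process command lines for the patterns in this report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the report's process list,
# plus one Edge renderer line that should produce no finding.
SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP"',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"',
    r'schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
]

# Assumed lists: tune them to your environment.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
CLR_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def split_cmdline(cmd: str) -> tuple[str, str]:
    """Return (image, arguments); the image may be quoted or a bare token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def triage(cmd: str) -> list[Finding]:
    image, args = split_cmdline(cmd)
    low_image, low_args = image.lower(), args.lower()
    folder, _, name = low_image.rpartition("\\")
    findings: list[Finding] = []

    # vbc.exe/csc.exe driven by a response file in %Temp%: the CodeDOM
    # compile-at-runtime pattern behind "Uses the VBS compiler for execution".
    if name in {"vbc.exe", "csc.exe"} and "/noconfig" in low_args \
            and ".cmdline" in low_args and "\\appdata\\local\\temp\\" in low_args:
        findings.append(Finding("runtime_compile", image, "compiles a .cmdline response file from %Temp%"))

    # A system-binary name running from anywhere but System32/SysWOW64.
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        findings.append(Finding("masquerade_system_name", image, f"{name} outside system directories"))

    # Anything executing straight from the per-user Startup folder.
    if STARTUP_MARKER in low_image:
        findings.append(Finding("startup_folder_exec", image, "runs from the Startup folder"))

    # .NET utility launched with no arguments: it does nothing useful on its
    # own, so it is typically a host for injected code.
    if name in CLR_HOSTS and not args:
        findings.append(Finding("clr_host_no_args", image, f"{name} started with an empty command line"))

    # schtasks /create whose action lives in a user-writable location.
    if name in {"schtasks", "schtasks.exe"} and "/create" in low_args:
        m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', args, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if target and any(marker in target.lower() for marker in USER_WRITABLE):
            every_minute = re.search(r"/sc\s+minute", low_args) is not None
            findings.append(Finding("schtasks_user_writable", image,
                                    f"{'every-minute ' if every_minute else ''}task runs {target}"))
    return findings


def triage_all(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each rule name to the images that triggered it."""
    hits: dict[str, list[str]] = {}
    for cmd in cmdlines:
        for f in triage(cmd):
            hits.setdefault(f.rule, []).append(f.image)
    return hits


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for f in triage(cmd):
            print(f"{f.rule:24} {f.image}  ({f.detail})")
```

The cvtres.exe lines are deliberately not flagged on their own: cvtres.exe is only meaningful as a child of the vbc.exe compile, and parent/child context is not in a flat command-line list. Feed the same rules Sysmon event 1 (with ParentImage) and the compile chain becomes RegSvcs.exe or svchost.exe (Startup) spawning vbc.exe, which is a far stronger signal than either line alone.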
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 81.103.146.3.in-addr.arpa | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| GB | 92.123.128.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.babylon-software.com | udp |
| US | 8.8.8.8:53 | 152.128.123.92.in-addr.arpa | udp |
| US | 174.138.88.129:443 | www.babylon-software.com | tcp |
| US | 174.138.88.129:443 | www.babylon-software.com | tcp |
| US | 8.8.8.8:53 | 129.88.138.174.in-addr.arpa | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | edge.marker.io | udp |
| US | 104.26.15.104:443 | edge.marker.io | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.w.org | udp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 8.8.8.8:53 | api.marker.io | udp |
| US | 104.26.15.104:443 | api.marker.io | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.77.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.15.26.104.in-addr.arpa | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 216.239.32.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 84.63.190.18.in-addr.arpa | udp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
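Most of the Network table is browser traffic from the GitHub page the sample was fetched from (github.com, githubassets, bing, marker.io, s.w.org) plus reverse lookups by the sandbox. The rows that matter are the repeated TCP connections to 0.tcp.ngrok.io on port 19521, which is the "Legitimate hosting services abused for malware hosting/C2" signature: the hostname resolves to 3.146.103.81 early in the run and to 18.190.63.84 later, so the durable indicator is the tunnel hostname and port, not either address. As an added example (not from the report or the sandbox vendor), the Python below parses rows in the table's column layout, separates multicast and DNS traffic from candidate C2, aggregates repeated connections per endpoint, and lists every address a tunnel hostname was actually contacted on. The tunnel-domain suffix list and the set of ports treated as expected for a browser session are assumptions.

```python
"""Pull candidate C2 endpoints out of a sandbox Network table (added example)."""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: rows copied from the report's table (same column
# layout), trimmed to one of each kind of traffic.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 3.146.103.81:19521 | 0.tcp.ngrok.io | tcp |
| US | 18.190.63.84:19521 | 0.tcp.ngrok.io | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
"""

# Assumed: a short list of tunnelling services abused for C2, and the ports
# a browser session is expected to use.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".trycloudflare.com", ".serveo.net")
EXPECTED_PORTS = {80, 443}


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # blank line, header row, or a row that lost a column
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def classify(row: dict) -> list[str]:
    """Reasons a single row is interesting; an empty list means benign-looking."""
    addr = ip_address(row["ip"])
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return ["local_noise"]
    reasons = []
    if row["domain"].endswith(TUNNEL_SUFFIXES):
        reasons.append("tunnel_service")
    if row["proto"] == "tcp" and row["port"] not in EXPECTED_PORTS:
        reasons.append("uncommon_port")
    return reasons


def c2_candidates(rows: list[dict]) -> list[dict]:
    """Aggregate flagged TCP rows per (endpoint, domain), most-contacted first."""
    agg: dict[tuple[str, str], dict] = defaultdict(lambda: {"count": 0, "reasons": set()})
    for row in rows:
        reasons = classify(row)
        if row["proto"] != "tcp" or not reasons or reasons == ["local_noise"]:
            continue
        key = (f'{row["ip"]}:{row["port"]}', row["domain"])
        agg[key]["count"] += 1
        agg[key]["reasons"].update(reasons)
    out = [{"endpoint": ep, "domain": dom, "count": v["count"], "reasons": sorted(v["reasons"])}
           for (ep, dom), v in agg.items()]
    return sorted(out, key=lambda c: (-c["count"], c["endpoint"]))


def tunnel_hosts(rows: list[dict]) -> dict[str, set[str]]:
    """Every address a tunnel hostname was actually connected to over TCP."""
    seen: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        if row["proto"] == "tcp" and "tunnel_service" in classify(row):
            seen[row["domain"]].add(row["ip"])
    return dict(seen)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for c in c2_candidates(rows):
        print(f'{c["endpoint"]:22} {c["domain"]:18} x{c["count"]}  {", ".join(c["reasons"])}')
    print("tunnel hostname -> addresses seen:", tunnel_hosts(rows))
```

When turning this into a block rule, key it on the DNS query for the `*.tcp.ngrok.io` name and on destination port 19521, since `tunnel_hosts` shows the same name moving between two ngrok edge addresses within one two-and-a-half-minute run.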
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a0486d6f8406d852dd805b66ff467692 |
| SHA1 | 77ba1f63142e86b21c951b808f4bc5d8ed89b571 |
| SHA256 | c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be |
| SHA512 | 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a |
\??\pipe\LOCAL\crashpad_4172_WLTNHJVICKGDDAHE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc058ebc0f8181946a312f0be99ed79c |
| SHA1 | 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0 |
| SHA256 | 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a |
| SHA512 | 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b93cf0a97bcf2e32e71f1baca0a65707 |
| SHA1 | 54f77697c8b7550f01b08fedcb0b26ce39a7fe57 |
| SHA256 | 872e6810514b3e46125c4d229e5d311870479698c6335d0c0e7da939bf2e8273 |
| SHA512 | a097392c3d54802dd62e045885526baff8cba7ab6a40f34ede595a29fab4e125f653d560e4c9628c7f3b91898972c3cc04a3a8ad65c250c3490f39a9f68cbbd7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\90be4c28-7ce6-4f8c-957d-6a250c51f848.tmp
| MD5 | b80937429b78cc91a4975a4f6954687f |
| SHA1 | 7238181e7ec4a06cc6a319694da1f58a553b7e7f |
| SHA256 | 623cd871462a3b3c1e051699e0d57a93583ee4147dd212f9fc10a5a3e6e5d0be |
| SHA512 | eb8fafa69d140181d9af391617c12e5a36ce65c0bc278ca151de6bc382efd0af564c551add4273d84640a02e6bc3839f0f46725285eba893b35313a948d8b488 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0f97563a3618c66d8765c41e2159ceec |
| SHA1 | 18a14fb68be484a4dc082a1b93b3d15f978fe1c5 |
| SHA256 | 9766656d882b69cb91f6e7792dc0d3333b57cbdafa8841a225f085489684f703 |
| SHA512 | 9ba5194a4ee71f37ae5f0faedeea199710647104596e42f701790b0853e7d886a2ac86641d39e44727863bdb718b5a314864584ab4037be4a926ae564a90cc90 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5ff05fd9cf22435dbede0b68f8bdf808 |
| SHA1 | b746101f3c3904e0024cb0a76df99764a00a72c5 |
| SHA256 | 069a73f6086ba241f0f8a1b562a043e8a7796751231745a4169f071848fdb16e |
| SHA512 | 707d9dd274ec9167f9c1bcf5b5a5850e403c78c7d7fe10c09730c4b2f710ef4d8d14b9f66adb9c76278007022d4bc313246d54b0afa22f85e2c2d7a97b25c7a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | cf1a920fec4a18f7291960245e856278 |
| SHA1 | ae52b2294679640cdf27f318c664f098a68735fb |
| SHA256 | 56484e8581a72657aaada1fc1d17cf826f076e849fa9f106d78d15f57bd7a194 |
| SHA512 | 633636a9abc8d01bb5c9ff814751dc84717fbaf9afdd3c67588f3725ea8d36da7871996123ce276462df15872ad79accf2cd346b23d11bc794e37b5ec865d992 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c841.TMP
| MD5 | 0ea2c18590a9a8c05980e9cb1dc4fe4d |
| SHA1 | 0784a0ab1b72259c541241a603712e0e71b0257c |
| SHA256 | 1e453c6f76bac87108ff70ba1cef9e16499e8e98d9b9353d548fc93791718d89 |
| SHA512 | d6aa001cee8666d57985c7a8706feddc607561fb576c07404e6edfcb3f9672b9e976b3470eada010b69c3ea9b8cdc82909dbff93520a1f1ef2e43ad50183cf9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b5333db43abfefd58f35922e6ccf9ff4 |
| SHA1 | 00fa19e0fae65020a5670108247047c5a2d87671 |
| SHA256 | ebf967afef592cec9838d512fb38f6c754c390982910ac186eacd28888a17940 |
| SHA512 | e5242c9ca764f900bbeb6ab88fa835fbd633be780427d17ca94e2b9ba0683f3bb278645b3e8b5e36203d1753c7e26f53dac086d230cb126aa6737ccbd4c79fe3 |
C:\Users\Admin\Downloads\Unconfirmed 407536.crdownload
| MD5 | 1d9045870dbd31e2e399a4e8ecd9302f |
| SHA1 | 7857c1ebfd1b37756d106027ed03121d8e7887cf |
| SHA256 | 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885 |
| SHA512 | 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 51988a079f7286c17dcef68e0331cc69 |
| SHA1 | 3eb4770bfaa47778a692352dd4a2db438d8582b4 |
| SHA256 | 18d85026f9c7a21f6538ad94adffac3162d1d7a41e25e90f027b910f372e61ff |
| SHA512 | 44356685cddeba87a1d993417a03bce96e43d228915a6b4681fd4cf375143c32edff221b28488600650506ca50690b7959d1dfbe2d9103649429e2b792ead297 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c792a6c9e6ea7a208ece2a84e19d37f8 |
| SHA1 | d8f9607ab4dfeadd088ea8f60708396b73a0fddb |
| SHA256 | 5b1f301fda9fbe22021d08fdedda48fadd060987b30c97db0e0f09a4f1d3c43c |
| SHA512 | fe1d95314e72a932b6c0d7ddf6533ccc5139dc84d314fea474e2074a8de99bf8ba7c72974783b5a6b7910f6b2a5033b6b13dca1e10732682e7c5128dd96dbaae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 77d5b85a5c3bdaeb8c3d2d20c8d6724d |
| SHA1 | 4f345521afa6c43427783a3201fa4a5159e3a6f2 |
| SHA256 | 4d57a604522d6a3492d5ea2123d5e8fa46d35a41702e1664d29ac5b49360244c |
| SHA512 | bf76fdbcfdb12c7f27bc7a479bb7ee09ae191642513c6d2004bdd333a10523cf0c014b28bbd92623d2370a7009e76e657455506eb90d241d67c2ac66782fd8fa |
memory/4240-256-0x000000001C180000-0x000000001C64E000-memory.dmp
memory/4240-257-0x000000001C650000-0x000000001C6F6000-memory.dmp
memory/4240-258-0x000000001C7C0000-0x000000001C822000-memory.dmp
memory/3704-260-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
| MD5 | 502984a8e7a0925ac8f79ef407382140 |
| SHA1 | 0e047aa443d2101eb33ac4742720cb528d9d9dba |
| SHA256 | d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c |
| SHA512 | 6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17 |
memory/2000-261-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 50dec1858e13f033e6dca3cbfad5e8de |
| SHA1 | 79ae1e9131b0faf215b499d2f7b4c595aa120925 |
| SHA256 | 14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4 |
| SHA512 | 1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4ab4026107e9ba34a94ed61f8f6ffa34 |
| SHA1 | d695f79df86461b5f8113018b30c2d67b0298825 |
| SHA256 | ac4d80bf786e2d1af5906febc5a6c5da86a3a5cf5a675a12476ce0383333d7d2 |
| SHA512 | ba5bdbec7c94f0ec85736e94f03548ae0e61d76351192658190d33aab67bfa0099080237f25416a9a28f422e710045c7d148a85ecc65f60605a2f3e7a114c4cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3926723650c90eba55a49584940dcdd3 |
| SHA1 | ee7cfcb23ce9adf2324b0e1ce2c99da4289f4376 |
| SHA256 | 97e6ef4981bf38f249834fe4868e0de05eb4c421de0ec313dffa41fa20e660aa |
| SHA512 | a86ed7907a0f33b41d7242d79bdb6055775f77d08f75cd070df218e4e037a25191c0ab7503674ea11c2fa0d13a2763bf887df3f135dc1b5c5dd30b6e753420a3 |
C:\Users\Admin\AppData\Local\Temp\l6byebaj.cmdline
| MD5 | 939aba9847aa265cb05df77c37bfd9ff |
| SHA1 | 23cd94487ebb9c133917ef5de983f60422faa420 |
| SHA256 | 9de024d98e43660c0f414a9e1b446201493a14183f8a1a8ec89e0c5da5e4eefc |
| SHA512 | f6384c64e25815c5e485555a5be1a39fcd58c7aa5908cd80940fa4ca9be1665f11b0322f23f3c7daa70c59288ab4b6a2157e7949fdcb68d0bbc1b97b48246b32 |
C:\Users\Admin\AppData\Local\Temp\l6byebaj.0.vb
| MD5 | e4a08a8771d09ebc9b6f8c2579f79e49 |
| SHA1 | e9fcba487e1a511f4a3650ab5581911b5e88395d |
| SHA256 | ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6 |
| SHA512 | 48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1 |
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
C:\Users\Admin\AppData\Local\Temp\vbc26BAC2AA33654911B639487A3D937F.TMP
| MD5 | 249d49f34404bfbe7ed958880be39f61 |
| SHA1 | 51ec83fb9190df984bf73f2c5cd1edc0edf1882a |
| SHA256 | fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b |
| SHA512 | 082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98 |
C:\Users\Admin\AppData\Local\Temp\RES62CC.tmp
| MD5 | fbf2b7e8a2059a31c57c10d73ff7d89c |
| SHA1 | de705bae1945e17a05afeac72286a1896db50a52 |
| SHA256 | 4a573d6e4477fa5e1d490909b84fba4180e62ccaec0ea128197ff59b205834eb |
| SHA512 | a57de3f53bf4c0ce467da5014ee0214afed232de178482b5cb5ac3b5ff3b2a60e3911f9455122d572421b049ccc336649207e6422a802e0fb3dd9a06fe9b86a4 |
C:\Users\Admin\AppData\Local\Temp\kbhszdoo.cmdline
| MD5 | e6f7d786e7ac57ee96c036bc887be448 |
| SHA1 | eef5a9df8a75a74d525396b95f8df8bd12e279e6 |
| SHA256 | 8a27ff0e70a1084a81bc2650aeb33214d9362ec0a8b3117ec663c517aa2423bb |
| SHA512 | 7cf6f661d276c0f1a68aecf2629d1b68d5813f0351ec924758910fbc795f17a5b860fa31b77ee37cb514bdfec5e21d102d5f5eb879803334715cebc2688544a8 |
C:\Users\Admin\AppData\Local\Temp\kbhszdoo.0.vb
| MD5 | acd609faf5d65b35619397dc8a3bc721 |
| SHA1 | ba681e91613d275de4b51317a83e19de2dbf1399 |
| SHA256 | 4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518 |
| SHA512 | 400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c |
C:\ProgramData\svchost\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\vbc12E98CF41EBC496AAFF81472E9CB5715.TMP
| MD5 | abeaa4a5b438ffa58d07d9459e5c1d6c |
| SHA1 | 69631de7891162dd4840112a251f6531feae7509 |
| SHA256 | ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd |
| SHA512 | c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4 |
C:\Users\Admin\AppData\Local\Temp\RES6359.tmp
| MD5 | 5c64f1b5ca17b58215438743e35bfb62 |
| SHA1 | b0b2b2f5f6bcc840833bed6655f223c9b8cdd716 |
| SHA256 | a8d1fd37be7afcbd86b082e76481f25563b927f265a3f5c4596ee3c16219ae9e |
| SHA512 | fc339316dd59f456578d24a99db32cb07b7769a94d4db36e30d851e01c23c2a27583c539e451f253bc936dcea85d86ddf42d70a50d4a12c32668e3a82f466b25 |
C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.cmdline
| MD5 | d9b77752812585f57f60eb33b1f5c91a |
| SHA1 | 1dfdecef3ec86da9be894e5a2fa20ef7e079a9af |
| SHA256 | 196ce16a783f03b65bb1864eaf402c7151399238d3fc37af24a893009bf32fde |
| SHA512 | 82c963cd3fc81b31701a8bf2cacb9b3a18a984b8e7d64402e2f358d484590cf8bd0709ed3e63d31f084c404104316a9596d53f4b4679c5180b184a82d39cf43f |
C:\Users\Admin\AppData\Local\Temp\rw9aj8wu.0.vb
| MD5 | 83f6067bca9ba771f1e1b22f3ad09be3 |
| SHA1 | f9144948829a08e507b26084b1d1b83acef1baca |
| SHA256 | 098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231 |
| SHA512 | b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19 |
C:\Users\Admin\AppData\Local\Temp\vbc89D2D48C51415E9DA4B9DE10298AE7.TMP
| MD5 | d01de1982af437cbba3924f404c7b440 |
| SHA1 | ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce |
| SHA256 | 518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598 |
| SHA512 | a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878 |
C:\Users\Admin\AppData\Local\Temp\RES63D6.tmp
| MD5 | 6c5bf6deb14ec1ad5ce3e6c4c2f9149d |
| SHA1 | f650074727497218ec23f3bafa600d4a2ebe859b |
| SHA256 | 4d93a92c914d1ae5889a5c03124aaba2d00a54945e879863e70b1259d15a0af3 |
| SHA512 | 07aefc02e5bc2a57791c845dd107f573872431aac78363ebb65e010caa872e3f9cdfbd3172c5096a0ced900fb66c7e1770d6ab57074ecb157005bd632739b53f |
C:\Users\Admin\AppData\Local\Temp\10jowses.cmdline
| MD5 | c372eb1edace91735e6f6417eba5738a |
| SHA1 | a254128eb1803ec320ea6c0d87e86d88abaf4916 |
| SHA256 | 7606f1c7f6c8b021e5fbbf8942c56adb98b1cd68e06d35320f78dafa07af874c |
| SHA512 | 5d094a44f216da437a8485364e6944767e60e9a1a8e878c5a9f1038f034e4b226f100c3ae2b8287f5f34b45fcefd64aa88805f733920d935be21acea64215ca7 |
C:\Users\Admin\AppData\Local\Temp\10jowses.0.vb
| MD5 | 6e4e3d5b787235312c1ab5e76bb0ac1d |
| SHA1 | 8e2a217780d163865e3c02c7e52c10884d54acb6 |
| SHA256 | aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706 |
| SHA512 | b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8 |
C:\Users\Admin\AppData\Local\Temp\vbcE84D620892B64FC890CFA4D1417BCD52.TMP
| MD5 | d56475192804e49bf9410d1a5cbd6c69 |
| SHA1 | 215ecb60dc9a38d5307acb8641fa0adc52fea96c |
| SHA256 | 235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee |
| SHA512 | 03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51 |
C:\Users\Admin\AppData\Local\Temp\RES6433.tmp
| MD5 | cfe180e287783f450652689dae32f0a7 |
| SHA1 | d8d97fff369318e09d3ded101a255971e88c628e |
| SHA256 | 764494055e6c3093e2f6a98e6573d17e334b3efee3a003c20942522de6f248da |
| SHA512 | a53ea746faf4ff634be1533f809ab1770c13a5654e622945ab5d836fc245c761f2e825df26706c900cfeb44fa8d401adbdbb55c9c0e1911b4afff183b23ba9be |
C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.cmdline
| MD5 | 56aff9f7c1f5530adaf4d1acf6a5bff9 |
| SHA1 | 35c8bd1723cd9b13dc5afc825d72640011cc7449 |
| SHA256 | ff9e70870a953d7e4823bbf6fd3b525428575d8cfcbec130b03964fb206ca031 |
| SHA512 | 5eaac03ac4f633d197c56bbfefcffb79c365ee6f946def64231367b2270e3ff04f311798d1b76a93c0e3397294bc9d908c66c94cc24ca7f12363cfac48cb02db |
C:\Users\Admin\AppData\Local\Temp\q5r2rjk1.0.vb
| MD5 | 197e7c770644a06b96c5d42ef659a965 |
| SHA1 | d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc |
| SHA256 | 786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552 |
| SHA512 | 7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7 |
C:\Users\Admin\AppData\Local\Temp\vbcEBBE0F51E7148589E3B643A721A45E6.TMP
| MD5 | 2f97904377030e246bb29672a31d9284 |
| SHA1 | b6d7146677a932a0bd1f666c7a1f98f5483ce1f9 |
| SHA256 | 7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f |
| SHA512 | ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54 |
C:\Users\Admin\AppData\Local\Temp\RES64B0.tmp
| MD5 | c2d90c4b53c7ad51ee6be498f04a02df |
| SHA1 | 8eadfbda734960140227402a269ee115acc2faf6 |
| SHA256 | ac178ecf936981a6152eadbc51eebf90ff245e36cb86575d8322b30053e93faa |
| SHA512 | 1be70f038d8cce17e577c49bd688192b0fea940ca8cc9f5408121c2c6206f06e938a0984bff2220788a1b3a8b2fabed704217db790e0d450680b235382318394 |
C:\Users\Admin\AppData\Local\Temp\ux61ifzm.cmdline
| MD5 | 37c2d92af52e40ff578c39fb90320790 |
| SHA1 | ac734a1b9db34302664a23a8154cef2982a5f9ea |
| SHA256 | be3f70f8bc2402ca5a2836d16ed34980cd21ed3a6d7989c5c583f2090a1f13dc |
| SHA512 | a323c2271aabdd863e3498fcc3a85a6ae2938487316f470f9ed0b099b7b3315a40c0e7a2045b9664d6e2c945c4f67e8e7b3a2fc8b878a9e5d35f0d0eeedc1ec0 |
C:\Users\Admin\AppData\Local\Temp\ux61ifzm.0.vb
| MD5 | 7a8e43324d0d14c80d818be37719450f |
| SHA1 | d138761c6b166675a769e5ebfec973435a58b0f4 |
| SHA256 | 733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909 |
| SHA512 | 7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715 |
C:\Users\Admin\AppData\Local\Temp\vbc1223C8E0E6D0480EA570F5CDEA7D527.TMP
| MD5 | 5fb831248c686023c8b35fa6aa5f199c |
| SHA1 | 39760507c72d11c33351b306e40decaad7eb2757 |
| SHA256 | d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908 |
| SHA512 | 2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea |
C:\Users\Admin\AppData\Local\Temp\RES651E.tmp
| MD5 | f27d8b61067fb917ea1b3966a7e17d0b |
| SHA1 | 77cb26ce170c239334c89045a357f020412017c0 |
| SHA256 | d4df9be29c9fb5d9042bef2f891810e825aaeca9326b35dfb4b4972269c36f6a |
| SHA512 | b92e3357f04de9f99c931e2bdd9032948f4a7a720721b253d771b97489877f8aa2ff742fb2a266ff45cef5a30583c5006cbe9dd6f93a287329c601a6e60c1341 |
C:\Users\Admin\AppData\Local\Temp\mujz4is8.cmdline
| MD5 | 0098fbe000c2c8779f87dc28475b69e7 |
| SHA1 | da05124760c8a9ab645de523e81c08a20c037c42 |
| SHA256 | fe652f278962bd000c61ca1a74cd7b561cb25cb5df115adef50fd0c2c3de13c1 |
| SHA512 | c3dc7f8b8c6ce81311e9df8926239a527a80d6b9a916bbc479079f26b4a672db991fdda5ec969aab07b872f898cd07ed8ff90713b7460d7a769b1a0a0f8b1e0f |
C:\Users\Admin\AppData\Local\Temp\mujz4is8.0.vb
| MD5 | 7d0d85a69a8fba72e1185ca194515983 |
| SHA1 | 8bd465fb970b785aa87d7edfa11dbff92c1b4af6 |
| SHA256 | 9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5 |
| SHA512 | e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989 |
C:\Users\Admin\AppData\Local\Temp\vbcE26DAE25F96546C094826C6D195CAE.TMP
| MD5 | 2f824fea57844a415b42a3a0551e5a5a |
| SHA1 | 0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4 |
| SHA256 | 803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee |
| SHA512 | 7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008 |
C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp
| MD5 | e6b607c00f55fd3566b9ade9c84d20a9 |
| SHA1 | c4b42d607577976da8f62a972a683ef1c889fe6f |
| SHA256 | d69459a98d87915c00b948bca000f9207f357339a78d9fa0d9569c88443b3172 |
| SHA512 | 416ab6f0aa4cd3b14d731fcdbf6039c14c1cf4d07b83c516c142a8205d2d90ecaef158b2aeea6e3f6ce24d59d12c88575330218bd309939b7386d0fb57873566 |
C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline
| MD5 | b238ce094ff15d6462af334a8128136c |
| SHA1 | ca0756f4757284e3384f966890b9330e1a9c7a4b |
| SHA256 | 92edf08190397cb87935c4fe292a0cd4530d5cfc98a90e62929eacc8bd298bb7 |
| SHA512 | b4a0258ffa7974765769b265132e708eea60983537ec865dffdc14bba313a0d6285b627f2b0f86c1cfb898b1f05f49f429fe6c3f20f12fa76af71781c05d8dd5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 5022b10efc3c6d669ded7960cc594a19 |
| SHA1 | a79ad985b345f09f5f4f265ba1867800ab4d3be1 |
| SHA256 | a6c395932ed70d3a45247d91c6593b48d6d389a52aa806ad484aef62b63c8e53 |
| SHA512 | a496101a7c30b7205f91698eec23c53b52d80a24a2208f3184733b905fd34066163df9688e00856278fc536fd955bcb0d2c62f3561f28718e378a08754c53c00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3831324f9d35ce2354166dc649f4ddae |
| SHA1 | 4589397ab866399b891e32cbc061db05d7cad9d5 |
| SHA256 | 0d6fc4aaca00362adaeda781aa61cda08d5d266660f8c38dd053e1e0a9d9f9c2 |
| SHA512 | 25db484386f0e93d588349ff28e2e1bcdb09f297ed83b8422772ac95fc00f66fd0e6e0c4dd3eedd099971e6f5f33b72d0f82d66c1e93481411a848828199808b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | db56dea6fff0ecd175eade83a8f121ec |
| SHA1 | 8fcfed0ac2be5533afaf793d43369f6988d30395 |
| SHA256 | 8898bd1bb1ba40a5391d203b92ad085bce67a6273b4e5c81298aae35754a6d6a |
| SHA512 | daf16512ff003cb5600b3c9ee3e3309971b31eeeac3724875b267f5dec45c15e7c8074c900f7b68b710ef5f47fd1f91e022cf878abef5e0d723f8dbd3ce8eda9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 371eaefb7107e00d8b5e42a8f9ebdb96 |
| SHA1 | 24cfc75d24e587e834f1f084424b6fe6c8ffc512 |
| SHA256 | 594a246b16cf7fca3aa2a9be651c3f4f9328fecd22937840d52d4af97aaa3484 |
| SHA512 | f826ebf23d02adbeb14d51525ac2c6c157fd8bd9c5809107a6ed98e9e2b6f72c44d45cec61c1a606610d34e38f1aa9d0ed5e3ce1db5559c848ffb4db6abdb6ac |
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen
| MD5 | 4047530ecbc0170039e76fe1657bdb01 |
| SHA1 | 32db7d5e662ebccdd1d71de285f907e3a1c68ac5 |
| SHA256 | 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750 |
| SHA512 | 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e |
C:\Users\Admin\AppData\Local\Temp\vbc8184EBBE37F94B33A8807BBE3347761.TMP
| MD5 | 3906bddee0286f09007add3cffcaa5d5 |
| SHA1 | 0e7ec4da19db060ab3c90b19070d39699561aae2 |
| SHA256 | 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00 |
| SHA512 | 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0 |
C:\Users\Admin\AppData\Local\Temp\vbc15F87B9E08F47849C94F64258E964FD.TMP
| MD5 | 85c61c03055878407f9433e0cc278eb7 |
| SHA1 | 15a60f1519aefb81cb63c5993400dd7d31b1202f |
| SHA256 | f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b |
| SHA512 | 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756 |
C:\Users\Admin\AppData\Local\Temp\vbcA9A83F53FF534DC69D8E4E31C5A4F9F2.TMP
| MD5 | dac60af34e6b37e2ce48ac2551aee4e7 |
| SHA1 | 968c21d77c1f80b3e962d928c35893dbc8f12c09 |
| SHA256 | 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6 |
| SHA512 | 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 387de02eeb0de6b3cfe1a52ea551838a |
| SHA1 | b96a26e16406257c9ef9773eb84569add649a7d2 |
| SHA256 | 2b08b400243b9f042b77934852ac0397eabcd3ef77c1b58a72520d6aa0c76974 |
| SHA512 | a29ab01682554dbeff239908682dc168691e5a3365fa32e4d3048eae0ecc27eb64878f72fbe0e974bc8591c635209a19baa99ca1618a106996e2115cabe319ce |
C:\Users\Admin\Downloads\Unconfirmed 325967.crdownload
| MD5 | cce284cab135d9c0a2a64a7caec09107 |
| SHA1 | e4b8f4b6cab18b9748f83e9fffd275ef5276199e |
| SHA256 | 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9 |
| SHA512 | c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f84745e0fbf89179b60574ef50fa9521 |
| SHA1 | 73f0d379fe256cf6b3d7772550165df996ae4efb |
| SHA256 | 9bf3093e130207541535c9c6b3c7e403a969c970a0975251bbe2e2b26d9e67c3 |
| SHA512 | 577f952bdc95604531a25a23d3d6d6db842b71c46c1f0322aa34cb74339194ab987c66feef8f5fb8d648b2b4ac625de5895e103a17fdb40b8925212acc60636e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a02e45c6e4c1e045924e947853f2930 |
| SHA1 | c1d39dbc7286d8b51552804481e5c78a7e28af4d |
| SHA256 | 767bc221650056e632cbf9cf731e9a90e16caee5e8d306d4877a5d86718ef3f7 |
| SHA512 | 0718d12798fbfdfc3072065adb26d68d9b62fde5e1736421f04ff3144eecdd11be28e43b7855a65a7ce1c5bfda6c74e61870713f595ee06a9f9d903c459c50cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a276eea65ec4c51f927dd109f5999641 |
| SHA1 | 820d6a5cd299052e6aaa445a67632bf00c6a0b15 |
| SHA256 | dd3ff329f01fde362ffe853fb9beecad5f1ddfa8bf27f3e935178642df80981c |
| SHA512 | fdb1c38ff5ad7e7ff1f9a8e0c8007b97ecaf262ed08c05ac8c8d78d942d0ecaa63d29115253fff55878d453ed00dfd7b402a406b240aa09221659dcaee975857 |
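The dropped-file list above is raw sandbox output. Three naming patterns in it carry the detection value: the `svchost.exe:SmartScreen` entry is an executable written into an NTFS alternate data stream (the "NTFS ADS" signature), the `svchost.exe` copies in the Startup folder and the `C:\ProgramData\svchost\` directory are name masquerading outside System32, and the `<8 chars>.cmdline` / `<8 chars>.0.vb` / `RES<hex>.tmp` / `vbc<hex>.TMP` files in `%TEMP%` are what a .NET process leaves behind when it compiles VB.NET source at run time through `vbc.exe` (the "Uses the VBS compiler for execution" signature). The following Python helper is an added example, not part of the report or of any vendor tooling: it parses a few entries copied from this page, tags each path with those heuristics (the patterns and tag names are the editor's own), and emits SHA256 indicators for the suspicious ones. The Edge profile files are tagged separately because the browser writes them itself during the run and they should not be treated as indicators.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: six entries copied from the dropped-files list on
# this page (a path line followed by its hash rows, or a memory-dump line).
REPORT_SNIPPET = r"""
C:\Users\Admin\AppData\Local\Temp\pel7kqzx.cmdline
| MD5 | b238ce094ff15d6462af334a8128136c |
| SHA1 | ca0756f4757284e3384f966890b9330e1a9c7a4b |
| SHA256 | 92edf08190397cb87935c4fe292a0cd4530d5cfc98a90e62929eacc8bd298bb7 |
| SHA512 | b4a0258ffa7974765769b265132e708eea60983537ec865dffdc14bba313a0d6285b627f2b0f86c1cfb898b1f05f49f429fe6c3f20f12fa76af71781c05d8dd5 |
C:\Users\Admin\AppData\Roaming\svchost.exe:SmartScreen
| MD5 | 4047530ecbc0170039e76fe1657bdb01 |
| SHA1 | 32db7d5e662ebccdd1d71de285f907e3a1c68ac5 |
| SHA256 | 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750 |
| SHA512 | 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e |
memory/3704-260-0x0000000000400000-0x0000000000420000-memory.dmp
C:\ProgramData\svchost\vcredist2010_x64.log.ico
| MD5 | bb4ff6746434c51de221387a31a00910 |
| SHA1 | 43e764b72dc8de4f65d8cf15164fc7868aa76998 |
| SHA256 | 546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506 |
| SHA512 | 1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1 |
C:\Users\Admin\AppData\Local\Temp\RES65AA.tmp
| MD5 | e6b607c00f55fd3566b9ade9c84d20a9 |
| SHA1 | c4b42d607577976da8f62a972a683ef1c889fe6f |
| SHA256 | d69459a98d87915c00b948bca000f9207f357339a78d9fa0d9569c88443b3172 |
| SHA512 | 416ab6f0aa4cd3b14d731fcdbf6039c14c1cf4d07b83c516c142a8205d2d90ecaef158b2aeea6e3f6ce24d59d12c88575330218bd309939b7386d0fb57873566 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a02e45c6e4c1e045924e947853f2930 |
| SHA1 | c1d39dbc7286d8b51552804481e5c78a7e28af4d |
| SHA256 | 767bc221650056e632cbf9cf731e9a90e16caee5e8d306d4877a5d86718ef3f7 |
| SHA512 | 0718d12798fbfdfc3072065adb26d68d9b62fde5e1736421f04ff3144eecdd11be28e43b7855a65a7ce1c5bfda6c74e61870713f595ee06a9f9d903c459c50cb |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

# Temp-file names left by run-time VB.NET compilation via vbc.exe: an
# 8-character random stem for the response file (.cmdline) and source (.0.vb),
# plus RES<hex>.tmp and vbc<hex>.TMP intermediates. This pattern is the
# editor's reading of the names on this page, not a vendor definition.
VBC_ARTIFACT = re.compile(
    r"^(?:[a-z0-9]{8}\.(?:cmdline|0\.vb)|RES[0-9A-F]{4}\.tmp|vbc[0-9A-F]+\.TMP)$")

# svchost.exe legitimately lives only here; anywhere else the name is borrowed.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Tags that make an artifact worth exporting as an indicator.
SUSPICIOUS = {"ntfs_ads", "vbc_compile_artifact",
              "startup_folder_persistence", "svchost_masquerade"}


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)
    tags: list = field(default_factory=list)
    pid: Optional[int] = None  # only set for memory-dump entries


def classify(path: str) -> list:
    """Heuristic tags for one dropped-file path (editor's heuristics)."""
    tags = []
    low = path.lower()
    basename = path.rsplit("\\", 1)[-1]
    # "svchost.exe:SmartScreen" -> file "svchost.exe", stream "SmartScreen"
    filename, _, stream = basename.partition(":")
    if stream:
        tags.append("ntfs_ads")
    if VBC_ARTIFACT.match(filename):
        tags.append("vbc_compile_artifact")
    if "\\start menu\\programs\\startup\\" in low:
        tags.append("startup_folder_persistence")
    if "svchost" in low and not low.startswith(SYSTEM_DIRS):
        tags.append("svchost_masquerade")
    if "\\microsoft\\edge\\user data\\" in low:
        tags.append("browser_profile")  # browser's own writes, not an IOC
    return tags


def parse_report(text: str) -> list:
    """Group path lines with the hash rows that follow them."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        m = MEM_DUMP.match(line)
        if m:
            current = Artifact(line, tags=["memory_dump"], pid=int(m.group(1)))
            artifacts.append(current)
            continue
        if WIN_PATH.match(line):
            current = Artifact(line, tags=classify(line))
            artifacts.append(current)
    return artifacts


def extract_iocs(artifacts: list) -> list:
    """(SHA256, path) for every hashed artifact carrying a suspicious tag."""
    return [(a.hashes["SHA256"], a.path) for a in artifacts
            if "SHA256" in a.hashes and SUSPICIOUS & set(a.tags)]


if __name__ == "__main__":
    arts = parse_report(REPORT_SNIPPET)
    for a in arts:
        print(f"{','.join(a.tags) or '-':45} {a.path}")
    for sha256, path in extract_iocs(arts):
        print(sha256, path)
```

Run against the full list on this page the same parser yields one indicator per suspicious entry; the memory-dump lines carry no hash and are kept only for their PID, which ties them back to the process tree elsewhere in the report. Note that the `SmartScreen` stream name is chosen to blend in with the small marker streams Windows itself attaches to downloaded files, so a stream listing that filters only on `Zone.Identifier` would miss it.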