revengerat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

20-10-2024 00:05

241020-adhe3aygrj 3

20-10-2024 00:04

19-10-2024 23:57

19-10-2024 23:54

19-10-2024 23:50

19-10-2024 23:42

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

revengerat warzonerat guest discovery infostealer persistence rat rezer0 stealer trojan

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/5900-328-0x0000000005C50000-0x0000000005C78000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 841585.crdownload	revengerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/6072-337-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/6072-335-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WarzoneRAT.exeWarzoneRAT.exeAdwereCleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe

Drops startup file 3 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 10 IoCs

Processes:

RevengeRAT.exeWarzoneRAT.exeWarzoneRAT.exesvchost.exebutterflyondesktop.exebutterflyondesktop.tmpButterflyOnDesktop.exeAdwereCleaner.exe6AdwCleaner.exesvchost.exe

pid	process
4492	RevengeRAT.exe
5900	WarzoneRAT.exe
6116	WarzoneRAT.exe
2824	svchost.exe
5932	butterflyondesktop.exe
2152	butterflyondesktop.tmp
3184	ButterflyOnDesktop.exe
5124	AdwereCleaner.exe
5404	6AdwCleaner.exe
4704	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

butterflyondesktop.tmpRegSvcs.exe6AdwCleaner.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

101 0.tcp.ngrok.io
197 0.tcp.ngrok.io
206 0.tcp.ngrok.io
67 raw.githubusercontent.com
68 raw.githubusercontent.com
80 0.tcp.ngrok.io

flow	ioc
101	0.tcp.ngrok.io
197	0.tcp.ngrok.io
206	0.tcp.ngrok.io
67	raw.githubusercontent.com
68	raw.githubusercontent.com
80	0.tcp.ngrok.io

Suspicious use of SetThreadContext 8 IoCs

Processes:

RevengeRAT.exeRegSvcs.exeWarzoneRAT.exeWarzoneRAT.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 4492 set thread context of 1552	4492	RevengeRAT.exe	RegSvcs.exe
PID 1552 set thread context of 4720	1552	RegSvcs.exe	RegSvcs.exe
PID 5900 set thread context of 6072	5900	WarzoneRAT.exe	MSBuild.exe
PID 6116 set thread context of 3068	6116	WarzoneRAT.exe	MSBuild.exe
PID 2824 set thread context of 4644	2824	svchost.exe	RegSvcs.exe
PID 4644 set thread context of 5524	4644	RegSvcs.exe	RegSvcs.exe
PID 4704 set thread context of 5268	4704	svchost.exe	RegSvcs.exe
PID 5268 set thread context of 5264	5268	RegSvcs.exe	RegSvcs.exe

Drops file in Program Files directory 6 IoCs

Processes:

butterflyondesktop.tmp

description	ioc	process
File created	C:\Program Files (x86)\Butterfly on Desktop\is-DV34T.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-I3HLV.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-G7M9F.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-K8129.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.execvtres.exevbc.exevbc.execvtres.exevbc.exevbc.execvtres.execvtres.execvtres.execvtres.execvtres.exevbc.execvtres.exeschtasks.execvtres.execvtres.execvtres.execvtres.execvtres.exevbc.execvtres.execvtres.exevbc.exevbc.execvtres.exeRegSvcs.exeRegSvcs.exevbc.exeWarzoneRAT.exeschtasks.exeMSBuild.execvtres.execvtres.exeRegSvcs.execvtres.exeRegSvcs.exevbc.exevbc.execvtres.exevbc.execvtres.exeRegSvcs.exeAdwereCleaner.exeMSBuild.exevbc.exevbc.exebutterflyondesktop.tmpButterflyOnDesktop.execvtres.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.execvtres.exeRegSvcs.exevbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 808760.crdownload	nsis_installer_1
C:\Users\Admin\Downloads\Unconfirmed 808760.crdownload	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

6AdwCleaner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe

NTFS ADS 7 IoCs

Processes:

msedge.exeWarzoneRAT.exeRegSvcs.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 745059.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 718665.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 808760.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 841585.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

6024 schtasks.exe
5152 schtasks.exe
6120 schtasks.exe

pid	process
6024	schtasks.exe
5152	schtasks.exe
6120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeWarzoneRAT.exeWarzoneRAT.exemsedge.exemsedge.exemsedge.exe

pid	process
1632	msedge.exe
1632	msedge.exe
2032	msedge.exe
2032	msedge.exe
4580	identity_helper.exe
4580	identity_helper.exe
1328	msedge.exe
1328	msedge.exe
5792	msedge.exe
5792	msedge.exe
5900	WarzoneRAT.exe
5900	WarzoneRAT.exe
5900	WarzoneRAT.exe
5900	WarzoneRAT.exe
6116	WarzoneRAT.exe
6116	WarzoneRAT.exe
6116	WarzoneRAT.exe
6116	WarzoneRAT.exe
6116	WarzoneRAT.exe
6116	WarzoneRAT.exe
4884	msedge.exe
4884	msedge.exe
5852	msedge.exe
5852	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe
4192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

RevengeRAT.exeRegSvcs.exeWarzoneRAT.exeWarzoneRAT.exesvchost.exeRegSvcs.exe6AdwCleaner.exesvchost.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4492	RevengeRAT.exe
Token: SeDebugPrivilege	1552	RegSvcs.exe
Token: SeDebugPrivilege	5900	WarzoneRAT.exe
Token: SeDebugPrivilege	6116	WarzoneRAT.exe
Token: SeDebugPrivilege	2824	svchost.exe
Token: SeDebugPrivilege	4644	RegSvcs.exe
Token: SeDebugPrivilege	5404	6AdwCleaner.exe
Token: SeDebugPrivilege	4704	svchost.exe
Token: SeDebugPrivilege	5268	RegSvcs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exebutterflyondesktop.tmpButterflyOnDesktop.exe

pid	process
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2152	butterflyondesktop.tmp
3184	ButterflyOnDesktop.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exeButterflyOnDesktop.exe

pid	process
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
3184	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6AdwCleaner.exe

pid process

5404 6AdwCleaner.exe
5404 6AdwCleaner.exe

pid	process
5404	6AdwCleaner.exe
5404	6AdwCleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2032 wrote to memory of 3104	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 3104	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1436	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1632	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1632	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 1748	2032	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6d6546f8,0x7ffb6d654708,0x7ffb6d654718
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4256 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9skuamjc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5304
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6741.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6827BF6F77BA43EF8B84C810FA8B3419.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8uhwxnov.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5316
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6771A24BF454FF08BB2749E90D842.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jsllrjdl.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5412
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES685A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6448C125134D48A5DA49FE85869CA0.TMP"
        5⤵
        
        PID:5520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o0u2twsh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5640
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc339319AF0CF46ECBF44139C87C68835.TMP"
        5⤵
        
        PID:5744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6topmn5y.cmdline"
      4⤵
      PID:5692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6973.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42E88A1E5BF747188774E48B7C6D367A.TMP"
        5⤵
        
        PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fgvpjko.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5916
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69F0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7414315AA9CA4BF3BE73D1F9163729D6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1r9bqypp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6068
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5C551A4B454447BA57B3B62D16550B9.TMP"
        5⤵
        
        PID:6100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hb9dx09_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc266822BB96D8409F932C0D2A2ADC222.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wzqgxa3k.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5672
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C77122D91AA49C3BBF2C413B9F6BBC9.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fwlwykab.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5083B2905319442C8C5CC711DCD36D0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hq-opcma.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3188
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1BE327998C144E786493394C9FADB5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j-odxdvj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5184
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc584585B310CE4F789C5F4CE83405811.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgbxkzr2.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2468
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc171857B96EC641EDACFEAD90B45D2662.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4u1itpqd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:460
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAED02121C53A427E8D20F3DF667B1614.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khqmp3s4.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc317057824654B4B9D30BBD593E3B6BE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4jn2n2uf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC626D600ED9B4652B4C7DE1E7353EA6B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uf_w8y6j.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7049.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA3CFE671D904C0F87CA4D4892318AD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bf0dk5-e.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5980
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBB4D24CF08D48AABBBDE1ECF7C840D4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\unp510zi.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:852
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AF996ED5FF74007B7E3CF677029C5EE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qzgce3ww.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5160
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES724D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9018BC349B90483087C09D152CDA7F20.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmleoqss.cmdline"
      4⤵
      PID:5516
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc778D7738A19430B8592919126947BE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2824
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6120
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqg6rav-.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F823687B324415DB381B3E0FE51779.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwaikcq_.cmdline"
        6⤵
        
        PID:740
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34F1CBF318A54ECE9768E7B73899D9B.TMP"
        7⤵
        
        PID:4516
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwnstgla.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D01428D8E234562BBCC28DBB9F84414.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oqlw9bog.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDC5F22B4D0694DB49660B3A399FED9.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z5y20aub.cmdline"
        6⤵
        
        PID:5612
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc79A663D1C9884F40BAD655F229344943.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xgto5bku.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0DEB32D97314867BCCC7C7512AC989C.TMP"
        7⤵
        
        PID:4032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qghncy9z.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CC5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3036A55BB8554763B763F8134A5A1BD6.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fvum3cdj.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D52.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4566B5824F714396862AB06F18943D38.TMP"
        7⤵
        
        PID:4948
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kld9upul.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A5EEE5660934BCF8F4A2B44CD32BCC3.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gh6hatv4.cmdline"
        6⤵
        
        PID:3132
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E6B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5936E527C4204F95BCF0D6151374E26A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5792
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5900
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4409.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:6024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6072
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F44.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Users\Admin\Downloads\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\is-3UFHS.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3UFHS.tmp\butterflyondesktop.tmp" /SL5="$A0110,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2152
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:4820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb6d6546f8,0x7ffb6d654708,0x7ffb6d654718
        5⤵
        
        PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5852
- C:\Users\Admin\Downloads\AdwereCleaner.exe
  "C:\Users\Admin\Downloads\AdwereCleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5124
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,6269195319173428023,13208766277231359049,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2828

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
207cb3e5fdd3d25af42d9b692854e9fe

SHA1
86caf2e40a62475a25fa5b05a265cac02bc6345f

SHA256
7567b28e6eee64349099bf4ba8eabf1a1179c09478b591b90f28cede4ccaac6e

SHA512
5ab757fa8ec4a9c66bed6cc1eee6c35c315dc65baf1842306066d53ac6a09d8309628a536a23719256b6071f2048a5776956f1a2dd77aa59cd8e8b43a808d6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0d9106657c8a72fa2e7c694e489a80a5

SHA1
7e5d84a9728be967c76ef9b3ad76f597626556e5

SHA256
36e961bc00ef4dd4747d14501ce586f4c2c7b39f759355a7afdf7329149f9bc3

SHA512
6053aaec79006bd9d75fbc4897ea2c44e7b22500c2a2dc2c9931d3b0807b679f1c1740f055c1face1e0c9fa37fd9284fbc2025eca627232411cde7ed541655c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a815f06a41330aa3f9e06ea53cc4910b

SHA1
5f5c0de84f28b0248744f7a782b16d5e197a8926

SHA256
9785f315cc01bf60d27054f84e6f2ca7736a51a3e535006d5f4681d1944c82fc

SHA512
38f9b2d9f2317085a8e09803b94060ae576fda5d4cd47ed4423096a2c97bd939eceacea2a2a6a4d3d6bc8f7c71b4366bc8196340fa3156dde2dafbdf56631997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a0f53e43fa47f4d54f75e2c0100a204

SHA1
b1b3bc0341b2d99432d47e2265bc196a492c2745

SHA256
d51deebc5d7a07623669f65a794dbb880244814742e3f2e4ca8dc575d1fc8991

SHA512
9fb94846e01917447455441737fbfdcb614f45ffb8e39188c01754c8bde0e47750b305f5b522887a186e7293ac02f2d84a2ed8a0a678ad4d44aa49963413d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0355ea94680d3945b70e5cc4c9c2d696

SHA1
e0ec1b0e7782670b2f3d749e19282f462bc9d3fd

SHA256
4c0ea574c3c31a5ec4cbd6003f7180066e96eb399ad07eb07918ce5f0ae46b9b

SHA512
27df216523cdbb850d429ffa8084f544e9b9f15b85c89cbbb3ef0743d4ec3d1147090791e2ea7997110d8b3b75b89270bcfb28a19720ca069b603715ec4bb621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
26621e0efe474bdc1038d667e43a2e5f

SHA1
e7076b1ba18d14510008c5fda5a7daf2e1febb53

SHA256
7303515abb6d4c33a62cc19c2f05afa1e311d34d389a09d06f9c921186c34821

SHA512
5236cfb419e13af5781224a2b6fd649f2494480664b0852c43cd68a321c94179cb4b02f8a36dc33a158657b7f5fb8dc588c1add79672ca27be7f43f04fc5bd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99f435f2d7d7bda815a7926ba7475b7b

SHA1
983d9ec8114d14326ac3481cdd1587b2111d5c21

SHA256
da14097a8379caa2675dcb902f53c91e5eaab7b77bb89c51ad260be32a02dac8

SHA512
ddb563454dde22460ec7ea7942f1ce09d405a55c330c836199398ce2fe015229d922a4ea508f363a2ca14e42c67ff1c622b958c0d37240ac7df31abee08c57c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
35e2aea1c8da5c164ec3f2e87622e752

SHA1
cd521c1ed8f92fb2b09ce9dc4c38bd77b43b1bc0

SHA256
622cb699a4bb0a9894be05a700aba65aac8c06813a58a2fc9e635c490cea5241

SHA512
2322ae804ee9e462eb4ea71ad79f300c33b82367555d35645b61a433cf186ed83b775b350cdd96f3374c5d3a2b2ece52c15880f5b5d8304f135a99c44974e7b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a2749dfea481647576bc8adbe14320f

SHA1
b47a6d5942abff04357e49374e5dc017864953d4

SHA256
0722a7140819a9e04109bc9bee47ef3103e0bd61c42ff2d4d696333046fee742

SHA512
01b1a780fa9c1e9c22003ba07f65ba6c23c5ab5d9c9b17db085f2315753dfdc1d298b5da96b02ce36de7a5ec25133b89868fc7880f7ac74eebff6d154d9e4f9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fa4719a59f8077ddf4aca376c103bea

SHA1
991562f885bda62a78456e2897954ce8083b373b

SHA256
39515f6323a2f50304da97b1f01edb484053a0b0069c76b7db3784a7f3371b78

SHA512
e1ac533a781331fc05a088e3e56c6ad62b57ecf7faab18a2f5ccc6a0e0db00651253c1b49af774a722bfd6376a7fa199bf714203d63c11a29108038f795be029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06b52e49be6e1034ac97e38c29ccb671

SHA1
8aaa3b736cec15e10add79bc332734bb7028ae6d

SHA256
3bc8bc962b193165762ae54b1c55731ddabfda1eeec6489065d9fb24fe45b6c0

SHA512
af7f23958ae1e1fdd15a53135ee7552834275a5c97afe9a8c22957d1163c2ca4dc97cb6870cc694d9b45c89ca1370806a9d235b83b021f94bb4b43505dc86545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d04b92b96a4ea6e3fddefedb8b1ae824

SHA1
732b37f3e2fe955761e5d641df303604b560b8b7

SHA256
eb210c2131c2c5ad06dabe8cc335c23533ee0d7ce5ddd136fb2284dcfcedd3fb

SHA512
5c9bbe33e8266e26562cfed5da219d57cd43718d0262f42656e143c5a549ce9d5113a0f72e8443083f0136e6d6ef167a8355f6873d428ed03722c6e0849d5a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e687f18868422b214419e8ddc1b2762d

SHA1
167d00d82aaee1396fc166ded191f264ab454476

SHA256
25d7d6e24001b60dbbbbafb2b06cbdca26fd3b91745005817cfd5062b5ed46db

SHA512
e7255e3fe5500846324c09ab57c35e4bc7342ce58916dc5ed6d1ddca1002edf6005f050af411104d9ecfacd8c81f49d2da2b1a097ffe30e33e3d8511221608a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6cd846e15af54f2f31ce44232e67dc58

SHA1
df090746ed4d3ffec649d53a0b79e81310b0c7f2

SHA256
0c92f542fa26f368fd632c87d0aa3bb0c16f6db4d5242ac6cdd7ebe32a4e2975

SHA512
13b89cffd7ba8ec6478faa0c33e1c8ac83fb98ac1714f465dea5daa3da6c43af0ef60548834a2241fb603bebc83f3369320b0c93988c60710d78314d1a3e4324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
829407d7ea0a0b190237240fe70c3a24

SHA1
9ec46683f700c178d2d30bcba7516bd7127ab596

SHA256
6e376283591cb85c736352d5030b0315b98a0193a89d0c2b285ff1fcedde82db

SHA512
38b0245ab61f75ba4a292dc33edf6ae67284692daa63c5bedc0aec6b34df273ef54497dee0cab8b365960d95350e593d5873dc429ecb9f388f33c3165dbd495f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ee96.TMP

Filesize
874B

MD5
263e8267ca47fa4028799aa43f6f2eac

SHA1
a3dc89c7f6e5b976d418ef6c14504a1323425f65

SHA256
5fb3328eb21d2da3b13ce6b1545421212c4adcb8741ca558957b6907a650abed

SHA512
e2b9206f7b7a5ffb65fef318fbfc33817f6835154e9cb2bb71307bad16c52788258e401926289d0cd4e55cd48523711cfead81bc6a6b485efb4da51387d9a4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
436fec72a24109de6aadf78552194929

SHA1
c430b21098dbefa55da67df23606ac48a667ff95

SHA256
4c82c37cbe7fdc9c1dac23ecb930c08e693b3729fa6dd4ea54f5f15e6b876cad

SHA512
6ba55110532ab0f756105ee740d811a8b61da4ee67f0ceebf0ca1684fc704321665a6a6ffa6bcf9cc578493ebada523b4ffbe8cb5a3b7dbc85c326803df63db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0d523c7716b6c4eafa5ed9e234b42486

SHA1
98cf87068e537f9c9dfd0f203d8cc652da63d98c

SHA256
40b6aa08e800a0d86cf2a83b8dc4125f3b62e9e2fd77e7c3ac194f62d53e90b6

SHA512
c41c84d400e24ed96e47bd4f65089da0f479b00303c35a73f5ebe5aaa23ba4b8a643465ba4179c7f49dab4b8e4004635487f4f4c9de7575e28c8ba5bea59aee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c9676c0d1a9ef8752d66640bf4a7e8f

SHA1
3ec388f272a3f86862778ee417405467d7df0bf7

SHA256
e90cac6e600d3361153bce326c353692cee71591c7f0e23eda735c5172e6e951

SHA512
c23507973c8e687a11cf6f1284042529d7b25555532fb871dfcb2c0fc0e82a1e844759e83e6f2af8d35e44ec00ef66f8b0866bae2aa2af751327c7c184c6d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\1r9bqypp.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\1r9bqypp.cmdline

Filesize
261B

MD5
9f3555e2a186b3656dbd6c7238372326

SHA1
22a54b67c2f13f833a91161783ac46504699461a

SHA256
97be5f0d36d826f98dea04c490e1fcc8dda769b3e621c1dfc48cd213314ea27e

SHA512
593c3a1b55f70f96f6de662ef1c12ddfa7aefc38dda80708057f87e1d45863fc564e53edc7ae1881999a0fd21f9feea6eef82a2422c72ee380b88acd3c402493

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fgvpjko.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fgvpjko.cmdline

Filesize
267B

MD5
1ca11fa7f9fc71542f8811db10270b09

SHA1
d9098eb70c6602017bbfd1c3116d98d15980349c

SHA256
8b41e01ba3c6d3980af009c6b465c304d1c7c0f9b7ce5bd21663880d357a46f5

SHA512
bc6244227980983efd7a94a763218dd8b62f2ce440328e4da3b4133f5ab26430574fc9add91dcdc433a9ca179cd6e827a6eb64cc186152db67ff22a337cb046c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6topmn5y.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6topmn5y.cmdline

Filesize
261B

MD5
dace0fa0e1328b04d47072fc89b8d0cd

SHA1
f60b4377fbca48b4a07b75e139144fa669bc63f7

SHA256
72dc985c7164776df61c2187e93bf4be078e86af751e6647f4275f74f9f3204f

SHA512
1e34210cc5919b770809e099133117ee6e32250f0453d10ddf5e6481069380fdafe4fa1758e1414c0b9d03fc7e2efa1952e55e5708d95f64591a889347107cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\8uhwxnov.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8uhwxnov.cmdline

Filesize
224B

MD5
4d241677bf3577a84e8b6f00f9fdf898

SHA1
a407d06210352d76e9c7ff7cbd37edda29635b00

SHA256
8703e0085c8e8a832bb3cbdeddd2c43f50abf55377c010dd95b1148eeafe66a1

SHA512
96201fada8c853b2cfec568ac78f436430e78c8d7e4319c2c3ef3f76b54e96bc0f51a40c893f01172ed61db222d816809d32d6ce72853ba8c1b6bfa2aa44785b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9skuamjc.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9skuamjc.cmdline

Filesize
253B

MD5
f958244a3ff706892ba871b91aed7cc9

SHA1
dbbad6b8fbf6381aa08449dfb1d3440c9cf798a0

SHA256
b653fcd19f2c80e5b645e0ff83993ddac7af783215233daa058710fccb9ec25c

SHA512
6cfa41c435667ad8686209db317c720f8b9a63e986602ab1249678ab2cd8099465757b08938c336a0f89b8236da4b6f66195067d389dc8149284df9efc014d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6741.tmp

Filesize
5KB

MD5
3a97eb356de756e1c5ab6910469cfda6

SHA1
7bc6fcd69175037c1f59a17a347781993884306e

SHA256
59b52f8510f06bf1c294f1d2ffad29679392b63277b61d52930fca270c3e77dd

SHA512
cf1784b287806f05c72f4ffd5994323536e6d42be6abebeb4b6ce5a25749d93bf2e3975c40b05d66c0c9b143211306fb6062844c8386b07b63bda9d1581fec52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67DD.tmp

Filesize
5KB

MD5
8a8c7757f0fb1cc206388b5b09c884a3

SHA1
5c64caed71a57879661a347aace1e49531cf7c06

SHA256
53fa6ec750f4845ffa8a919a08b639209ce83d15b7a34814ce77da1f45fecd0b

SHA512
03906f120b7c2ff257f38ea0c97ce9f986136f0dc46686a4bf88912153569c743b1d84e988a5be324f3c10a260605ddc58ba6ec5bf18733493a90b9a2eb2744b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES685A.tmp

Filesize
5KB

MD5
b2aef7b7fcc91f829973a855ab7277d1

SHA1
0cda0ce4b4b033088180f8732d0fe7b294db4682

SHA256
0de2e1d541cc43bdd6d673fe1133bca9b7ef07c336750dd99e8359e6fa81633f

SHA512
ea95139138af73ddf1b9165f82bb982ec1b26405b34efa1e89e7904d71ef6d8ae9f2fad3387e0c0a44093c7fdf6f00a9ec7041d13c37ff332152ac618ad3355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES68E6.tmp

Filesize
5KB

MD5
7c26cc89f8d9cd56aa2654ab87026585

SHA1
374a6d0b79636773811d977e40a5e5e40b40d6c4

SHA256
c3b18c8c7b5134366fff573aaa0589f1ee45c07c572aa0a1a7c6c91946256315

SHA512
2ad65123c9053cfc2b0f4d0fcdbcb8d1657ad40a3da60e731f7f21c69c92b073cb6cff06f5f12ff88a57439fd9c023c9b580c73069e310ef3a4e50460b872ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6973.tmp

Filesize
5KB

MD5
c5958a771bcb079592ae84d956f64f20

SHA1
9706deb310652da3afe77d80503efba8bad0e699

SHA256
a5675b3e6dacdfa4ff9a72b62b0213c9087822b2369f8c2b94989d8dfd81a44d

SHA512
c8b9fdf81b6e60913499ac70d996142c9f7baf4d1f8f4fc8fda428d0c2d907196c0920cd64319191ab4f800f5488e3ab958fd9ffae6b1b45c3ee0b4841d76744

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES69F0.tmp

Filesize
5KB

MD5
2e21ee2c69d715363ff2e4a8fbf78038

SHA1
c91c5339c87cc2050ee21bdeb601c2ea9facccaf

SHA256
67717168f0923413376d69976a9359903a47987bdbf5cd650da21728a7dc7d9f

SHA512
b097ba239fde393dbb8197f55770c8f7f90a818eb2f114eeec243ada3775b9865c51a9f482b46075d3cf7911af45e3a44cec9c577bb5d2eaad300e8cf810b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A5D.tmp

Filesize
5KB

MD5
9ed85e9f242b7186ec14909678087271

SHA1
519481b7fd6c580ec03f6e482aabe1b3ac73b11e

SHA256
cebeb65105a48d7799f7ce3e2d5cc1073e1d67ff732e4e5f8385c91fb8b9a205

SHA512
b29c1aaeb6ff54d9764c36cf966c305327008c789a1f0d0fb65a34f276d762e6c9cf77954b3c1203bac9bdf4b030b97b5f131122f56328a7cf05bec59f7954d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hb9dx09_.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hb9dx09_.cmdline

Filesize
267B

MD5
19c4bd4b299316ee9ee3a6368b5c7b8d

SHA1
fdeb5059f3ce7170b2d6d46c9bd8a499158535a9

SHA256
6b8210242cd7958eb3bee848cdfcd30d47dd528a2b3592901940e12d4505a92c

SHA512
c1ab63482a58ea29392cd583f342bab6acfb0dbf4f18402c62ce78f91f54352fd02a0da0ca9b913edf11320ac541cadad199c99f1a8be781ea6998a2c8c6725d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsllrjdl.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsllrjdl.cmdline

Filesize
253B

MD5
d9aca47266b9d58730a2d9c6095e3fe2

SHA1
6e14d6a2bbfc2cdeaf10a6e2e7481a6b9982bc32

SHA256
9b033b32e406deda4208c169c49ba3b89fc8de58d0bfa008726178f85ef5c032

SHA512
d3250bd2c4913150b53007bad133d404cd17a5830d3cdbefb07585896de7a6ce44664ba94ef032ec2fef7808afe51dfc250fdd403b4fe249072612b9d2493c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0u2twsh.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0u2twsh.cmdline

Filesize
224B

MD5
fff0511b3586ee61043e6129fbf92054

SHA1
54e4cf2268b77ecfbe04962d8a159624163c8a04

SHA256
b5b93e524e56b0164b7ae1cce163d5bead65578447057b007bb8faa419f94232

SHA512
204b6622c65bec63c5a8460f94297e51b93dc9b1e81739e6b34456b82d6b0e5682ab72c0a8f6afae3439e0cadf801065a6bc446a893ccf323f516cdaa89783db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4409.tmp

Filesize
1KB

MD5
1118048f2edd5c51379c845045dd864b

SHA1
ce9b139e9cb500e26b9264066aefabc311c63d1a

SHA256
3b4432d624f03b8573061e87d99dc2f4a31ed95ebbeb19a10c2ea4a1c5e6dcb7

SHA512
af0ab81c5cfd004157663d90f914fa64dd723351ddbf44e9a20c4842eaec6a7b83623d700535a0fd6749c70a103677008dbda138c3ec05054537fbe2f1f8275c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc266822BB96D8409F932C0D2A2ADC222.TMP

Filesize
5KB

MD5
852ad787d5b62a59d1a85e31224eb42e

SHA1
3f9125530ba96a8d00a2acd6650bd952efbcbfc4

SHA256
5c0fea62e1b6f98b0a2fe87cdb1569ca9c8836cefd8c14d351f95a08ebb4aa46

SHA512
71737f2f3a7b86c54b465aa36d27b42844693b113d207726ba24a4d3c803ba93094d7417d4eea7a0f3f5e5d5f5a74cc34694c5706690287e7b575ad0819be560

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc339319AF0CF46ECBF44139C87C68835.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc42E88A1E5BF747188774E48B7C6D367A.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4566B5824F714396862AB06F18943D38.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6827BF6F77BA43EF8B84C810FA8B3419.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7414315AA9CA4BF3BE73D1F9163729D6.TMP

Filesize
5KB

MD5
5fb831248c686023c8b35fa6aa5f199c

SHA1
39760507c72d11c33351b306e40decaad7eb2757

SHA256
d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908

SHA512
2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc79A663D1C9884F40BAD655F229344943.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB6771A24BF454FF08BB2749E90D842.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5C551A4B454447BA57B3B62D16550B9.TMP

Filesize
5KB

MD5
2f824fea57844a415b42a3a0551e5a5a

SHA1
0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4

SHA256
803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee

SHA512
7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDC5F22B4D0694DB49660B3A399FED9.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6448C125134D48A5DA49FE85869CA0.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 718665.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 745059.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808760.crdownload

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 841585.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
F:\svchost\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
\??\pipe\LOCAL\crashpad_2032_HXRZSACDANKKCAVG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2152-745-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2152-750-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3184-866-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3184-1054-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3184-1007-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3184-1129-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3184-1103-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3184-1149-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4492-248-0x000000001C680000-0x000000001C6E2000-memory.dmp

Filesize
392KB

Download
memory/4492-247-0x000000001C560000-0x000000001C606000-memory.dmp

Filesize
664KB

Download
memory/4492-246-0x000000001BFE0000-0x000000001C4AE000-memory.dmp

Filesize
4.8MB

Download
memory/4644-651-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4720-250-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5404-1126-0x000000001B9E0000-0x000000001BB89000-memory.dmp

Filesize
1.7MB

Download
memory/5404-1091-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/5404-1148-0x000000001B9E0000-0x000000001BB89000-memory.dmp

Filesize
1.7MB

Download
memory/5900-324-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/5900-325-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/5900-323-0x0000000000AD0000-0x0000000000B26000-memory.dmp

Filesize
344KB

Download
memory/5900-327-0x0000000006330000-0x00000000063CC000-memory.dmp

Filesize
624KB

Download
memory/5900-326-0x0000000005510000-0x0000000005518000-memory.dmp

Filesize
32KB

Download
memory/5900-328-0x0000000005C50000-0x0000000005C78000-memory.dmp

Filesize
160KB

Download
memory/5932-691-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5932-752-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5932-744-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6072-335-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/6072-337-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download