neshta | f15ad996fa1508df4fc2c4fa24da3209e59c12b76f7e9a5fae5eb7605b992bc6

Analysis

max time kernel
1797s
max time network
1552s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-11-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRIX HALF CRACKED zad.bat
Size

21KB
MD5

7404a82f0298431390a71fc848db57d0
SHA1

5d80a655c6737d7894b5567143d6360381dfdc20
SHA256

f15ad996fa1508df4fc2c4fa24da3209e59c12b76f7e9a5fae5eb7605b992bc6
SHA512

191d8fa9341254ca79dcfd346c74ad43be960f9e92500e5363723b9f0b49d31c0d2951ff5244d70948b69dfb5d0797acf5e48c7f96ce73e588116086c8ce1243
SSDEEP

384:ESkQ7Y2QQXx5jJ2pLhN0gX5jTCm0EQLY2YQXdfHm9Ab:tkQ7Y2QQXx5jIqk5jTC1EQLY2YQXdfGK

Score

10^/10

neshta discovery evasion persistence phishing privilege_escalation spyware

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/memory/1184-1501-0x0000000000B80000-0x00000000016BE000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2668	netsh.exe

A potential corporate email address has been identified in the URL: sodo-search@~1.1
phishing

Executes dropped EXE 8 IoCs

pid	Process
2368	svchost.exe
4604	Server.exe
2760	svchost.exe
3556	Server.exe
1860	svchost.exe
1144	Server.exe
4856	Server.exe
4888	Trojan.exe

Loads dropped DLL 5 IoCs

pid	Process
3536	sigthief.exe
3536	sigthief.exe
3536	sigthief.exe
3536	sigthief.exe
3536	sigthief.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
151	pastebin.com
1	camo.githubusercontent.com
60	camo.githubusercontent.com
87	pastebin.com
150	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3388	4604	WerFault.exe	116
2408	3556	WerFault.exe	122
668	5000	WerFault.exe	125
4492	1144	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Danger Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	яσσтRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7d Golden Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Danger Edition.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njRAT v0.7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dangerous RAT 2020 Cracked by Unknown Venom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SlayerRAT v 0.7.2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell	SlayerRAT v 0.7.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Generic"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	SlayerRAT v 0.7.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\4	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg	SlayerRAT v 0.7.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SlayerRAT v 0.7.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	SlayerRAT v 0.7.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	SlayerRAT v 0.7.2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	SlayerRAT v 0.7.2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	SlayerRAT v 0.7.2.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sheet-rat-2.6-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\njRAT-All-Versions-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
3076	msedge.exe
3076	msedge.exe
4448	identity_helper.exe
4448	identity_helper.exe
844	msedge.exe
844	msedge.exe
3644	msedge.exe
3644	msedge.exe
4776	msedge.exe
4776	msedge.exe
3732	msedge.exe
3732	msedge.exe
952	identity_helper.exe
952	identity_helper.exe
4648	msedge.exe
4648	msedge.exe
4192	msedge.exe
4192	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe
4888	Trojan.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
3804	OpenWith.exe
1836	SlayerRAT v 0.7.2.exe
2276	NjRat 0.7D Danger Edition.exe
4888	Trojan.exe
776	KilerRat v7.5.4.exe
1444	KilerRat v10.0.0.exe
2628	NjRat 0.7D Danger Edition.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: 33	2372	CobianRAT v1.0.40.7.exe
Token: SeIncBasePriorityPrivilege	2372	CobianRAT v1.0.40.7.exe
Token: SeDebugPrivilege	1184	Dangerous RAT 2020 Cracked by Unknown Venom.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
3732	msedge.exe
1184	Dangerous RAT 2020 Cracked by Unknown Venom.exe
1184	Dangerous RAT 2020 Cracked by Unknown Venom.exe
1184	Dangerous RAT 2020 Cracked by Unknown Venom.exe
1184	Dangerous RAT 2020 Cracked by Unknown Venom.exe
3804	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3804	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3804	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3804	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
4072	Hallaj PRO Rat [Fixed].exe
4072	Hallaj PRO Rat [Fixed].exe
1836	SlayerRAT v 0.7.2.exe
1836	SlayerRAT v 0.7.2.exe
1836	SlayerRAT v 0.7.2.exe
2276	NjRat 0.7D Danger Edition.exe
2276	NjRat 0.7D Danger Edition.exe
2276	NjRat 0.7D Danger Edition.exe
2276	NjRat 0.7D Danger Edition.exe
4724	яσσтRAT.exe
4724	яσσтRAT.exe
4724	яσσтRAT.exe
4724	яσσтRAT.exe
3404	njRAT v0.7d.exe
3404	njRAT v0.7d.exe
3404	njRAT v0.7d.exe
3404	njRAT v0.7d.exe
4972	NjRat 0.7d Golden Edition.exe
4972	NjRat 0.7d Golden Edition.exe
4972	NjRat 0.7d Golden Edition.exe
4972	NjRat 0.7d Golden Edition.exe
3512	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3512	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3512	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
3512	GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
776	KilerRat v7.5.4.exe
1444	KilerRat v10.0.0.exe
1444	KilerRat v10.0.0.exe
2628	NjRat 0.7D Danger Edition.exe
2628	NjRat 0.7D Danger Edition.exe
2628	NjRat 0.7D Danger Edition.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
3804	OpenWith.exe
1052	AcroRd32.exe
1052	AcroRd32.exe
1052	AcroRd32.exe
1052	AcroRd32.exe
1836	SlayerRAT v 0.7.2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4024	4320	cmd.exe	80
PID 4320 wrote to memory of 4024	4320	cmd.exe	80
PID 4320 wrote to memory of 3812	4320	cmd.exe	81
PID 4320 wrote to memory of 3812	4320	cmd.exe	81
PID 1756 wrote to memory of 836	1756	msedge.exe	87
PID 1756 wrote to memory of 836	1756	msedge.exe	87
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 1912	1756	msedge.exe	88
PID 1756 wrote to memory of 3076	1756	msedge.exe	89
PID 1756 wrote to memory of 3076	1756	msedge.exe	89
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90
PID 1756 wrote to memory of 3872	1756	msedge.exe	90

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TRIX HALF CRACKED zad.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4024
- C:\Windows\system32\mode.com
  mode 120,31
  2⤵
  PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbec13cb8,0x7ffbbec13cc8,0x7ffbbec13cd8
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,1774301290747111766,12178032390125863675,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4800

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe"
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 844
    3⤵
    - Program crash
    PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604
1⤵
PID:4444

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe"
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 808
    3⤵
    - Program crash
    PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3556 -ip 3556
1⤵
PID:4712

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Confused\Server.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Confused\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 896
  2⤵
  - Program crash
  PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5000 -ip 5000
1⤵
PID:2176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3804
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Plugins\Chat.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7146F78BAA954B877D3FD096F0D64F6D --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1836
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9233C37FE9608DE32838EF04BA5F48DC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9233C37FE9608DE32838EF04BA5F48DC --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4452
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36DC0280200AAF61FC1400439535B4A8 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ABB218789AF0032BF4CFD0FBA8550388 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:416
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CDE45C502B0C15CB37B9848ACA2AAC79 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\Client.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\Client.exe"
1⤵
PID:3348

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\ethminer.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\ethminer.exe"
1⤵
PID:1532

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\sigthief.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\sigthief.exe"
1⤵
PID:3244
- C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\sigthief.exe
  "C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\sigthief.exe"
  2⤵
  - Loads dropped DLL
  PID:3536

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\xmrminer.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Stub\xmrminer.exe"
1⤵
PID:4840

C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe
"C:\Users\Admin\Downloads\Sheet-rat-2.6-main\Sheet-rat-2.6-main\SheetRat v2.6\sheet rat v2.6\Server.exe"
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 816
    3⤵
    - Program crash
    PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1144 -ip 1144
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbbec13cb8,0x7ffbbec13cc8,0x7ffbbec13cd8
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7208 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7449615534078483385,10097195793084668527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C8
1⤵
PID:3100

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\CobianRAT v1.0.40.7\CobianRAT v1.0.40.7.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\CobianRAT v1.0.40.7\CobianRAT v1.0.40.7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\Dangerous RAT\Dangerous RAT 2020 Cracked by Unknown Venom.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\Dangerous RAT\Dangerous RAT 2020 Cracked by Unknown Venom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1184

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\GHAWY HACKER EGYPT NjRat 0.7D v.2\GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\GHAWY HACKER EGYPT NjRat 0.7D v.2\GHAWY HACKER EGYPT NjRat 0.7D v.2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:3804

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\Hallaj PRO Rat [Fixed]\Hallaj PRO Rat [Fixed].exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\Hallaj PRO Rat [Fixed]\Hallaj PRO Rat [Fixed].exe"
1⤵
- Suspicious use of SendNotifyMessage
PID:4072

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT v 0.7.2.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT v 0.7.2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Users\Admin\Downloads\Server.exe
"C:\Users\Admin\Downloads\Server.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4888
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2668

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2276

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\RootRAT\яσσтRAT.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\RootRAT\яσσтRAT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:4724

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\njRAT v0.7d Professional Edition By Dark .NET\njRAT v0.7d.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\njRAT v0.7d Professional Edition By Dark .NET\njRAT v0.7d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:3404

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7d Golden Edition (English)\NjRat 0.7d Golden Edition.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7d Golden Edition (English)\NjRat 0.7d Golden Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:4972

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\GHAWY HACKER EGYPT NjRat 0.7D v.2\GHAWY HACKER EGYPT NjRat 0.7D v.2.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\GHAWY HACKER EGYPT NjRat 0.7D v.2\GHAWY HACKER EGYPT NjRat 0.7D v.2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:3512

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\KilerRat v7.5.4\KilerRat v7.5.4.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\KilerRat v7.5.4\KilerRat v7.5.4.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:776

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\KilerRat v10.0.0\KilerRat v10.0.0.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\KilerRat v10.0.0\KilerRat v10.0.0.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:1444

C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe
"C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\NjRat 0.7D Danger Edition\NjRat 0.7D Danger Edition.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
d5ca43c369ac39838045ab4b1a0a5bdf

SHA1
fef829197e857113caccb4ff40350e37b19329ba

SHA256
475f582d05334821c9d2512bb2c7ecc50c087f44b57817fe324a34f26c4cc195

SHA512
a11328d7ceaf259b6a5afdf2e5522d0acfc6d671ec7037e5f524e416ecf3b9edc7b181cf7fc6795e7b91cd47b5075a9764bba1179213b0e893f057c33d45353b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
871B

MD5
bc4e798e428bf600621ffa361da29e88

SHA1
60c6bbe3f8dd34346f4b917d540bf23d7e388d0c

SHA256
e581886635b44fab5f83b1267283d3718cfd5b1663c888bd43723d3735d13d61

SHA512
f311add74aea7f96f9face313710328846f49131c97568ee556bd31447036c29c08e6953394fe8dcb0fc072bb19dcb6e72dcf26c0519cec26056da0e869127c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17a6e9095c22451e5216c94b1a61ba38

SHA1
055f2f99e33fb803993dd343f850e693f239d20a

SHA256
27739df6879b8afeb7b4774aaea0bcdfc3d3d2f292db0f1c25e4edc3ab9f58bb

SHA512
6f5ea46ebcdb290f6a821c51edf4ed69be79402b53af5bb492259ca75631e79eb5cac5c5d8bf1ae6ce9b40b5791721378b1460fc60bd38cba4b87c98a3de9eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b01be3ea3b6721e56c5435f4aa038cbb

SHA1
2c21a031cefa8996de1338ced671bf97cb35efe5

SHA256
10a459d7b410fc54e547cdc7add584e3fb07f13c7885ab1dbb8b124fef015e9a

SHA512
2b168c10314490869abfe114af170cb3469fdc1011f2d19abc508e42e3902d49f313d00afcc09cafabb5436830e7d5a32004a1152a48317a7b413f55482094c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\805d21c5-6071-475a-bcc7-2c4a2943d74b.tmp

Filesize
6KB

MD5
7a25ea82a4e9626ad785a0d73271d89b

SHA1
539cdddce6d457fc51b78ead1ef795009741dee7

SHA256
8e3af8e3175ed4c56e8cbae9fbd4f08b88a0ab05dc9b0045abf61976a6ecbf56

SHA512
9a043b8995fa4cfd39c1f128163cff46bd1b34e01216d6829deb90f79ae84f2f36bcca06ab8a9213f3d7da3bcf04240c482c57057eac3bc506ac33539473092f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
120KB

MD5
1728b6a0247e3d2111f9a7f005963f6c

SHA1
468cbb3c220e18255c02ef40dbba367f6b745fff

SHA256
3c973232ea7247725d7f81bff43c3a4ef49c0baae2d5a5a41204fcae994d621b

SHA512
633cfb5b2a0c73ff98f59a78816f7a290b382770aebc4f8f68038b6a70c17827cab09cbceea34ac1e6144c65a879a89c87440464791f04ce6046330bbab12a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
20KB

MD5
7820868733f40be1532c203ddef29dac

SHA1
b05284788e05da2048eafe2d32ae82d72cc7bf20

SHA256
697fe36c8e350ba203e98a5b319be12ac8c3c4b1b0c7b0659d32b0d8210f5c12

SHA512
34ea94632c42798d74da4bae84839889bb071a6545e20e6732523f1b1f8357a9db9b5002c897307bcbcfcdacaab3a7939f069d8b8c8ab2d04c5bc39ffdcb795c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
09fd8d88b465fcb83dc611695d358750

SHA1
843d3602c0bd1f019dc3fde0cebd03ae0bc3f5a2

SHA256
42b88262ea3a431b02cdaae84c12282fb586ec7efe2f035321f2758d69ea2b54

SHA512
1e404abb3e3eb2d068f8dca5f61822b57db330f89e100867fc4192f0b3bf13aa414620be5fd9308903017ffee61702311657e857c0bfdd81d189a993fdd48c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
41773a8b8958f23c2204dc9463d1700f

SHA1
f77e2eff24124b531e906897b7bf3ed2f7e7a75a

SHA256
084ba5d146b227d719e91dc6e99a85a889024f769d6337b546eaa88ccc7ef736

SHA512
5e160b81e8377fcad73a05598c352e083d14f9dc03ea89093ff6c898c64e81ec0234717b789f1c12f3911f26fa1ea1666e86c5b8b62c00d2d74f0f9d0d2e9681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
36f6c6d8723e2a78e71c14c464222ab6

SHA1
a11b16e2fa57b73e7635aad460c5f7db08381f3a

SHA256
543ddd6c0472e67785379397c13c5623c7017cbaea2efd76e8ac13c2b417e509

SHA512
7eb17f3c3129ebfb86b85edc5c5e83923809e68f1c37d80d1c2716e1e5ab9bb9e1b66bc3622bda1c20c2f614e8a2394ca0a80e0bd409ad35fc4cf2c882aa2bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
401166390445c69e54af30bf4f692868

SHA1
3a4ff7ef07304087cc8cf80854b66474c12c736b

SHA256
731661aa8ee2389896edc325b5d559b6d0abf0ba1d54e0a817ad632d06248f02

SHA512
4bb52a6b0372a9722a376387af6f8c28697b16525e193ad7b41902d6e6dd6c1c761356428f1d4e067ed9debc9f66bb84a59494d30f07166eb8ff2d43eb587e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
6f1579a47ec752c45b73c94d41073729

SHA1
6fae7786fd48acea5839058252cc0673b6126bd0

SHA256
b6d006319a3e9c49736c045d4abd09f704bf059304fe4f0b0b851aa606fcce57

SHA512
8e9f2c521a65941c460d318eacffdf7d31289c6fc40ab2088e336808aeda28763528157cb72eb1f5fa280fa94548adf9d1a02bf3166ccfb3357431c5724c56fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
5dc2646c90eb1b452dfd9fc940a0ba99

SHA1
eed67ec49ec1f476db8e0cc342a5dfbeb35d34ba

SHA256
b2ced95e646438c54f4fb35ade1af8d47b0b2e3ea7dabaeef1f30b14f27f0d89

SHA512
b902c21b304f0979b8b6bf19a4ede6f088cf573323cee886bfde13dde65ddc95893fc6bf20d83f9c46e77478077986103163f1f23ed669c97b8fe8abaf4e48c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
e1b4451c28c4a9971963bc1151208487

SHA1
4a1a1436b9fa619dcd6ad499c177789a50ce60ae

SHA256
2c0afdc63fc274e567df227759db9fc915322ef56583f6ad7cc63e9af5aba650

SHA512
99efb82f127168366f24c2b3a48061c742a8536437e4c52385c8a9faca5ded93cd02d633673b23fca34ae5c41e471624ff15cc39795e7ed500fea40dbc99fa90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
0a30e10131fdbd71c0935aabeaacd252

SHA1
4d4410504f715bbb775c8c365b781e18efc36f26

SHA256
3698752716318513ab9341758651b6f4ad20f7cd50bb2c245931736df4e193b9

SHA512
0ca325f59479c44c755950775a34a2ecbc87b9c95dc3bfe1c62b47f788f4fcf15c51317e5d9f41bde136bfbfdf3a2a46bca3e9c90ff5506cc47d7cca040d5a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2cba5821e5a5078ea6d1a52cd381786c

SHA1
37a5c7c793ff5c830660579c50812f1026190df3

SHA256
2a2afa5947b3ef7e009551fde0c8396299fd1d10c4fd2ffa2ca605063a43910b

SHA512
ebd8648069471959579c1b89f3a64aa527f8792842bd40cdb728c81206e547ca568827a79014b52a968c64ae5b9c8cb93e72ed6cfb644275ea0c469e1e4c05c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
7c04baf84d9440c5223a36ce9f794179

SHA1
614d2596c2ef912a90830f77222fcc355f7ed3f1

SHA256
f9067e838ee277aa0ef5bd87870079da4a0d160ecc0990e41364a689622e158b

SHA512
a720d666fc75b733880cfb19d832da2767efb556f897e69e672ec805f59e76bb76fdf866280298045b6ff8b7c580932a1c8f6a8e1ac0971d972ed2dff4a94106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
851B

MD5
86d5830732e8f94ff3ccba9a0f3a66eb

SHA1
52145daba08338a526202a78a4bedca42dc8848b

SHA256
0eafc54fda2ba981c205b6f4f623a8fe8e11f2e4cd3402d626a9b38ae3966d38

SHA512
31cc3263cbbe063153ca9186926976ff14d389204c1d30f743944b697a093fed3993ab7b0cff42911d6c8e327f1efc0b9ddf075925b7ba58adf3445457277f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
589c4980a03b4d669e13298197994330

SHA1
33a314fbe1ba01e224eca30b43df4c4af987d795

SHA256
bef90859e14ea11a29a2077d6c06077f4d74554697da69f54a3b3c8447d61b06

SHA512
f28b7ce878a300b95d77dd38f92733e500e9faa5f32cbb62b4dbe6a932b31f0fafc87d7a26e028163f04be596ef995d4433cfc5c27f802cfdfe0b20d2c75ed6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ed1d2453d8ba4a2a0eb3647f28e3985

SHA1
e280ad62ec2c71d8ce21301deb202dcdb76414f3

SHA256
adceba4f3eb5686f0dc93c871a956c955b56dae074db1b3ada2b020eeecf37ea

SHA512
7e6d74156df027936cad24a5487c4aa44abf61a018d8809067274c0e60d26f0c796de4f961d6d9be475989ce6e0cb8ecac9f3950089bcf8fd4d0ffee776600b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08d28b4e4576719871ed1b7a5cbbbbe7

SHA1
484e4c70eb13090cbd113df1f09e4858cee49bd1

SHA256
70b5f36a0c665da441010c53d34665c78a352d3e09aae8f61abf3deb00fb3106

SHA512
fc0e54327e228b05cb7c366e3d35e42578ede461e416a241283e2ec6be99aec05d14c8a031cd93abb63c601f8075f4787a5386582c2d7f829110a2bbcb1d93db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c7a352d9fd905ec5096df4f525b4366

SHA1
3cc573d5a65ac2dbef70b6043c1ae5923be019dc

SHA256
7a31f23d56f9bbf99d11faff0c02ff78116f0cc8334e821473db323a3a384d88

SHA512
eec6101ea68019c22286253da767938bf1c7d3dd23ef17fb33966b8051d334d6d0d8228ffd4e26c46df3e6fb6c3c7ff369840b281ddb9cde2b718b0c8535d1fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f8a5481c64538373bc9e563a8036c628

SHA1
4641ebc86fd066413655937d86185f9081182d1f

SHA256
674e98f8147e361aa8b5b857f7e2862230bd8b5939a553ee78c3b3bfac2ceada

SHA512
1c5281101fd26d6a895bf54ccd2f8cb272f3a9d74aec4693d8e6ee9874110ff95de02576a624a50fcfdbdba76ae165f349595faf1996390f60306f044fa14ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0fd2306011fb812d94b068eea12b129e

SHA1
626ec681498d523e8d16b35ec27353840bb9963e

SHA256
cfb521e9590c4100ffeab0de129b295bc16557edad8fba784e15cf4d616887b4

SHA512
b3b6cf381ba6ed313935067172189931866b5dab2814335e53158a509667637bba4f97ea08876f07ceb0f4587af7feb1deb88f636567c3ae9480fdbd4449d262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3fd281dd6fc834b17419adeedc08f7c

SHA1
3407855b8691b710d951dc5be8d1a52ed63345f2

SHA256
a5afb7c69f5a1351d2c7c8a7eecfdd3ecdb7f5372099bb3f2a6ca1271bf1ea50

SHA512
3f797ea248722f2821ad33008b04ee105c084eee33702d1aa969eed9d3e10bfa0fbd223b6f3910c67ca94ba597efb425d22f1ad139562dcd92be9c7fa8c04943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0878279654c569b60651baeefb1f98fd

SHA1
1bb3f92101674f0d59631befbb5ae0c8d27ba991

SHA256
d814d14afd436986547a2ae1b46c593de942fb8fa3f61b2803b602a4df755541

SHA512
12a8659f019db2deadd01d7ab69f929efcebc01a34d2b497bdcab009be130420b196ca3a0d6ab0d5518f373abef16edf77c9cccc998f2a673dba86253d7208da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
939c6262c3a588153d639cc629b99ffd

SHA1
5b0ec8d77fbd1546eb8a40580f808892ba46f383

SHA256
1266ba740885365024b0893d4c296cd6514f6f58696a0730463d89db03009d47

SHA512
0ef5b84fb915150adc6b1e3748fda6a4849aa06aade0fcf5078943fb1b7202c8ea5157e57ab45f8f504580c57fb1eca60ca1c6825d1678399ef350fc073c8747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
522fbe1d0f6f0df8542d0979b519b422

SHA1
712cdfbba48a957cb1d5dee412e4066b182cbae8

SHA256
6888eef80611ba8081dfedfddf9b735c28abdb180ac4d790824729861c530052

SHA512
4863f2a9851fc46f8f375c7627de8634f829375d8c800a2148c5ed366c676b1dbecc7b427c55f0d3d1e43ebbc43c215f52e3abecb2df2a34aeb1638379d31abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
148adc60f93242869c4648989b8b2a06

SHA1
07a1ea3ca431db4fea525f8da05f7cff54207996

SHA256
74b385ebecab94aa1d77cd07eb76d11029e2648ed30d85a40aac116638cf924c

SHA512
2a3c796b71e7d219e071b5fc2e2b83e85614ada3a55a1faa7418fc71956548449b03c09987c259011d45c27ee370c797615a618d4f9de707039f8832235095b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36201786ce071875622822df77d52661

SHA1
6ccd47291b0600a3ebac0795138ec0fce5b4e205

SHA256
40f8f0caf6b9baffd426a695a132ff46682bf221759143b7a9193476e9b864a0

SHA512
35b0be5101f0edded80b1a8b975ab65fe1a5635850cc5af281f40dd497989bb5d57cddc69ef3911f4e2fb69b59e6b648be7fe9fd92958f62ee002ca283fbfc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375919903969543

Filesize
12KB

MD5
2e21bdda6e58848aec993c207ca3a191

SHA1
3dd5006ffa017e2abe9773048ea470b34df9dace

SHA256
477cbaf9bc8e1bda46bc76334f72070780fe368384f7b8f26a4722d572f18f40

SHA512
1dd73289ad5d3f495007619f0c53eb2b4089d0a085cdb163df7e24caa6e8266446db5d93db5f18c335a6177d8a028734833705dcfb267b7a06673e96f3ccd17e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
70ef18dcc3a1caf86add6fc327a66dea

SHA1
3e17a4789f06128a8c66a5581afe27e99c176ef9

SHA256
1a4623a11982c2693db9121361cbfe1f75da8435b47aef1fc1ca7498f95cb78e

SHA512
464c35b106cf72e58ad1ad87bd99dcabefc6f5bc82767a134f2c3e41ac70444cddb1b58a6e7d4485c61b8831b9b9d734d051e4ad1fb833877e91c131b965485d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
38169e203980921b6fb0af6213754170

SHA1
9fb966b080dc18f5d28e7a20bf36b00e0e49513d

SHA256
f3cf63b5577fbb3c78927e58966de488c7a244f8f8bc2ee3ce0045f3bcb3b96e

SHA512
b0fb4fc98807a95575ec16d67a7af5bd6b974a14e7bee33ad8d7d7f62e1372b5760229a9c6f6c06572e52d3531b2a9f2407c59d9918165eb055b5dd0bf2cdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
6b5b3ee220da5bbe19a083b47a783de3

SHA1
4e34e76a1c0d64a3c1dfc017c13b0a92e4d6a35e

SHA256
e70d5e9bf9f89ce55dfe6144213e3d01d16531e5471f21220d6805df0ed305b2

SHA512
40a990a498c580769a4700a5442edca1be9167bca307b25491fc491d0a4ca14b53709bd9c55537c7f872710f9292a39295fd5cbc9cfdd1f753ea0615749a14eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60a4c7491fb71ccbc52fd305138bedfa

SHA1
3560cb4b0b319b7ca0e233961b97c4aa01a020c3

SHA256
f87fb17b44537b66f4f550554a206153607b1a87b474bb7a348b797d9a66e410

SHA512
891425b3802fbdfe18fa788b91938759ad08aaf2a3cbb70413579b286f5031af57bcd242793e46212ecc759a68c6d1ecf3dafdff615216207647a441d174297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6defae70f96504ca2bb954467f09a017

SHA1
2932bab4c5ba8d6b2f2baaffa10349b69b85aedb

SHA256
38191545afa6720c6ae87a9ecbc1923f303ee67d6a2e217ab10a7f2e61a58618

SHA512
1d7854c7dfeff20853b1c86ef8d7fff1a4db35efdc48b27c829e86b0631a8ec81349f489464eda5987cda6dca8af4acbf4a1eaf6fba9ead9a19441fcb7ac2d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bbf81e0a127de02b52960c4dbd5c69d8

SHA1
45e106dbaeb2069b7ac2b2bcddea6126e97bdaf3

SHA256
3dedc5513b065d3660c9a17e17416b76fa2f4a509bde17e80ea1b0c35886d1f7

SHA512
6f0dc030c71381ed50ebbce4d11a080444d62d37d9fc51efbe2b36f676d9dd526483942310bd93459bb0fc6cc80291ad2b87c6118d3b03ce851c25c52b6c0048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
09bd97bf15befbdbe934f01cd0bc11c3

SHA1
4facb1ad72f2ff0529b02b371c24bd93fb60d679

SHA256
3f7e3f15ca49efb5febd3e94c82b2c8834313b76a8ecb79cefaa263b9ca13362

SHA512
abe9d1ed75840cde9ce67faa21b5d4033c5e2dc0eb4cc06056dfcd626b54f59e3d329f65c5de0d857916730f35ba59a7f712ee4f0661563c53d3ee451b590aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8823ca49a198445f96837faccb76d471

SHA1
fb5018262482a51413fb2f5e97166febe1537308

SHA256
42cbc1658ee7e238729b9faca4fb24488c6b8b83df5227735f22b7bb52cf7825

SHA512
5b5750e5fa544c9e9d2fd34a2526c03d1b3d11b2f66eb41bf3d69a1709bd0724f9d63aaada02537b42e1fe89d816516a228a1994fb469e24a35ce32567427408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5e0f2ab60566e54342b19546bff6a02d

SHA1
6b8eddbc86e0b284bdd3981dd3d542ebf21d0558

SHA256
25042591f138d43d22e704bf7c844cc645b8fbb85169a078f595e7cf447e8474

SHA512
f150242340dcb15850993e167bc24e6dc2e34cdff38e4d921a03102a729ee6175b5143faadba33344f85fe22173f5c39bf8bb3d0aa8ca7f3ff6511a57bc025c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7697f6635acf53e78e140060b0ca4858

SHA1
b4217c73a0ccc2b26286060e91294f2d61020344

SHA256
542a724e95318f8bf26e3b43eafd3d1ced6cc12f03144e1eb6f632a4edc4f24f

SHA512
8a888e5cc3b17f8e65ec0f61b66c7d7fa9779dec23a6a253859dffa421ca150cf5f175123ee67ecd0d08200febe788923b4884a42164a3be6df7bf3cbe188e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
08682489df79c6e7f876ebfb5b255b2c

SHA1
fd4c4f4cfa4c644c746ccb19e396a50130f06664

SHA256
c727635fc993ea81df3c52ec16b1eb9a18b56f32bc5e81fa1aa9fdfd46169b49

SHA512
94a29e415bef093928026553ea93cb47e91c3ca90391a874cc0565a2c2378472ea396ca1ade007336ac564bd6db8e015d4a8062623cce11a197547b84b30b5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581122.TMP

Filesize
1KB

MD5
6b2910c3bd917edebedfee8606ef6313

SHA1
2cb6a6ead8b3d7d823ff2700b5662fda6f167536

SHA256
78c4a43ab3b5a3fddec3d73285aef5516b5ed559375b536d081fc9569bb3a5cf

SHA512
697a09e23222f3ab4ff39bffc181a63f508ef9cfdb326105e1c534b4a5df86cfd1ed3d63422d22f9d25e5bc4a9823acfebf57646ee1c4e51e8412e6ab0c892d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
05e498dcfbea669273dfc76e45e9a76f

SHA1
ad8c5e8f03f5d60ba957fadc12b7b6e8aaf8bd28

SHA256
f27becdbf886ea0a42024948ec439a9cfe8152c6f8faacefc3ddd9cda8d2863c

SHA512
6bb5285409a6546a8a81548a9c9beedc33d6aec1efad9317a224b0b05fefd91d1e48c5f525cbc2c91e9667c1c61cbf272742f4cd57399533c809f2cc2fd00410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
6e5a7d812881cd99c1c3663d510af2c8

SHA1
719856e93bdf96c1eff7fd402a09c11e1036ca49

SHA256
66993f52cb41d26bb01cd2e8cc85a3bb6ff41c520ea374db4b2a793999197d60

SHA512
69dbb98dd3504d0ebc159f9c2cb9df4748d84d1aae16d71c96246e5e4ce108e1c242ff9e19ef3b7d12bc93b54278381bd49f00385aea5fc877451754060779d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
e53c7a9b1cf05bfbf768a697c4940400

SHA1
104d932eb7dc84f1facbc629cc99475dcaae8bf4

SHA256
4cc09c6ed11ba652521608c5b84c22cff9e4c26fd94843104f7c51b76448f9fc

SHA512
d75f460f64b795c8f6693e0e96abffde08dc93742f2daaefae1c2f9673b6523fce158147c7af2bd10c78ee5dae14a556098e86c3a28c767b7d2657f05275d900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e417ceda4d1fd5bb532bdfe8bd1864e

SHA1
fee9589c081cbb559e89ac360b562544c7c95560

SHA256
30ac37446be350b3aad3c7725d439456110744b253d6d0670b8aee84b19a9291

SHA512
65e5a3103cb7556c6e29ff08477f1e7b5f7e834ff6688ed55c326477be9ca686f288935486934804f2800b4efa264e96a4c2f1e87cceb16e1621e24e75155bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22fef8b1541db2a48d67bba7d79d769f

SHA1
39209da36e71cf6055a38e93d26c9bbca5aa9cda

SHA256
20f077b0d8c1d818773f0950737735121bf14722ea0e3d2aa88aaaeb4eefd9f8

SHA512
1e670be44e707b95e7030b5ad82e3b09b250d20126901269aa0a03850c9ddbb46818bb64757429972e9daaaa8202b6ab202329e9e90d7fa9e2a94ae1cc38f077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
841845bf0f4139673c0ee5b14055d8fe

SHA1
df4bc59dead9368912bcdc9c8570a7c117edbcbf

SHA256
2abedc5826b4cfd71d2005af563f9658c2173024d8ecd08352e9df0165f522e8

SHA512
838e91041ca5a1a3b35a002e50d12c089459b7cba890d5b29619e2afc95a5f9523a14b0cd180ccf85ef68b80e176e63b48c724f1929a0bead0b70556b83334d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc9f621a144ff72c702c898ce9c7b034

SHA1
eaadb2b100f17c66b76d2ae2ba56ff94af4085d7

SHA256
0f5c955f458ae45b0b3bc622c82fb2277978723dd676b37893d820f1e7d62156

SHA512
b6108645f7f636cf3c198ad6c954692c0b67e57f5d4df749fa8eac9fe3012c9b4a82b5841ea9d6f2cc80145e525282299f46232183c58674e9204f1cce9403b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87a4a11526d14fb96aa4efc0f6d2dac5

SHA1
538880a368b08224f4b7d778f340e3f16e759cf5

SHA256
03948cfbcc5dd3f5cd5985fa99446dffe6f1d0f0a759a1e95eaa5a92d5195ce3

SHA512
9f1db742baf7c3b1adda4e8ad919b95f17963c6ed957740a561ad7798c49863347794782da1b42bafb85f971671ca1fe9fbd4d9679dfe4b7063ba8415489790c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8241b07efe47c9fa7b4e37e7f7e9019b

SHA1
95fa50bf4249b7296160f0d6ccafb80d18e6b252

SHA256
6ab68552cef6c2cb4392bed1b8be3db6494f29ac3c90ad4d646c7de30ff15976

SHA512
8fc78080354b425e598a33453fcb70e6650020469fb98aef0fa3da44d70f20bee5e29344b44c083be0c31be387165bc8752d0fc9fe0c457f81d74a245840de00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a32cac579812d932e01fdfb365141d1f

SHA1
176bbb05ce268f22297a5a2a6cd2a66f2ed984c1

SHA256
1f5f6d1613c1414103820f8c220624be6909838ab56d0444c31a81aae8af48ae

SHA512
d033fea447e8c7765d9d5f1feca617a9abf0a40e29e9f37f26dd16e44e760c9c1c6d74d786c874c0d7a37847c485b2d2e57778acce83979ef5b39448c174b9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
41071bf395620f38511c084b3859a109

SHA1
b1bb4579d721ce7fd555d30e1afcc22a0c01f8f6

SHA256
dc79f9ebc7116e8ac5b5ff420085d4b987a48c05181b661bb08ec4a0ade2a072

SHA512
b7bbf4635f7cfd51e75c0b9d6376bec3864e8a3307cf6265fc75f8798729d5a5d98db5b4b43bc0d6a0c9258478d4178653887ef3b010538a5823624f4858e854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
1.3MB

MD5
dd6667db55acaefa2d7e99dcf5d97a26

SHA1
c1b281ef573df4da584294c61b5322edfed589ad

SHA256
ce8fd5ec0b2ee4e5d87d35622eeaa022ee971801c97bcb3726ca6ebe4b576238

SHA512
916c8b63400c0a8e495fc59d8e348499a6f04421e79599803c7ac4cd828c82f389bfd733471de27cc1643c03723429f8544446d9adc69082e6a5032139a1f1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
51KB

MD5
497379e37bf55bc9e382f4a3e9c52fd9

SHA1
a8ce723877c07c86cd12d7d5ca4b72a838124e0f

SHA256
f27fbde21946f523c346c5cb584b43a723f417a2a7733306e1114774e8d2a14e

SHA512
57091c1df995f77c8fc3dbd2521090cf53a5b176a89e9c519ef919c9150fed591e3280ee83fe5d195919ac5196d0087a5cef63754bc6e8c85fddbe33bf640c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe.tmp

Filesize
76B

MD5
1692ec83d414b0c59af7725f40cbca2f

SHA1
d15d887063f9d53d02a5fbb5502d17e66ed99937

SHA256
111ebfca821076ba6cb8a46579467a4fe9e5e6a3157b6b052b69a1d6f9010d81

SHA512
671642d22540be8b9d63ef517a78c7b0c12c808fc640567fad94f00a06c5fe2fe92db998e5fdddb1b947f8fbb3f2f2cd432107440fb4733ac37bf096f0b484e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe.tmp

Filesize
153B

MD5
45ea645c716ab6f8a1127c90f6488edb

SHA1
ed97b9d23594d1034991007c351a928f3fb8ce40

SHA256
a26fdc1cdcc8537a996e6cfa2f77b8495121f847fa45f3e6a992db67c4e41f34

SHA512
e0b3c97212197eb1bdca7103211586578bbc9c6a24aa84aa4b254cc65459fb0a2e6cdf2f992490b84e36a5b26809052466c75ea44c55954f96ffd4889ba7948b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe.tmp

Filesize
248B

MD5
cdaaf26fa2179cdcd3f643851424c8ef

SHA1
c7deb36b7169c755b2286da9476534c179af9f53

SHA256
567684aaf1fda69d6ce02c9539251e7a299a07e117ebcee23a0421271598a56a

SHA512
30b9af42ac481d3252ef69fa4f464d1c238a50b39587ed4fc65f29f2e841bdd6aaa7d072a2b046cac040dcf8abf0635652f17e8a51e25e29d7b570b87af318b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\_bz2.pyd

Filesize
81KB

MD5
23dce6cd4be213f8374bf52e67a15c91

SHA1
dfc1139d702475904326cb60699fec09de645009

SHA256
190ade9f09be287fcc5328a6a497921f164c5c67e6d4fcdcb8b8fd6853b06fe2

SHA512
c3983e2af9333a8538f68f7048b83c1bb32219c13adac26fd1036c3dc54394a3e2c1e4c0219232badd8e2c95418019b9b22906bdb23a19601447573a93c038a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\_lzma.pyd

Filesize
154KB

MD5
401eca12e2beb9c2fbf4a0d871c1c500

SHA1
7cfc2f94ade6712dd993186041e54917a3dd15ae

SHA256
5361824ddac7c84811b80834eca3acb5fe6d63bf506cf92baf5bd6c3786bf209

SHA512
da6b63ba4e2e7886701ff2462c11dd989d8a3f2a2a64bb4f5eed7271b017d69e6cfe7347e3d515fdf615ec81d2bb58367bcc1533b8a5073edf9474a3759f6d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\base_library.zip

Filesize
1.0MB

MD5
d5391ee8538a06d6622f31d3ec907407

SHA1
f322e086573ecf325f422fd0fdab032e2a8c22a0

SHA256
a11b40a99cc08c769c2bfb97c4996d3fe1052a204cbb9e3b4994c3fc4d32d341

SHA512
c0b46b54e4f358d9fceb65d471c755f77817a5ef5f6e87ff33c8d2eef1157d0ded4143d07aa72b92e1a40d6b7b025eb314695c80c85d67a383c14a7495b654a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\python310.dll

Filesize
4.3MB

MD5
54f8267c6c116d7240f8e8cd3b241cd9

SHA1
907b965b6ce502dad59cde70e486eb28c5517b42

SHA256
c30589187be320bc8e65177aeb8dc1d39957f7b7dcda4c13524dd7f436fb0948

SHA512
f6c865c8276fe1a1a0f3267b89fb6745a3fc82972032280dce8869006feb2b168516e017241a0c82bdae0f321fab388523691769f09a502fc3bd530c1c4cacf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32442\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
606KB

MD5
d79e2bf5fc35be7555d89894f6cd8601

SHA1
d4cadea285b298c3f781e1f98ff73d080e03fed4

SHA256
1c824ec41c4c99dbf55dd0b5e54e57f50beac71ba2a03ee7c3d58921dabbc01d

SHA512
5e14147a42bab9836f4d84f73211e1078508e3692564b4a632378822dfea44bbfea26c8ff99582fa1189619f22468f840e2bb77e9ba420b79a00a37e40e36aec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
1602b5e256b4d574345d1cc686dc0eb2

SHA1
8fce4b0410b78b6601a25cc986f2ce129704ab14

SHA256
56555fe39455bae427da7d7460f0eecddd00daeaa57da9646de7446b40248e54

SHA512
7fc5a470f67e5a9563ccc3936a75b951069765b47058777617618b6c0f0fa924c2701c3b80bde23bec71cc90f6748fce0d167a80b2c6ddb88d15e0047683654e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
94bcb09381ad1998baec44bc642e74fe

SHA1
9d2aa6879374e19ff0f0d953223f879de0f39e75

SHA256
497b127c7d5a16a36a715e027627d30cb1bc8d61e4e3f557ad1f51c72345bc5e

SHA512
da02008f8196997b13090f8676f3b8ae6db60e2c9bada40c89a45f5a22eb1a19d01dda2158aa2ba2fb70c9ab3cb64a3f2be119991b40f75b4346fba70abd9057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
672273c66300b2836948c937bb59497c

SHA1
fe6a0e137af63e258a7f3ba20eb38e011c2fcffd

SHA256
f97e2866097ddc486b62cb9a260edb7d83153526847da389aacb1122d9e0b348

SHA512
de008da8f627bef89cc1f84766b1ef0143e8af7586ddcdb90e3428e00faad4ae737d53a59d357f8e024da93808755142ddee8898e6ae6f0b41541d940421617f

Download Submit
C:\Users\Admin\Downloads\Sheet-rat-2.6-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 528474.crdownload

Filesize
13.8MB

MD5
7aadfcaf76affdce9d8f02b4fb66d88a

SHA1
3ca15804c1fa0a44e37eaebeaa4235c86a6f1fa8

SHA256
29ed2cd26ee85330727502ca1e9e60e598f0d3975ce8c845dbcb1da07e5ea902

SHA512
46ebf66a52693726305a4e07cd8c6de5201b01987c274ecd9afb34336736b1aaeb65ab70c04af79bcbd4cfee43d85597297026feb6fb1467215cd57d3d5dd942

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 564233.crdownload

Filesize
25.5MB

MD5
05ea2575676400d0ede7a8cd3ee86a6b

SHA1
c0ace87fdce5735f686a35a46f4e7ab991a93cb8

SHA256
eba91f3d36b761b2bff285863182585a6d7beac773e96043c6a436e3cb683b61

SHA512
78fe987c7e54788d344eb475248318055d5acc2d5b6dda4090a098172145f67a9df4d0946f528ba67d5b15d3157904d8f78e8fdf8a79a3a4effe0aafd8deed6f

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
5740ebdf15e43911abec9e5725e52e81

SHA1
f94f8308971d10940f5d2b89760b29ec719ec8ff

SHA256
b61c629351459de836c2c237aa39fd79189baca9940d90e986c6a50c4f1cbbe9

SHA512
b9d925a7c207e7cf4414485a58e5457c59698682a155659b2bcf21a3b642f2a845c5b6bb0f04ce01924e014b6b924c71bd6c0b44bea2a4138147e168317bdf9a

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
f3848d69a72b4c49fcb5f375646c412e

SHA1
ca1e8d253e44ae39c9f63e275e160e80a85be7bb

SHA256
c649eb4743bf2e62b2e38cb30278edc960d168b6a6e02ac7b0188ad8eebac754

SHA512
0517ebe9d8696a7738f8779229ecead095774892f86052cf1a816fe2a978f1de18b706a60d6c0ece14b536f5be5e5ff3a11b1bc2d73f14db0af1daf417d2b721

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
15KB

MD5
e8768aaac18c41fbecc0b0672ab583e6

SHA1
935148fb96df23fd988d10fa09afddf855a1644f

SHA256
b6bb2252730678782056545c648b9b4cca4b16801eb6818d75cb41138a231328

SHA512
a946d23f01d3095f271563aaf3a7f247dd5dcecda152433108348c43d9015abc84b3de44baa0eab9798cbf78a4b86580dbe7584552e379227088a91e81d59661

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
12KB

MD5
52abd6cb7744942a57bd25af6455240b

SHA1
87f64a748edcccb60303b906caf01821140f728a

SHA256
495142d4052eabe67dc830ba3987442a8adb1e5360571d3267085dd75e5a953e

SHA512
0b0d17f5a29c6c42bc92e6c86f5ab4211de79d1f2453c329cb121690c92cfdab081bc8635f4b8a61d8d396d4f46b8de41f40eab8cff147a38110ddccd25eed36

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
11KB

MD5
3afc732d6a1b3aad08a75d186ff5b537

SHA1
5195b8c3dffcf38be902b927c2cad75f69c66414

SHA256
51cd816dc92ba582121bab8d2ff76f1482568f59dd0ca928662dea096e17cd63

SHA512
1c41a42c6206f7807b0977f46a652314b7ee5d8fde2291a89291da79e56d09b757cbaefbf1314a5898f4c405f163fe0d0f33ab321ea03306b2f5d6b21426ab50

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
63ed7b602bce8ec4f8bf232476eebfa4

SHA1
0ab1c3533e263bd1ce18c63d0667fb2388be0a59

SHA256
233e4e0c5eceef8c68865ad45e4bad82cab926652a50480553661e7d07fb84d3

SHA512
f430b2bcfe67fa7e71b6280692bf1753bf9055112791c76ea6e3bbfca91aa79fd18e37f209e8b28a5464db02b423b83fa9030c112417e829061b219892090e84

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
11KB

MD5
2b18be25ef6eafb386b84dd0992d65a7

SHA1
b990c8df3a31b31dbbd0bca632d81cbcc8164e68

SHA256
4c731e8d70e39467cf006f4669987383f57a442e91d3e6f41ee25fbce97db7d0

SHA512
efa53355a9c083e1be06db92e40838fc17c7caba370013e953396c73b74f446af3b95cabccc15318abb5f72c02bb31e8b752ffa5d557bea52bc1580ae64e2c5e

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
11KB

MD5
5a0770d469c46cfc4bd550564bc83c6c

SHA1
f0ad11e69b76ff128a6311210a1c44be52628ddc

SHA256
1576ac8a53a84dbb7984f9f18ebb48f530d50e84cec2a0e592f81a3e153b4014

SHA512
87b55fc4a3a49063ef4d5e662a516615abf9b6752b8474ca4ac593caad7e706e63389fc796c4370d33ab012780bd2cd52f5f3cc8b284fa9ef1d9c352f56396a2

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
15KB

MD5
538dfeaf923b37af951d66d7440ef62b

SHA1
710add1ef3709ea3361ac45cc512d21b22a2ab2d

SHA256
b552d5a8d7925db753be4d6a21443445bb51bedee108a7a0d82ad799be4aed77

SHA512
a46635360217fa587bdc83ca852a46c54c19590e398e2ef0e509ef2d799c1830add7e035deba20820735be0f5773778600b51624663944f051e509c690932b68

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
12KB

MD5
6763a94d669b4205f30be287ecd0ccec

SHA1
cd2d7fe942e4bb84362325e1dcf5e66a099ddbf8

SHA256
19092e74959b70e55b9c1cafc450ccda29775604b9f89d487d3b547e70815d2b

SHA512
35c337da5f87214efc026907cd01689bd2069cb303277e6c8839d5b7061ddf9e016e24b2f85ff2164d205d52b9d187fa1a39f299898fb7a4447680c7b9c3a575

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
13KB

MD5
736ce52dff413a144561d7876c61f2d3

SHA1
de77e96f9a575d4aa00e7ae6d936a90d58fa6c5b

SHA256
de1c87658d8ce6bcbc36c80f1e8115c3304da2f4d1f47809863fb1ba4e94feab

SHA512
f3ea13b715bbab8e347e25df0611cd0ba446714debfef93540c75024077e776d3e0851a9d7eb060334c212169ac3841d54c71134139cff3b251e5c9c2c7e7e0a

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
a42711c2469bb0e3345299a9a4d00e47

SHA1
06846acb0a66e0c07cf42ce2f6cafda7cb6a63c3

SHA256
0804392cbf2cf482ade817b168d8e996216e49cb4e5a2fcfde69cc6424a69621

SHA512
fc1ee6a7d1c4455a8f269515372023ea6e64f1c90651bc31bfd177205d1792d45c4d19dc2a4132787ea299f3ecc53300b9b853577c41cf959ce4f00b2c678fa0

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
12KB

MD5
6196889015b5b7e13137b828dd3a59c2

SHA1
62d283ebd7feb223956ba30a9bc1dcec7908f536

SHA256
f036b194d0aafa21b5e48013fede1fcb504b96a5e53b98c773103d9b9f8ff75e

SHA512
a332b0f713a5553115e2e6a306e32ed161a6f8de856c2d3f42a3db2f96495770867de87e378ff9a917afdf3e8a2b69668328c1b92c729b2b44527d1ec056de88

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
13KB

MD5
c91cccac49669770c43a5c62a24d7696

SHA1
21af72a0b6a9e9440fc2a59fcdf1bc3e759b0249

SHA256
3ceca45f0a272b37b9ede8f9166596da0b538ce63971fe783feda393d3a80e1b

SHA512
aa4dd9c4a887e6b9dd2bc31627ac8034ae82fc860a4483585956e2cb6b902ce4ce6b7810a193c50d946ab2659dcad47f429b2c8b5c7f849d2a9b29edda0185f7

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
11KB

MD5
3144b879b41d42765d13b7cb0fc7e108

SHA1
5b7537213ce9eb2d3fb840bcaa04a64a23a925df

SHA256
ebe8d596cc163f242c567b2af092f1cfabf04aff415974d005db521d40bab9d4

SHA512
fc88faecbb7667743627b5884f7e099dd8261307e81d169403d7fbd475dd81b03e520771ea2980638a9d676027aacf58a1a121a59facd7cf0a8e35617297b37d

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
13KB

MD5
ecf25877c1d069be55531fed2868a234

SHA1
7693db811f9b92334bbcbd72100a41f93211c5f9

SHA256
699c6371ee4e3ab488777188fbaf6b9b2cc67ae185a68102db2ec58d2d2652cb

SHA512
8aeb3894c20e50bb49ff4e2a8e55d165c1380ea117c00ca5bb6aa51a1417f62014b05377c62c1a15708fbd1a14ed30f9d83c9690a8171e0964402ea2954a1712

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
11KB

MD5
8ca64b0bbbecae09879c90aa54925eac

SHA1
cdc93d961a1ec16007616caa4bce2fd1e7a60a26

SHA256
60e76680554ea3b06dbe669ebc80dc102aecafab8e0f286c446b5567165f2115

SHA512
4e5922a64c2dc9fc973cdec6f5c72eee0d368addcddb9145b8928628f70da1d44731aa836d9d1417f4b6f26e51411517675b604eafb6e49e000be4843bef034e

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
2ac3cedafe3801e4c12a9372e95fc41b

SHA1
d84923eb76b2a1aa1a4deaf438171703120fc11b

SHA256
da50605eb7b2be04b07e0c7cd50830095bd1bda1415072ebab28a321d8b5db76

SHA512
13feaee435f56cb497656e4d4cb2882400e0cc04b5af4c0a934f3724f677c69893c1a5e93f170be1b125720a9d70bc8da3cb9df8d9d21cf84db8845102efd443

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
12KB

MD5
6fc9f72f9efea0fcd095bf50b1ef4eb6

SHA1
2dc770e086cc4650380876bec78441e37cad8681

SHA256
64ab01aa04162f4ed49905c98b75f2436544bc0f7aa1cec13382e2518f1fb573

SHA512
2ef0b2199124709b62cfb57d127ac7e13315310e2b948dc0264aeb3b94ffc373119dae167f3b88c8c5430f09e2fa6cfb7606d9b461df0fa99ed7e2f7d59fd895

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
15KB

MD5
b5c69c61c9c6102067800d67631df0e1

SHA1
a68541feb138c44463d27b3c3eab64f594c60fa9

SHA256
29ce1816c3dd1056e200e255b47d0a6d22a14a70250479a033e873fb2ac54265

SHA512
859134826e8ab3f257e261464d5173009a6e53fe356124ca8138aec359fe7fe90aa900f2ddfaac8170187d4149b6514f32a5d2f5e0bb17e113300ac08debe55a

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
12KB

MD5
1e1c7467673da0402e7bd7e58a5e9492

SHA1
41c99fe4da4ca4ba2d0e55ad45e8aebc0e562a7a

SHA256
cf9f68ece5acbee11b0a7e80fe73a827c62208b3aa58bc781f4dedd2466da68f

SHA512
344800863030185012a7bae6fcc037d39422d1e5fef8b2d5052f21c839a3f72c1298fdcfed7c01070cac8a6ff6f275d93d330177b54251737f26296d5938d5b6

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
13KB

MD5
666777bd2c20d6f7d245fa4f2bea5ecf

SHA1
211a6d0bc434044e62e0274de0358d1b7a2de8a3

SHA256
172504dd17186b365e5cc11e1685e7af12f1be22676612ac6c336e621a49490d

SHA512
6a4150b5884f931ca505cbb358b9ca2d6a70ac665e5d9c9b53a69dba11b17207647f8982a9d067390bd00842fadf8bf0576a1fb71c5fd33f4fbeecafb11ab982

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
17KB

MD5
5d06a7d6d10f74d4747080fe6f3cdc83

SHA1
33289461223b8129bd2cc0629c55de95f5c43075

SHA256
783866f656a01387dcbdf72eaa346d61c92f721833515d07a901c4708ab8ae51

SHA512
645e49dee496301714ba2ad38abc7c2bd9f39926269ee93f47054bf85943bf01f5ba9a26e29ae6b96e6e8eceb752999fd933dfffc0c33b0bbccc0caf2f33f8a2

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
f0c95266fa477673749e49679716660d

SHA1
f7621199b93d6374dfee6c15bebbfeb1f367d388

SHA256
6eab545d8e4cb25abdb8ee701d5832bc6c8fb34a22afbe3c783e87526aefd1cf

SHA512
d203ff7455618febef09fbfed8fcf405164e00d07e74a45c703dc3c848aa6cc37e6d54216184e1947af6b11562e3367cafd452c6cb2a35f9d4b9a2894572dca4

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
ec1bc266800bd5862c64360d0e4237b3

SHA1
5bf789062d9fd2274ada597d317560c75351162c

SHA256
6401dfbabb6cd3f87a29826416fcd3c94dcd77a1c47fa1611a93b0165453ed28

SHA512
b9b5a3911901a1d81ca2242397c9492a5cc686da28a6233b9ea032148853bb7f785c8702d19f7a03a7859c8aee775a4093482350bb7c70cd26d0c2ba74e1891a

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
5501807b36d89fae70f0674ebd618fa4

SHA1
eaa57834ba8667573ca4c5e9afc20757a9c1a7fa

SHA256
511986232f4e2b22b6a20f75282e6b462539a66fddf8a42b0f18200f264730ac

SHA512
393ba250184b95831104a32c40e03bf7f1b075be77015215533f87477d9616b908694397499b0801a4c6ac8b18f496dcdd8840a301ebf8a6b12f32bb93ebbbdb

Download Submit
C:\Users\Admin\Downloads\njRAT-All-Versions-master\njRAT-All-Versions-master\SlayerRAT V 0.7.2\SlayerRAT_users\DDHXJJEQ_Admin_DF93F770\sc.jpg

Filesize
14KB

MD5
d9a05f85173118dd1e05d1f67a4a43c2

SHA1
11aabff76a8010471285fe61df3a4c6a6e1f4866

SHA256
c86aecf3195de4207898a8fec65ffc29940c1d8cc178b3b76658eddedfa86b3f

SHA512
d5acd8b4cb5572489a5cce466a8fae58c2c8640bec047fbfc4cf59a618b3a43bb656a472bf6a7199287158b9bcac0aa7769351c0bc09bb8a7fca8fd436fedd93

Download Submit
memory/1184-1505-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/1184-1504-0x0000000005750000-0x00000000057A2000-memory.dmp

Filesize
328KB

Download
memory/1184-1503-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/1184-1502-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/1184-1501-0x0000000000B80000-0x00000000016BE000-memory.dmp

Filesize
11.2MB

Download
memory/1184-1506-0x0000000007990000-0x00000000079E6000-memory.dmp

Filesize
344KB

Download
memory/1184-1507-0x0000000002ED0000-0x0000000002EE2000-memory.dmp

Filesize
72KB

Download
memory/1444-3077-0x000000001C2D0000-0x000000001C406000-memory.dmp

Filesize
1.2MB

Download
memory/1444-3078-0x000000001D430000-0x000000001D6AE000-memory.dmp

Filesize
2.5MB

Download
memory/1444-3079-0x000000001D6B0000-0x000000001DB54000-memory.dmp

Filesize
4.6MB

Download
memory/1444-3080-0x0000000023420000-0x0000000023482000-memory.dmp

Filesize
392KB

Download
memory/2368-626-0x0000000000A10000-0x0000000000AAC000-memory.dmp

Filesize
624KB

Download
memory/2372-1484-0x000000001C110000-0x000000001C1AC000-memory.dmp

Filesize
624KB

Download
memory/2372-1482-0x000000001B530000-0x000000001B5D6000-memory.dmp

Filesize
664KB

Download
memory/2372-1483-0x000000001BB40000-0x000000001C00E000-memory.dmp

Filesize
4.8MB

Download
memory/2372-1485-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2372-1486-0x000000001C370000-0x000000001C3BC000-memory.dmp

Filesize
304KB

Download
memory/2372-1487-0x000000001EDF0000-0x000000001EEF4000-memory.dmp

Filesize
1.0MB

Download
memory/3348-694-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/4072-1519-0x000000001D660000-0x000000001D7BE000-memory.dmp

Filesize
1.4MB

Download
memory/4084-603-0x00000000006D0000-0x00000000007A2000-memory.dmp

Filesize
840KB

Download
memory/4604-630-0x0000000000B30000-0x0000000000C78000-memory.dmp

Filesize
1.3MB

Download
memory/4604-632-0x0000000005C00000-0x00000000061A6000-memory.dmp

Filesize
5.6MB

Download
memory/4840-804-0x000001E535700000-0x000001E535720000-memory.dmp

Filesize
128KB

Download
memory/5000-659-0x00000000009C0000-0x0000000000BA2000-memory.dmp

Filesize
1.9MB

Download
memory/5000-660-0x00000000079B0000-0x0000000007A6A000-memory.dmp

Filesize
744KB

Download