revengerat | 23b816ce9fd19977c9760a94e258b9631ce9c79c3705f9190cbe22c00f421877

Analysis

max time kernel
435s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

court.bat
Size

3KB
MD5

8f552193a9634e5212ba7fc7f23dc54a
SHA1

6ee0c655994ae65693caf05ef2f8ae98b22e9742
SHA256

23b816ce9fd19977c9760a94e258b9631ce9c79c3705f9190cbe22c00f421877
SHA512

a3017ae55f9451b22c03066e0cc4ba74411228501b5d789c8ab813b2a092e26f4d3636b1759d56949ed7d1ea8355593224b9c6cc3dd5707219d9ec4c915669c3

Score

10^/10

revengerat guest agilenet aspackv2 defense_evasion discovery evasion persistence stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001e00000002ac82-483.dat	revengerat

Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000025ccb-1710.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

pid	Process
1952	RevengeRAT.exe
664	RevengeRAT.exe
1924	WinNuke.98.exe
3100	WinNuke.98.exe
3196	WinNuke.98.exe
1488	ArcticBomb.exe
4836	BlueScreen.exe
2728	LoveYou.exe
3164	MrsMajor3.0.exe
4512	eulascr.exe
4212	YouAreAnIdiot.exe
1116	YouAreAnIdiot.exe
444	DesktopBoom.exe

Loads dropped DLL 1 IoCs

pid	Process
4512	eulascr.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/4512-1500-0x0000000000440000-0x000000000046A000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Downloads\\RevengeRAT.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
42	raw.githubusercontent.com
106	drive.google.com
2	0.tcp.ngrok.io
10	raw.githubusercontent.com
10	0.tcp.ngrok.io
36	0.tcp.ngrok.io
36	drive.google.com
37	0.tcp.ngrok.io

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 2820	1952	RevengeRAT.exe	110
PID 2820 set thread context of 1040	2820	RegSvcs.exe	111
PID 664 set thread context of 3164	664	RevengeRAT.exe	114
PID 3164 set thread context of 4196	3164	RegSvcs.exe	115

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000024f58-1057.dat	upx
behavioral1/memory/1488-1067-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1488-1069-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/files/0x0007000000025b84-1374.dat	upx
behavioral1/memory/4836-1379-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4836-1389-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopBoom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3760	4212	WerFault.exe	223
776	1116	WerFault.exe	227

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 900644.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopBoom.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 549925.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 588555.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 7975.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 699489.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 121870.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 359234.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 837099.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 663136.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Walker.com:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 507694.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 433524.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
880	msedge.exe
880	msedge.exe
448	msedge.exe
448	msedge.exe
1476	identity_helper.exe
1476	identity_helper.exe
4672	msedge.exe
4672	msedge.exe
2340	msedge.exe
2340	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
1440	msedge.exe
1440	msedge.exe
4940	msedge.exe
4940	msedge.exe
4456	msedge.exe
4456	msedge.exe
3916	msedge.exe
3916	msedge.exe
2784	msedge.exe
2784	msedge.exe
3912	msedge.exe
3912	msedge.exe
1960	msedge.exe
1960	msedge.exe
3000	msedge.exe
3000	msedge.exe
1540	msedge.exe
1540	msedge.exe
3576	msedge.exe
3576	msedge.exe
1208	msedge.exe
1208	msedge.exe
2296	msedge.exe
2296	msedge.exe
1348	identity_helper.exe
1348	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
880	msedge.exe
444	DesktopBoom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	RevengeRAT.exe
Token: SeDebugPrivilege	2820	RegSvcs.exe
Token: SeDebugPrivilege	664	RevengeRAT.exe
Token: SeDebugPrivilege	3164	RegSvcs.exe
Token: SeDebugPrivilege	4512	eulascr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
3164	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1948	1704	cmd.exe	79
PID 1704 wrote to memory of 1948	1704	cmd.exe	79
PID 880 wrote to memory of 3796	880	msedge.exe	83
PID 880 wrote to memory of 3796	880	msedge.exe	83
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 2216	880	msedge.exe	84
PID 880 wrote to memory of 5056	880	msedge.exe	85
PID 880 wrote to memory of 5056	880	msedge.exe	85
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86
PID 880 wrote to memory of 3616	880	msedge.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\court.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fccd3cb8,0x7ff8fccd3cc8,0x7ff8fccd3cd8
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7028 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Users\Admin\Downloads\BlueScreen.exe
  "C:\Users\Admin\Downloads\BlueScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Users\Admin\Downloads\LoveYou.exe
  "C:\Users\Admin\Downloads\LoveYou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3164
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\40D9.tmp\40DA.tmp\40DB.vbs //Nologo
    3⤵
    - UAC bypass
    - System policy modification
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\40D9.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\40D9.tmp\eulascr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1228
    3⤵
    - Program crash
    PID:3760
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1200
    3⤵
    - Program crash
    PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7300 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7220 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Users\Admin\Downloads\DesktopBoom.exe
  "C:\Users\Admin\Downloads\DesktopBoom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7248 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,12836100111804383098,17261011191645318477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4624

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1952
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jqyb7d1t.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A5F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FB67435FEF64880A7CCB5A40912683.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4hzur4ji.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35D466D9F5A84DB186CB7D853F7EA5D4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjx6_3bk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3906D0C1199840309D1FDDF9581C84.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y9mgk3ox.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE65B0363ECB49F38E2BE3FF461A8E6E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ehnqzi4p.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0C4DB1FCC064DF39B55BD792736CC2.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3144
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mylr-fdn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D3E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62DC61DAA6444446945FD443DCF9B3EF.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wkdeqovb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB44379243E76427E98EB491D84A08074.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvv3in52.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E28.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC96FA10336754D1589EB8433C8DB86CB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zpyip6c3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73E6EE064EB94A5A9DEF3AA9D0FDFDE1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rku6kw3w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EF3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4D58F23C88B4655B34715702C8AB2A0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wgflzvxj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61F615B8777043638B5A11E441C9E53D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\enfogg55.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5177D6E0CC814AFDA5328B2860F184E1.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u193agfq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES405B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB81FB87D00745CA8AF9117AEF8C7DD3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\itjhajxn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc451F3FDCD72844D9A1C1B76D8898B43.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:244
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwpofdr4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4135.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EFCBDAD4A904A31987277FED773B5E3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ia6am91o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FAEDF4E52140D5AC99E7FF4EA28824.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1440
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x-3uqddn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6901759A97146248C6618B1FF67A4F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\81a4pirr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc225D069DF02C45818874F5CF5819D27E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2152
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jp4egoxv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4339.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B641ED06B724A238A76A007788CC44.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l8sje33x.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3C2BDAA4C374EC898ACDF13ADD7B34C.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oczjklq0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4443.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADC73E6CE5714BFC8265ADB9A427231A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\Downloads\RevengeRAT.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3792

C:\Users\Admin\Downloads\RevengeRAT.exe
"C:\Users\Admin\Downloads\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:664
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4196

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4212 -ip 4212
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 1116
1⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fccd3cb8,0x7ff8fccd3cc8,0x7ff8fccd3cd8
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,4432621681976282911,5067533198187451928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4a5d9cadb1baf0fef92289489e71cfd4

SHA1
13ba55539c99b4ccfd40f16acced9a5ee77aa101

SHA256
1ab3c43befa8e22fc85b9acc52d7c8d008e438a256d29aef223048e8941e616d

SHA512
8fab6e74c967d3a00280c52d92853220d4ff8ce39486610cf03299286b9301d82709a0c3a5eb2cc7b920db2134f9ffdd96645a89e973c88f0c7c5e436e12a530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
55598db3dc40b52ef5937f295fe3372a

SHA1
4ca25d612f4759ed48f166df42e42e0b9be44819

SHA256
780a259ce0e385d50d83d2335dae08af681fc49ef9b0f3f0727d5ca8ba992cc0

SHA512
8f6a05691a334351ea534671619606f244bdfa761b20f4c42f60fe8378b56d1155af0a612f3dfcfe9ebe96ee1edd97fcfb3062113eafa57e2d4349ea9a360c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
27d9344de055e50044e074ec3b54231d

SHA1
d07ff356acb90c9d4fa1c1e3e48188b1a2eeaf8d

SHA256
d5c1eb2d4d0a13aa42ee68f03218ae01f420003f64f572b77cbff7d61edff388

SHA512
ad045b2f4e6d58e43de1e26a1d5c0a46d912b65caed68ac4bc07f0c26223c5a9927a74ccc8956e074ee74db6e7b05415f3baa3634a714f3048278982bcddf26a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
0e5ae7d24cbd1a6f91db56aeffee6e48

SHA1
345033c13fea4de92aab7b762714e476f6f0cad8

SHA256
7d9c9c67abb01eed11f0d8856e520b54c8918808f7c86be6c124d26a52ab7350

SHA512
46fde2ae998d4d3ce0d1c1d6dde0ffd47f02cc6d7fa8862e5a4114af989dddc47dfda77f3386c7151e1d2fead06fd99d140a1209ef79b3643f6c15328152f795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1f687da0c5d49ba9ac64b98376c00f28

SHA1
f8c5c3ed8b21d9292b9c3bc2baa0afa874a9b14b

SHA256
84b91d521a45c114808685921b19a508c9b0aee793186cc0cbaa3dad59f5f8b3

SHA512
bb3733885f0b8b7861ccb2a4868e7a9eb1cb3fa6397d7839f95dab73ae1c606ea0a564fada69cf8cbc6bbe68c2572607f73a0a01192188e6b7114895d214da17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
36dd9e1bc5aae0e3048af2bf48c7dd7e

SHA1
9c69ae53fd204c4e2f353403663d139839e2d587

SHA256
50dfc16b91805245b1beb61b5e2ce1c8f34c83d6acb834d20c605f7a7035b437

SHA512
0b69fb086eda3528c18a02802fa6f1c5f414281a6256bd269005fc3182f021d98a2bacef00ed6a7882bcfbefcaaf2335cb5c929343b0cfe8b843897b4008fb08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
344886cae29111e81e8613358baebcb4

SHA1
2340edfbbaa34f34279d9ba4221d0b75994ff98f

SHA256
d9adabc94f5b9b815fe22dc7bc0d96e3f62cfbd23539ce662a6759fad9d17cf1

SHA512
25cd05c091e117bb8449be3aa21e3f364fbdd25b17593df2bad570b6f83530da2fb8c206e58ce6160b81597409bfab0c6cd06926c4917e27579e752b52bc82e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
be0a178ee5834b6e616353f5eb2e8b28

SHA1
11e2a05635e8978a4fb5418e76d365c6beb7a45a

SHA256
848d699d89c1b409a7291d716baa53b834be0503576e2def2702c633615ced28

SHA512
4945e6509727c854d3755381a8a357c9305332fe11b53f415e3cee8445d67d268c27b876149e1b920b7c9a82c0ea5c25a4daf07ef961478ecf1f27ee7f59d8c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dfdb48b0a6d46a2f9b67f15c8a2d50c2

SHA1
0fa75b47139a401be784d843a8ad899944f48d7b

SHA256
eae82b1f48cef1d3598fa23319a01af73fe051fd90ce47b732903ac3ec83ab59

SHA512
7011195ea4a264ba258ca483367dcd7c1253da0f8f4497ec7f683ef1e48f093455cce7bd2912f2c27270fa0097fb966a2520a6e81bd2c1b0a288a9ab619ec673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
255ed9cd3d985633d5e5b8ab0871300f

SHA1
9825a8b8cb4e69d1b90187dbca5aa3f88a3a85e0

SHA256
6a1699b3a7b46a05d938257099d23dd309175c2bdb03563b27fcc03c78551572

SHA512
e94b94af41a261d3ce137aeb5e32cd3c783854b0150486bfd3b6eb42abc6b72fbf2a64d2a6017dba662bcbed41b3242f00aa459e07f4fe8ed7107867cb9cf823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
31f9913401cafa7833302068e3380412

SHA1
bf9ebb1a431ba439fd1fc0402d345c8d5448b982

SHA256
2a3453ad2e2f2938182e42d2aea9634aebe29de5e746bdf73b9fa6a3d28c3875

SHA512
ee7e6e35745054e2b94c5b0eeb99c66de1e9c81dc59ed1bafebc11732d6f23ced5ac655dd15fc8b4756ede73f6078a23ab9b364dd4d5455dc6850ec99bea5ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40369a91a2b3740aa5704718391b19cd

SHA1
2593dd25735cc0f3def435a8abec637f029d70df

SHA256
56a1b095ced6b26ec92728607bca0f878c1703c894e33a342e04b1362399d83a

SHA512
5d3003403a3097bb60a5ee637af59751e09ab4b933fb8b3b2f63df088d0d53648b610c2da4ebeac2b921dc87ceb005c60e063a67e4321981eaa4fcff923f936c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccd9c3c857ff72a75659944290679a21

SHA1
1e22385ebf74d6c79bdf269dfe4fb20b1caba4cd

SHA256
b39df284e2948e46d51314a6ca07c1621fc70850cc1b1a03a30353b1dbdca121

SHA512
d0f8a314cbc4cbc233d400ea8eb65398cb33e7bad4c12a5b81ff034496ed5e6df759c1299cc0e9e34cc25a74770ae2c5ede0410b3781c2b3285e5610a23d4407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
700f447142d2d247a00c9b0c601e66a8

SHA1
7fe409cf3a68363d03500357a7d12813b87e4543

SHA256
c28390b20e1839a1123c8850509f49c17a63b37152c54541b42973e8e23e19e8

SHA512
a532011c7c84e8ce38a29edaf8f384d3a8921ef21124c9674b61ca88c066d03f4c4c399c8990234a1c520864b901aeac07db6f249235932a35145b5b8ed36076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39b754ef6f8e2c7c8cac6ae93c482853

SHA1
bba4d72b5623c2689c7c63f36605dc98114525f0

SHA256
204346f3a2b44bf01a3e075104f023a9eecf0f5b392ba8acbce09ee194d1306d

SHA512
90c3345c6d8ec5513e0a0cb2a7d3ab1931a54b12b4110a6fcd773b62a633a9a4032a59e1edcf5d6589ce378d5eb5ae72ae4294835c23881243ed74dc97beb548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8a0057f002b27638deb3688a03294b1

SHA1
9adadb4a084a79cbb2abccec968b052050638e9c

SHA256
14f618212611a114f020717c064b5e6359037e735b552d2d7b69d7bfd55db4e7

SHA512
af34cc84e4d2a4686a474ce90fc64d374213a952ed8c115c17accc4e1f07e940ef198f6980518690206433cb773d0c5c38d7e0f7c49e98e3d64ae9b095980d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2411d73156329cd0411a797717c6b682

SHA1
227a3ff26805acc8d9b8209133eeb963cc31992a

SHA256
74a993feb77d888dd2d514e3aae8783c0d8b225671260b5ad8ab244d71258667

SHA512
a108d24546f2b1c44bb11c763c53f4440957ba715a4409c4baaed6bf3384fbe57900586f946f9ab69dcb3ac43edcf81bb5ef3f75ee36d73041b16352eaf73262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
813dbd14f8cf4b4b91ec2cd54733d6d3

SHA1
1c210ad7f7c5cff12f34cf40823af88dafddfc60

SHA256
b231ed4971906d3fdc7aafcaba9756560aa0e8f367cf3bf34f242edf04df6b75

SHA512
359fb730efab961d5475d77fa860db63d2d47b86817a99026692e235940cc76518977b1a36a380a31c5e3ef2cffe75457b8d749a786bbf27d993d1e7047d6173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa6e9ce6e9a410d94957e00ebe91da16

SHA1
3acee2eed83aa9d5aa7ad9fc8abed471ef5886f3

SHA256
d5c2cc847069eb8fc9eefb5bb3a6d39576c362e4471a983aff37952682fb468e

SHA512
ce941380f326a3e72945d54ff102787ab40a009c7142aa149ec953b21dce4653221b73b9a44a9b6480c2b80e1a4efc6caad667640696735eb6a1732f23b750e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3dfef30b9b777feb33d9c171aeeda0a

SHA1
8b073d25ad656065b55149c04fcd44f6367abab1

SHA256
ea449f19ab8c1483de2a767a25f2ad599a86405b06031d48e0b8d8a76e093cdc

SHA512
73ed3f14295f7bdf29f1c4004c9dc7a071048c667ddd2c913c285a13edf3d209b7eedf780b6b175fa2ef7e6bced3984d51ed6983b788d366b713874be54949f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a53732c8885bdba4f7ee12aae90d991b

SHA1
9388d436e7a2a8835b3d5c2edfeeba10ebc89675

SHA256
de81dd585261948291f84cb64f29ba6fb5b8ead26b2c16d92de3ad84d130ce30

SHA512
160b52728a84d1578436c913ee4870433d2ed9b72adf2f75cef47502b8d6aae00c924dbaf84f3da37d34020dc38b93981131b15af5f84e4cf6d500fe65860cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76db81260f78337a915f1a4423183c1e

SHA1
1e588dedb2f53c78dfa96a473b090ec393730732

SHA256
837e5644c11810309824e52bb9303d7967a47b1917d18bcf050b9db042ea936e

SHA512
0d1f25db592d2c9924e394bc40cc0bc94e43f8a97c56a37876dfa3abf9fc5444640c9382ed49a29c2d39bb605ad0e4fde9c3059db6e6fc050ea6d7857846048b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70211cfa7a6199b38e2d587febf27704

SHA1
41766175a88b5fef587877518104b077ff21858b

SHA256
99ac3d130afe943f37b06c03d45d40cd75986be3020678fadbcc6140aec76a61

SHA512
aa67bd0e13e6cef9fecc39e7e3eeb118f4d838e4bf13c066d96d03770f18a5fc018bd1d205b80f3b40016b4573b0a5cb473e43691baf4dd2b388b50bb48f9f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c52aa711b71e699019275fac85256e3

SHA1
e7320b353f17bd453c0ba6b1a4a039abbdc2712a

SHA256
222b7ecf498e0483ec9c56d6e34af1505b384faea0eebfe4824b352809c73014

SHA512
6bbf014b7bca5e2433f6b119f59b4456a4ddeb0f2017786757fa3c5a2058abf3be14a41d9e99b590e0352249e87185ddb1732a86d94815cb06edb77b193e8e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5dcb1d64c2d3bfe6bffb0b427ea830c9

SHA1
ba644d9e846ccf27ffbd400a3a2eda5d9b594014

SHA256
c2152b44832f0c7d18d7ae6ce15afa89b00b1ae1e2512f6b242a97fca72e4e09

SHA512
2e81dee4e8e399ee1f66ecc7f3228bedff25a6898fc5d67589da2619a2375fd768b36bd1270df0a58819ae090c9f24844074127cb4b5d0cdf0c07412af80e09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6013cff158da378e679321560ecd94ef

SHA1
803ac07e77758379490f1d4c4003912eaff59d49

SHA256
952fb34f75eabddc448a23ea2451f7694501f15ad8cdb89e6c52451026ed6a99

SHA512
95dab4cfa93a0bdc700cfb61443d8946991d917d0422510c0ac60ac229b757035723d94de4fb8ace74fe352941b61ef1340202004ecf3e65c2ec3b082316c7f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27e18a58c250a718895975f679527d5f

SHA1
c9b3749b647dcf62c4ece093bbd9f67eb82d8b6c

SHA256
f67f22ae32f7cbda41fc83a191d6511cd5e618fe48a5f13199dae5c5920ebd95

SHA512
a74f445720b37c9f5587c459e3d74191fd9c6995637c23d2b9dcce781b834d82496046990173ed12a9d76073b0c3b6cd61a031013502dc5484c32889f357d0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e49c15a7fd01546c34dfbe3fd3cd38cf

SHA1
2fdcf3eb132f373e19747c7713d16a1a538e1035

SHA256
eed31005b7063e40e9a63c4a5af3be841168cb65ee3c8bb12d1dc72c0886f0d1

SHA512
188b0d36c16c6d29fbd6718bb64fcc83b95a4ee11839214b5bbe6851255d7ca0242dc9acb5376ecd4678a37caa0dd406c10931b9542a73d387348c93bab62428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
828d73d7f1ad095e0d7039ffcbc907a4

SHA1
e7a0c7f50a424200879d55bcbfdf4f656a23c955

SHA256
e8f750f67b2a6285effb143893053056295db2cbf608fdd31b4ed9ab6f1869ef

SHA512
0e83830a1f10c15dba83fbbe61b1d4186dc6db24c9107702ee196e540d2921be39818376a9c89a50900b8d322c64fad48d2f0abfb8d5f6dd9ae94c3779a34712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e7d583e36e06567fb9407d66c0476763

SHA1
4ff2be4b5463bd919dedc4256fa5023cb0da3619

SHA256
d41ccaa99f3a8e746558af4ba71347ea12225dc1c54f9b0bc44a8c1565b8434b

SHA512
fefa0ff7776bdf50995db5ad3372d4694283318526ee02fcf47a49802e103b2d6bf9d5b15505cd01b6f95e8fc0f00a3ce27880a8c2a59c4da7426663bc82ade1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8d4b519d60f19f695e3aaa9f4407c1d2

SHA1
a0af15ba1d517f58be4744b1b14eba5eeb93104e

SHA256
921c7ed99d6cad645e8402fc66a3da23156408ca7ed209f32f36e76ce81276ca

SHA512
4003ea0794b94c408473c04a3bdb6b489d9d9126a614dd7b09b207dffe6256dc6a3bcbd1e10d3412221c9b82ba646b5aceea1e5ec405a22decdc2c95bb399033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16f9d68fec9523fe788c70bc59da9d3d

SHA1
f9871106b23a92cac26d99123f2a76c86a10ff62

SHA256
947e5f45ab4f2f2623e76df6a53f3bcca40ff392a72b52df57a716c3e9936df4

SHA512
432ca324a9d7a09ab4b8b1f654c65745b98b554c0900b559eda6f200ee243e27c46cfc0aed1b4bef79e111b0e8d49fbbb2660d0d9300442ee6af09a7032e834c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ead82cd968973845be968bdb2faf4ce

SHA1
d894cfa7e8d2c8ff5a2dd09ae9047db463ac0fe1

SHA256
de56e00014d5f2efb5741184c9c1432822ea15360d847e31ed4a8cd354b33cc3

SHA512
e3f1834fb4f1f825521c7d9717996f11089c17c9825761ca2912c94ec52cc9c4d774c65e34c05f65c0d99ad87d30b5335a546ca965c039272e7dc4124f63f22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fe42246e68917af5ba3cc556ebf3c237

SHA1
53272c0dac327ceee2cc979385c2864d9e4e8f78

SHA256
4974f847b357dce5865aebed83c902d77cc47157173f2f3fb3ee92b78d9f11c6

SHA512
5f651ce7d83f6f6269ff5e711dae6cd7227c68830066346db1508efe8881b478b016c24723185ff6fb166870558a4d292e0755ec28ad0289f5851604973c1480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ef0694d2cfd5af84d723e13ca0ffae1

SHA1
8f5294528e57583bd32ee6c72c2de8d359863d45

SHA256
1f60fbc310695a1fff13f272125050a31142af4bd360ab14077807b6242c28a8

SHA512
a1c204429519fe7fd98af09981a0926a9890ed674e9667ff6d9f26d3722771a247ded9f84eb079a6a30512b3dc4f8f29673d52c618822d356b276361fd306c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdd500f8a28504b8f8c85732f49d1097

SHA1
4998ad409b34f5a78de59b34fe4132600e598d5e

SHA256
ff695619db19a91264fe2930610fe0c7c01245be0d6802c293b59d42108a5f8c

SHA512
e578a1bfef176647b59eee573809d3ac39db992024c87e3fed6a03a3d10b81d4049310f12a299c796a2760d5788ed6f14c8fe48aa60bfdb3554faadbe603bb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08dd35d12120e25118c603384ae37b90

SHA1
b0d28ebf37677cb5b2c3d9c7859ce3c30088f732

SHA256
7c66a4eaf691f8f4ab5c9ae2454e08cada852d0088c3b72a0943e66a0ab91603

SHA512
e38edd3dfba21096b3f9d65aea243caadb9f6066262299b828202e6abcde1abe5644c7f1caeee190bfc7693808fe4ad13274ae98eb26f987d8f5d42f0a1d956d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9b81f84f623a10f06a3761f4a1fe786f

SHA1
8e365c58a4c31dfa191a40e32bf46d7ec34b2beb

SHA256
dc72fc573e9e02ac69addb476361f17785cbe13647026131abdeba41ebdacdc2

SHA512
f3f13f7de4c5a9e8d6e5a12ca4b2f7c4148b1835bb4deb2cfe94768a670e7dd8920a3391fc1e9180d1419860c0a98d3662cb6d12d637236e8da743cee7f7110c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e642dfaf2824da5cfe326882c7011567

SHA1
3cff1fcf77e8ed3f23a32d03817fad65843d196a

SHA256
c99f4d5d0401cb647da43d4eb25d0661a4038f3690cbf3228c9994adf9f6fd07

SHA512
e810499e7bce49a35cb6f4548e2124c5d6798883afa7971f8b956ee9975e800d51a0718c0a09735de89f07f8e09fccf3a31e0208c6be3a5da6720680689ca799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8001e3dc24cd595c79081c604d3b429

SHA1
9641752cecf75f34f0e439557e9184c479df918c

SHA256
19e375ad9a8a658942777500bceea94beaa57eb8c5a8848a791a2cb2c0c4c32e

SHA512
8121530445812243123dea5ab473f21b35c72e58f331c80eeabffd8bb3e11bf71c0ae892cbce60cd4c80f561a992ffafd84398ae0cf3a9bf6bb87ab7017f1e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a3bf01543c328283a346015b7c432d5

SHA1
e873503f8743cad81f6d5f058659ee8167b1f8a9

SHA256
c7981c1c9371f4ca04c6444813eab3ff9604ba529d63e465e7d26bed030d5c69

SHA512
e210da5ebca680e062a426e7e1bc25730fc750f92c5ad41ed45037373fb6ea395cd39b1cd6aae4b276321a699ab06ab30909cfaa6cb54df0c5553261bfb0b7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f82bb40175c8f9776029205e4eda46bf

SHA1
962c147e6e6b1012bf8b96358d6b84d715051a6d

SHA256
ca7cc6608f4c0fffc7dad7bf6d2cd9c49d16ac97e29b1aa0d2b5cc49950da02f

SHA512
3cfec1035ed293455799092edc8a6b5794f1f6e6c5553c1b107b1f118a8a1dc3eab9bef5faf35dcc97c448d61b4d1f1e3a80a80c3a5be5b581dbc83534f1cce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16930a39d77b54f1dbc9ff6abc2284d9

SHA1
43058d0a6a60d6d15a697e36c1b6443112936250

SHA256
67df2104228b23fd4a7405c12199c093e7c4b7099a54b7db409baaa7d31227cd

SHA512
e3f4fdfc180035bc0139f192cfec114035ddb339d8e2b06ea9e456d92c701d9cb533f6b1b34e498fb869087957b6f1ec7ad49496b82f7f80666dfb141bca8160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8437bc222aeb8fe15bf7e17a8c305172

SHA1
873ed67204f569545b3133e7123680fe6b749cb7

SHA256
09613518edfcc7186c6c7427832102c6a588610fb414b3fb162d9c6d05962ced

SHA512
7c2d74c047e46f28d61db8c17798c479fc7d0707d8f17da86543dd2c6829d56467bb6e6d125dffcf1056fef3e2c0b7bcadae6e964e9fb734a754de8f99eed512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18562f7248b555953882d8093fb64ef4

SHA1
21b73445d48122779b563cd9365b7d7be38a9b6a

SHA256
42e6d0d7af860476838b65ac44ea2705b36f56d6d03540a72c8fb5dff759e4e7

SHA512
b0c001596a0c2b19353f36730f9a8dad417080b209f3e640f7472e271c5a8e4de229781d7e638eb77f4bc96eb86ef20f6d2bb0cbe3e38f0385a3522364c6cca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5880c4.TMP

Filesize
1KB

MD5
aa88acf0ed634912a9bba9b8b454df4e

SHA1
468f61afd41f0e623362ed7a315d67107d10e9c8

SHA256
c93ff843af40f2811120e4ff41ea0f3a150f17a2227e564ed84c7fb01b63f996

SHA512
92e8c00db016324ff1525bfada0f4cac57e07f984d3eea3f36e19ceec2a7a95ca7855b3257275fc549374d9340c33b6228d15150d445990783f6ebded7b47de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a4e77fea53d81abe168510343b1dbfdf

SHA1
127248f68ca3c96ef65dfabf62d956b4806f7507

SHA256
ecb1a4bd96fa0f700affe5373ec9babf9439f56125bad074e01335a9a223f26d

SHA512
a411a1efa8c4910f58f815cb03f69da23f312c2e244691749b178913bae661c454340b061b96d9369759b605cd8e04221ef43ec89440d6edd3961b7952f4ea9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1387f08619932f950828fcb3cbcfc1a8

SHA1
176e8333a340e16feeb6c83e82c64fdaec37072f

SHA256
507726a47ae5b4c5e887050edf9ab01f00886e86f4b6d13bf9c7131271ea427c

SHA512
787a8b5ff3dc4e7fa22b6014c2b0be78c8aa97717bb00f278af550f9b7c5ed188c461ecb6f9ae6dfbfb6386a92ad0f74c31f2502ee97c29ce035c11e58229e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e069f1ab7c7ee6338532c436ad9b9661

SHA1
73aea4810814eeda2d6e6ce786229f373b1ea5ef

SHA256
5116304d9f95ef12c70545c40e75438ed2961b945c6dcd7aafadcb7d62630cbd

SHA512
e91a708cd201fc0b1b4555664d468be3e538337256a48e7ae95657b317559d8b0d6184cd48ecc1c8b59597fdb1e9a0c206a10232e7f5c325c66edcecc4e17d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7ad8132186a9f3146225b34b8675624

SHA1
455ecaa92c37067876d977a0c1eefc8e7a1a0032

SHA256
454c09f049a64b1826f96c47189a17b03b79fa442d41b2694b8efbc3933480b6

SHA512
4e9c3646bbc32895decac2600a899f59357d79827c8c97958eb5792d67a696e34f85c05a1ea4212df64f41a38f5d337a7b5d098a79d313245719c12746da9c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
edc38f8cb28c50824bb832a23f4db347

SHA1
8dd2ac6dde4371425007d7eef6001d01f9158de5

SHA256
e25c5a854eb99650d7baa5b7f0f5c0d6a0d2a0ebad3c1b605c6ebb8e0e051f49

SHA512
c0d51a1b18c35ed442d43613b43ecac52028b0b948ce0d97bc8622bc0aa1cbb1860605647a883c16dca22029318f928bc859d816af701e0da22de25c5f66d366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fb55cad4cc1a19e1eb2953abdfa4c0b

SHA1
2926f7ab66d02f15e3d46a4424838d94f44588de

SHA256
545e5e1bc046770ab44f515105fac006507285947b0196da93fb467815bc9eee

SHA512
2cfff6a0b75bd9887e587ead64d4f46061572e81f2340791f4f56dc3402cf48d494541e9115a9e40997ac16ba6ed0c7d4df8eb2c0d57701545b690e748588e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2e67ac24452ffafa4904432d4ee777a

SHA1
27025691f295d446c04df86f93ae7dfe245777bc

SHA256
b7c574702a95dbc5e670a6d349959c9a9d108022165884f6e3bb3433fe831ff3

SHA512
5317214e931cd996c617ba51b7cba3ac088b8aa96cacc43b6bbd7a88e91e683990e96148c405570e38bbd7e374cc24c3900b1496d8402d07717979e48061e709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b855b5401a7231c2480fce82c205fc7

SHA1
094445683dd182fb365e069059110745a7cd5fe6

SHA256
51977e240a0d8d3d0233cbd0a08a2c98509f2ce0fac9a18dd182ede4465fb781

SHA512
1787b7a25fd59ba705a5310a6a3af224d56276d2c660a0048005df234c216049f5b2266a630a992ea48fafa4ca747f4282d22760d670d81c7d6c64e4012c8b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
200a77a6a41b9fe46ec5e48ee6f003b3

SHA1
fa5d8fb662bc77989bad8116c547df240d902ba5

SHA256
24785a2fcd93deee4e99189345de7907c0beda12a46ecc4d6f98396ea1873c2e

SHA512
690401d2846e0979e9c9128adb6c8b9c28a097a6f0be985f19f6e858a551b6ffe4eb6aea9340865f15f6469be84572f8367468738bc3cdb3ef6089e2b6c006e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ceb4121e489aa0753a6eb56144106ec2

SHA1
3ebba6cc4c4f5b0f11199fc0092ac2dc0543b93e

SHA256
1bda772edcd689e759cf293db8a1383e951432f94c64d1bfd4092ad4d6a8d3c7

SHA512
02073b981883129e8b70bb70593ff34273eb6f81078a44e9471bace2637da4381deadb3f559e6cdd37378a6638beef9919837ce032a99b02eac565552c99130d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a37fbe371fa24cd89ceb4c52674bd03

SHA1
df3bd513adb88dfa9f03d21978f4b6773db224a3

SHA256
c3e3727c13c8c858f467982527580288d43d357d68b5c59a6ad7b3cc60920211

SHA512
fc46be1c49cecca0e7cbeb7b86e83a5a561d3bd285d52471e149e957f26c051b6b23adf3b5442d5070fe22f36a9229db6d27e65b4a7e460442f67f2cfc4cceb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
71047f005e30169a32142debb138b85e

SHA1
5393a748ac08453cc8461551b30dd8ddf5ea08cb

SHA256
7ad90200b16f8c5d9aabb5784283d0f9932a98c23c6b7ed6c4acd14888d70cf3

SHA512
92204ea7f444b48601b9b61983c63cab5f9aeb5bc88191cd4275cb272fb6016dedb692557ce26308d568fc334ef601fe1758c4e63d86b5a5f1f0da2b2b882f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hzur4ji.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hzur4ji.cmdline

Filesize
224B

MD5
97c8c8a2c654216d0334ab60b06d9417

SHA1
6d6b06ad7af7d69e2d1c125fbe28208ebcc70f2b

SHA256
ff87e3e90fa5f0d4f0095f8c4977734400fd70c1eaac795577d7b657d7bd2ca4

SHA512
fadec1fbf35b614ffd63c5500dae0e16020b5260aa13c94ca885f394f6bc631b10d1ecc6f5cb3c8db71cfe1bacbd750b54d5e91106cd964143252b4059dc517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A5F.tmp

Filesize
5KB

MD5
59e9db9fa0dc6871e7902ee107020691

SHA1
7e195b7d3630a81ecaf77df4fd42c834c7a6903e

SHA256
61ac2c7fe1ae2088207f85bf9a3fa97bc0c5225f3f03ad916916ff3e7762e4e3

SHA512
6a1ea3d0d0de48d3fa4708a541e563faf1f86e04d5423aaab5fbc29c17b4c4471b7fddb6f63252712e6188c426f0f7d47712725de04e2e75a62580447c3a8192

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AFC.tmp

Filesize
5KB

MD5
f159c490f75dadc1ff6061cfc43c0cb7

SHA1
bf0e9e316556d2bb7f4e5b4825be8a36b471aa47

SHA256
5b56edfdb6a4abc192cf45586ea934261f6c9ab9c065987a989235a520ca653e

SHA512
db85c8052f77859022f54d45182be3191d7d65f7c4b3f04a71d5f4516141d0d339896361808373d2647bf28db682128367e2ec3d2eeee87872053791ef74575d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B69.tmp

Filesize
5KB

MD5
2ec804cac833deb67b463baac18a2588

SHA1
8c0d5d26167119cadbc454206885582f41a6a5d6

SHA256
b93703e0056a969f9bfd2b5358bb0b5391c2a5e5043f8e2d0741e833293ef973

SHA512
8c2bd5bc2deb9b006b0aef46645ba1c77610b0a3bbdc7fc1ab8fe20c93b2c5e422519c1b6243d6afaa6da67f4ecbfbe8539ac33493efa23b97528412475e60c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BF6.tmp

Filesize
5KB

MD5
a46ee46f5c4a3a41188308a47f4e0129

SHA1
ba0bc6d7cb28210b2ff23451c7d601bfbaed9984

SHA256
59d1c99319bb345088d05dc5c25e54f1047107aea065c9b12c9d3c75a078c7a8

SHA512
d7af27df08ab1bc640d8dafec2951aa9887ad38e58613598aa41c5b54bc2b340a0842d685f03fd0a25496500e9a14171dddeaecd15b16073997f0fa8a9972562

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CC1.tmp

Filesize
5KB

MD5
434d2ddb2305f21ec4aa866a91deaa01

SHA1
b2365ada9eb0badc9194eddef5d611d1d4233204

SHA256
47954e1d2655839010809819c470f3a750f99ea976ce39472b1044fb3c394721

SHA512
12f703feebda43a881719777ca780782e5cdf278e4927182dab27d76dade93869d57e4f56d6deaaeef8a92bda620f05b04f0932378038c8bcfd9410fb426212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3D3E.tmp

Filesize
5KB

MD5
0d4105ad15259a2a81958d5426daa221

SHA1
49f81d784edecb9d8990504dd3878992f2eee318

SHA256
b85ab24a576dc55247c724f43ce11a97ffe365539bc178b9f05e8f54176f693b

SHA512
a58621b7f4bc7cc30c34adc5cf8fcfdd19e37a3a196649e7e6f1cfdb5653f3c5e13021863c00383998e527997a9b885d47b27771d55b7e5d07797eb7cb73a357

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3DAB.tmp

Filesize
5KB

MD5
bc8d13e8d0cd88c0571786569f84bfd4

SHA1
89cc96c81460204be6cfbf6a5ce4edc561ea4bdf

SHA256
dc5c0c6a7cccb61520fab99515fadc538af971cb3882dab43706a93e455c024f

SHA512
d1eae2e5a9f60d807220e3624344c247c642a9c588ff4a20d080977dc1b953c62d89aa2498412b766eca2c0eeddc86931a6b1a363e045b2af1e7be458bdcff10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehnqzi4p.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehnqzi4p.cmdline

Filesize
261B

MD5
c43f81069eddd31b16a2d30d0d6fc0f5

SHA1
c9f83a09aa0d04eb0001597d88a6e31c8dacb4a6

SHA256
0484f6a065342d38bca2635b346b34fd1cf8b6e3984e7e0fa639814bd1a03065

SHA512
848e4cfd8f138bafe5acd1bea18ac27a7c0063d5bfa8fae7fe1aad02cf36dd1e7e9cf5bb285d164d42fb626f68c27b8b984f6d69b8c78d3dfd00c997a87d74b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvv3in52.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvv3in52.cmdline

Filesize
267B

MD5
03f91a45f01754c7cb0f0a829bb22fe2

SHA1
3827efb69580a3f7d12807cdcd9e43980f492688

SHA256
af4625cf8a9f0dea9bd3b515505181a919f9aed96ae876b68d307f64adf51b3a

SHA512
bf2ded65e8d651cdf93303900ec8efb799cf22bc23dca19e1a869cc2a4ab51c6910b5a6dff8aac6cf5df90a9308b9c907d286dc082ab31354c73b1a086137e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqyb7d1t.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqyb7d1t.cmdline

Filesize
253B

MD5
cb808774a4b3629f558a9d7596026efe

SHA1
0eac349533207e69c2ea180f7b96d33095374256

SHA256
9561d0cc5e1d6666794df02c1df8ec6d13b55186548c356776f3b0b69d564fdf

SHA512
ac4b0369dbb407282f9628a58a429b86b038cdfb05bc409515ee33905149eeaf9083f340e972dc8bba95f0d4f4a7989b9d42f7864d43302f60d4b4668da5a128

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylr-fdn.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylr-fdn.cmdline

Filesize
267B

MD5
bb35b883c0fa72603cb5b31b7fc066a2

SHA1
dd136566948da15d3bf1d522f3fb4cda859e6da6

SHA256
8e7c896a4fdbd2cc01e1355123b9bd76c66dbc15bcf0cf6c0ed9010d858b8c8a

SHA512
c24f27d8d675b2536cb876cc959a2df3d3c94e17c1d66c9e3364e92dbcea4bc235ccd0d3f3b965b622a833a1bdd2e5a3dee34c74438fdb892ed2672fe565a282

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjx6_3bk.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjx6_3bk.cmdline

Filesize
253B

MD5
e95895652a3e8ba7b380fd76ae827fe7

SHA1
a65fabd9f3248cee59a2b356fbc1e4eab4009468

SHA256
fb3da12a3fe136163e52401e0d413634f731d350251fd29a6307bd64ea7939ec

SHA512
2589c03c4fd39d487dc5da0a83cff3b55913a9c5d68d17829a406a7ecde56fef7a80cac2f3360aa44cc068c89000c5cbe47a55dd4dff93580115c9fb8347cfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1FB67435FEF64880A7CCB5A40912683.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35D466D9F5A84DB186CB7D853F7EA5D4.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3906D0C1199840309D1FDDF9581C84.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc62DC61DAA6444446945FD443DCF9B3EF.TMP

Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0C4DB1FCC064DF39B55BD792736CC2.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB44379243E76427E98EB491D84A08074.TMP

Filesize
5KB

MD5
d0700df86922f8822ee8cf4dc28769af

SHA1
80c24d2ad4d0add576cc97c608644dfdf9d0444e

SHA256
ff1ca342c6c1c86e58276a9c7a36e06cc300c8a566a57dc6e62831dc3d84c3ef

SHA512
721eae27ddee0305b5b5a07a8c8c2cacc2e44e11f032597d74d78e8979bddc51b74e4c1f700e74baff9eec4cf064bf97e58936ab6d69541f3a609c19f4dd7b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFE65B0363ECB49F38E2BE3FF461A8E6E.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkdeqovb.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkdeqovb.cmdline

Filesize
261B

MD5
8a2417182dfb6b0f9ae739af03d6196a

SHA1
a870561288c2ff2a5ce12ac903383585be7acfd7

SHA256
83508c12723c89a942648689be8d1c6e9a750cb14650e8c1f45fbafe34f5b38a

SHA512
77e03e71b93577131af365abd4574f598a93a0e13db29becc52f9c4e012553d8e991963f084e464f031ecda11cd347baa04f4d6e2fb283145e73478558e35e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9mgk3ox.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9mgk3ox.cmdline

Filesize
224B

MD5
999ef174678dec37d0d06a5bb7ab9c8c

SHA1
13b044d488ff6ea7d5deae30a7abe544eca60b7e

SHA256
0a4b43322329e57b6ee725fab2a7fa3135758ddc1aa52ed7389199fdeeb46425

SHA512
c81b81b8b19d68fcd6a7ab377f15459eb3f4341e45f5449124f59b1c6d66239f99d326893b931c4c21c460c49959a4de24dc2794cb33a4f8919d867ac9698f83

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 121870.crdownload

Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 359234.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 433524.crdownload

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549925.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549925.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 588555.crdownload

Filesize
125KB

MD5
ea534626d73f9eb0e134de9885054892

SHA1
ab03e674b407aecf29c907b39717dec004843b13

SHA256
322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

SHA512
c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 663136.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 699489.crdownload

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 7975.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 837099.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 900644.crdownload

Filesize
1.1MB

MD5
f0a661d33aac3a3ce0c38c89bec52f89

SHA1
709d6465793675208f22f779f9e070ed31d81e61

SHA256
c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a

SHA512
57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

Download Submit
memory/1040-541-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1488-1067-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1488-1069-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1952-537-0x000000001B910000-0x000000001B9B6000-memory.dmp

Filesize
664KB

Download
memory/1952-536-0x000000001BEA0000-0x000000001C36E000-memory.dmp

Filesize
4.8MB

Download
memory/1952-538-0x000000001C480000-0x000000001C4E2000-memory.dmp

Filesize
392KB

Download
memory/2820-540-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4212-1581-0x0000000000BF0000-0x0000000000C62000-memory.dmp

Filesize
456KB

Download
memory/4212-1582-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/4212-1586-0x0000000005780000-0x00000000057D6000-memory.dmp

Filesize
344KB

Download
memory/4212-1585-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4212-1584-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/4212-1583-0x0000000005E60000-0x0000000006406000-memory.dmp

Filesize
5.6MB

Download
memory/4512-1500-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/4512-1506-0x00007FF8E6610000-0x00007FF8E675F000-memory.dmp

Filesize
1.3MB

Download
memory/4512-1508-0x000000001D420000-0x000000001D948000-memory.dmp

Filesize
5.2MB

Download
memory/4512-1507-0x000000001CD20000-0x000000001CEE2000-memory.dmp

Filesize
1.8MB

Download
memory/4836-1379-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4836-1389-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download