warzonerat | hxxp://v

Analysis

max time kernel
129s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://v

Score

10^/10

warzonerat discovery infostealer rat rezer0

Malware Config

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4492-891-0x0000000005C60000-0x0000000005C88000-memory.dmp	rezer0

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/548-898-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/548-900-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WarzoneRAT (1).exe

Executes dropped EXE 30 IoCs

pid	Process
4492	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1592	WarzoneRAT (1).exe
3312	WarzoneRAT (1).exe
4668	WarzoneRAT (1).exe
5068	WarzoneRAT (1).exe
4512	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
4996	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
2000	WarzoneRAT (1).exe
4004	WarzoneRAT (1).exe
4464	WarzoneRAT (1).exe
928	WarzoneRAT (1).exe
4424	WarzoneRAT (1).exe
4472	WarzoneRAT (1).exe
3680	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
468	WarzoneRAT (1).exe
2812	WarzoneRAT (1).exe
2940	WarzoneRAT (1).exe
4744	WarzoneRAT (1).exe
4360	WarzoneRAT (1).exe
3984	WarzoneRAT (1).exe
4972	WarzoneRAT (1).exe
516	WarzoneRAT (1).exe
4464	WarzoneRAT (1).exe
4472	WarzoneRAT (1).exe
3096	WarzoneRAT (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
168	raw.githubusercontent.com
169	raw.githubusercontent.com

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 548	4492	WarzoneRAT (1).exe	144
PID 1704 set thread context of 5072	1704	WarzoneRAT (1).exe	150
PID 1592 set thread context of 1648	1592	WarzoneRAT (1).exe	155
PID 3312 set thread context of 4520	3312	WarzoneRAT (1).exe	158
PID 4668 set thread context of 3812	4668	WarzoneRAT (1).exe	166
PID 5068 set thread context of 1016	5068	WarzoneRAT (1).exe	170
PID 4512 set thread context of 4140	4512	WarzoneRAT (1).exe	174
PID 3316 set thread context of 2280	3316	WarzoneRAT (1).exe	179
PID 3944 set thread context of 1548	3944	WarzoneRAT (1).exe	187
PID 4996 set thread context of 3492	4996	WarzoneRAT (1).exe	216
PID 4780 set thread context of 1648	4780	WarzoneRAT (1).exe	217
PID 2000 set thread context of 3112	2000	WarzoneRAT (1).exe	220
PID 4004 set thread context of 3680	4004	WarzoneRAT (1).exe	221
PID 4464 set thread context of 748	4464	WarzoneRAT (1).exe	207
PID 928 set thread context of 1012	928	WarzoneRAT (1).exe	212
PID 4424 set thread context of 1648	4424	WarzoneRAT (1).exe	367
PID 4472 set thread context of 3112	4472	WarzoneRAT (1).exe	374
PID 3680 set thread context of 2000	3680	WarzoneRAT (1).exe	229
PID 4780 set thread context of 3312	4780	WarzoneRAT (1).exe	232
PID 468 set thread context of 2876	468	WarzoneRAT (1).exe	236
PID 2812 set thread context of 1796	2812	WarzoneRAT (1).exe	240
PID 2940 set thread context of 4060	2940	WarzoneRAT (1).exe	247
PID 4744 set thread context of 4512	4744	WarzoneRAT (1).exe	409
PID 4360 set thread context of 8	4360	WarzoneRAT (1).exe	253
PID 3984 set thread context of 4668	3984	WarzoneRAT (1).exe	357
PID 4972 set thread context of 1440	4972	WarzoneRAT (1).exe	262
PID 516 set thread context of 928	516	WarzoneRAT (1).exe	265
PID 4464 set thread context of 1076	4464	WarzoneRAT (1).exe	271

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 629238.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 18393.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT (1).exe

Scheduled Task/Job: Scheduled Task 1 TTPs 62 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1960	schtasks.exe
5060	schtasks.exe
2088	schtasks.exe
2656	schtasks.exe
2224	schtasks.exe
4212	schtasks.exe
2632	schtasks.exe
3912	schtasks.exe
1752	schtasks.exe
2916	schtasks.exe
1332	schtasks.exe
2916	schtasks.exe
2916	schtasks.exe
992	schtasks.exe
2480	schtasks.exe
4880	schtasks.exe
3076	schtasks.exe
2656	schtasks.exe
4668	schtasks.exe
3128	schtasks.exe
4532	schtasks.exe
4024	schtasks.exe
3096	schtasks.exe
3060	schtasks.exe
1512	schtasks.exe
512	schtasks.exe
4212	schtasks.exe
4880	schtasks.exe
4088	schtasks.exe
928	schtasks.exe
4660	schtasks.exe
3192	schtasks.exe
1308	schtasks.exe
4332	schtasks.exe
3316	schtasks.exe
2028	schtasks.exe
1152	schtasks.exe
1916	schtasks.exe
5068	schtasks.exe
1332	schtasks.exe
396	schtasks.exe
2028	schtasks.exe
1916	schtasks.exe
3312	schtasks.exe
1840	schtasks.exe
2136	schtasks.exe
2880	schtasks.exe
4512	schtasks.exe
2876	schtasks.exe
3496	schtasks.exe
4996	schtasks.exe
5056	schtasks.exe
4512	schtasks.exe
5048	schtasks.exe
4420	schtasks.exe
4228	schtasks.exe
2940	schtasks.exe
4780	schtasks.exe
2880	schtasks.exe
2884	schtasks.exe
1332	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
2768	msedge.exe
2768	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
3680	msedge.exe
3680	msedge.exe
4492	WarzoneRAT (1).exe
4492	WarzoneRAT (1).exe
4492	WarzoneRAT (1).exe
4492	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1704	WarzoneRAT (1).exe
1592	WarzoneRAT (1).exe
1592	WarzoneRAT (1).exe
1592	WarzoneRAT (1).exe
1592	WarzoneRAT (1).exe
3312	WarzoneRAT (1).exe
3312	WarzoneRAT (1).exe
3312	WarzoneRAT (1).exe
3312	WarzoneRAT (1).exe
4668	WarzoneRAT (1).exe
4668	WarzoneRAT (1).exe
4668	WarzoneRAT (1).exe
4668	WarzoneRAT (1).exe
5068	WarzoneRAT (1).exe
5068	WarzoneRAT (1).exe
5068	WarzoneRAT (1).exe
5068	WarzoneRAT (1).exe
4512	WarzoneRAT (1).exe
4512	WarzoneRAT (1).exe
4512	WarzoneRAT (1).exe
4512	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
4996	WarzoneRAT (1).exe
4996	WarzoneRAT (1).exe
4996	WarzoneRAT (1).exe
4996	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
3316	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
4780	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe
3944	WarzoneRAT (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	WarzoneRAT (1).exe
Token: SeDebugPrivilege	1704	WarzoneRAT (1).exe
Token: SeDebugPrivilege	1592	WarzoneRAT (1).exe
Token: SeDebugPrivilege	3312	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4668	WarzoneRAT (1).exe
Token: SeDebugPrivilege	5068	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4512	WarzoneRAT (1).exe
Token: SeDebugPrivilege	3316	WarzoneRAT (1).exe
Token: SeDebugPrivilege	3944	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4996	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4780	WarzoneRAT (1).exe
Token: SeDebugPrivilege	2000	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4004	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4464	WarzoneRAT (1).exe
Token: SeDebugPrivilege	928	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4424	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4472	WarzoneRAT (1).exe
Token: SeDebugPrivilege	3680	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4780	WarzoneRAT (1).exe
Token: SeDebugPrivilege	468	WarzoneRAT (1).exe
Token: SeDebugPrivilege	2812	WarzoneRAT (1).exe
Token: SeDebugPrivilege	2940	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4744	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4360	WarzoneRAT (1).exe
Token: SeDebugPrivilege	3984	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4972	WarzoneRAT (1).exe
Token: SeDebugPrivilege	516	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4464	WarzoneRAT (1).exe
Token: SeDebugPrivilege	4472	WarzoneRAT (1).exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2320	2768	msedge.exe	83
PID 2768 wrote to memory of 2320	2768	msedge.exe	83
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4124	2768	msedge.exe	84
PID 2768 wrote to memory of 4796	2768	msedge.exe	85
PID 2768 wrote to memory of 4796	2768	msedge.exe	85
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86
PID 2768 wrote to memory of 224	2768	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://v
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebdd546f8,0x7ffebdd54708,0x7ffebdd54718
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7540 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BD2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3060
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6538.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
  2⤵
  PID:3468
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D08.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1648
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DC4.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73A0.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3812
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73EE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp749A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4140
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7565.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7620.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76AD.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3492
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7768.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1648
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp790E.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=3116,8012537474836254511,2758995317730297627,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6444 /prefetch:2
  2⤵
  PID:3924
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FC5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8052.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1012
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81E8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4880
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8543.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2000
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85B1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3076
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp865D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86E9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8795.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1840
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4060
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8822.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp891C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9948.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9996.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1440
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A42.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:928
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D7E.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1076
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4640
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9ED6.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5048
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F92.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:384
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA03E.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4792
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3264
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA195.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4328
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1F3.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3788
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA2DD.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2880
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA399.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4880
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA454.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4532
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2016
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA57D.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1152
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5FA.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3932
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6D5.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3220
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA771.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:872
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA82D.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1772
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8E8.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:800
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD3E.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4888
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpADDA.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1564
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAED4.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:468
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF70.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2632
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3264
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB04B.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1512
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB106.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2224
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1D2.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4024
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4612
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2AC.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3112
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB339.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4004
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB55C.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:800
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB608.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4880
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6C3.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3612
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB79E.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:208
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB82B.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4768
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC00A.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:384
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC068.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4756
- C:\Users\Admin\Downloads\WarzoneRAT (1).exe
  "C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC143.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4464

C:\Users\Admin\Downloads\WarzoneRAT (1).exe
"C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
1⤵
PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE41.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:748

C:\Users\Admin\Downloads\WarzoneRAT (1).exe
"C:\Users\Admin\Downloads\WarzoneRAT (1).exe"
1⤵
PID:2704
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7A7.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT (1).exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
68KB

MD5
a8341ca73b534f205f2d0b374ac19435

SHA1
bcada16644b1f906d8af52524cf4270144055fdf

SHA256
8598b733a6c0efe8bd5df94d41cc6e802295c5cd21311f565bb3aa5976a4515a

SHA512
b73e0fcafddf994c3bf40839c8ef3ee277f43d4378b354733e4e316fd735af33ce65f6469f2c5d3165f2a344797445403c8c33e4e4a4ec8a8e8084182d76865d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
70KB

MD5
807dda2eb77b3df60f0d790fb1e4365e

SHA1
e313de651b857963c9ab70154b0074edb0335ef4

SHA256
75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc

SHA512
36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
20KB

MD5
2bb242bfd89e2b49e2b7234045ef7d23

SHA1
845db51ae72e25ccd8895c3915f9c21c6bc98ff1

SHA256
a5fa33ede1b14967d581d664ee1269b65b36603caf7e37ec0de63d72ccd3944a

SHA512
131bdc258e74cdcf284423cd196ccb91cd97a2ac617da20edd895709c3b7570ca2b03a5fe10497acf70ee177534ad0ec7eec1843ec1fb366b622636c3ead092d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
00e79d1e665889f8b5ea0a3cd1c8e34b

SHA1
b6f955f74a0345f6d0cdacc70f19f984025baa9d

SHA256
c5ec3d1b21099bddf7d401069df1f68aad2d0aec58373a6fafb306de9befcea5

SHA512
32072b29811026c54c89b308bc1760cbf71e19ef8372d72aa37bec9c8896a44669fd9aefbce8740a208781476383d371a560b92ce97d9b01a67a11923886db68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
bbe8abcd3d7cddaeffb7e33a1038dc99

SHA1
f14ffbeef60d6fa1545f3b40bcaea5520ded8cec

SHA256
592219698c11d2176c5f6e678931fbf20e37177c7b1f6b8265672fa5f074835e

SHA512
c2d80b1e33d9f8394cd3e7589ea0c055338b0fe1cc1efa23cab1cff3468f3634ae424bfca403878f32649fd7a751ad8b3be13a8eadb77d510f8feb09e24a6a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9c6c1f8f305878cb0e1899446b68ee7b

SHA1
e394b1eadcf3d8af807d189db16e2cc408efc1d7

SHA256
2572aa380eef7228c99c0af3f6116e9748c32d041849432d03d5c50715fcb71a

SHA512
59758bdf9d21dffc2838d4360f83af87af2b3073d2b645002f177a0f1f9fa2df36a81830d489cb144a748b478998e6eeb993a575d9d94a86202e56e3a02239d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5752a7780468046b1e69ceb5bb28590c

SHA1
fb12cc64ca480aa8e9ae46fbc2a3a50e8b8b9d5c

SHA256
986db820912fbc36bc17197a8793a0da2c8d0d24ae806f9cd01d81d94c48b087

SHA512
28af9ab7e39138f23cc9de04afd73eeb06c8bbc7144690744305776b1195b1073818912709eeb0675f92a08ea4a09952ca56a60a1b1968fa217f81b2d203d22f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
46e370c630ccf26345810b73139c7624

SHA1
0a96b5f5629f0d6df14375c8e70f2da29829eb1d

SHA256
dd591c37b6b7d5bd77655198ff77a3fdcaf564a61a7943dfcb68afad39df3b11

SHA512
1d5726764aafb01431ea32edff43310b755e02d1d4a266971f36a9952314f3f49f81b1e15666e05d75774d39e320b1f17e00947b30dabfb454eff0654959c4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
713fd180ceae26f9fde37c0f4f9f1743

SHA1
a01b00db3863a141f6acc7b5f0644fb0b023edc2

SHA256
fda4510cb81912bbc3a2ea383d7260eeba2f2562a392dfb80651705b08932aa8

SHA512
2cc237a2e726c217871f3c2d6b5ff9b040fb1112e70062580a0a0ef0a49340f82cf50b2e0b3a9bf6fe8871cf327cc2e3244a1f4475f307e6ec796b705f04adf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ae753488f7510603bc3159f523a3dfb6

SHA1
8a99bbe4a022fa40737a442bc5e18040ff448cbc

SHA256
f6f03d9d1e2c4aada30d70524d869e9706f0970f01723bda793933555f548e4e

SHA512
cc9f2ff1dd8bbfe8fe05657d38beaa94cd6c8b031db59e45e1fcac147afdca18b9ad401283f946f5572f753c261b32c750e10df0fea1aa7c0e694c2614ce3e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f7fa06796d47083bae040d4d7d60dfa0

SHA1
ecc1d157f70d8a910e388e29d33a5a2b9abab529

SHA256
f849cec9a7045e05145bb62da0544b3d9452085281d024cdcb543ae449ec3d74

SHA512
acfac7d5b4f39cb9c2da9686f3e43cf6015caf92a513a278f62712a8856dfabcadc73a9469b0c5df0856b4ac41dc3b145c4f18b35a6a44821b5d915e751e8286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec1ce63ffa37bdf55ddd87ed0f1b1ed0

SHA1
9ffd300ea99c295b76a8c958d014b462fff615c8

SHA256
66a08597817cf9db0811d964042bc66cf09db022eabe66f902545f0db2ca24e8

SHA512
b662d5ad8371ee1f56bd129afcb35363fe16c74a836e65598d975230188f2826ce4576406290585ac8c0394500729179ad9fae6e1bc02867f4c00e559fc49734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9cd3bb6dbf54e8698c8ea12eeec585e

SHA1
5d84f8f231bf94c4250255e8e8f2e3de14cff5d6

SHA256
48697a1d88c00f4cab42fa3fa0fb48fb07a71fbe008dde6a433132a29fea5f28

SHA512
ce52c6d4b69d5e2cd169b01d1bda599b4196c296d7c6f44985f7b41d51ed8387b7f42cd0df35b878d418c8297b8807da703c5c0d721df4b8916f3855c419cfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2cbd6427a7e119026bc51c1ec6bb0d73

SHA1
c2cf131ef4d304703e63cb7827ead5e011d3a543

SHA256
804fd1647dd660777354907e42fbd79308a4c25d975f690a84a958aad2cdca7a

SHA512
db190313241b24f21777b00b5d254ad11bf2db30c2e7e0d310e912de2d8f033d6c86f3ff5e8fcecdb5131881d83e0c630c628f0fd32d2c904565b8719b8c8f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80f3cc108f59c712e5e64f7ac7e7f7c2

SHA1
8bc7300fe13f6ab4c5bc1832c1384f2c4c252370

SHA256
770d041fb2e03879bed2952727776e489cdc293ede6c9cfbacfe04a00ff3b8b9

SHA512
67f52c3daa9873f3a31e4e01845092541e3c094a26f73b1fcf96a5b4994a3dd74d63f1f58f4a8ff0f6df3e41c0c46d5648e54c542a243b3fc3092ae19ace9b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
71a9951700092f8a6952d088a0affe61

SHA1
bab981d47c9bfa65e10e38a266498a4b38872ca9

SHA256
d2524542df370018d349171e19b685678fc8516fad2b59a09d58cdc55728862b

SHA512
542d781c81171bf3f765fb45afad767edb0f72ff65441df396aae9fd1882f3b11bdb05cb79108c06262f02cf70bffe940351c28eced2f9bc3bb1ada15f3d35e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f3f2a298bd9a930a2f858ce8d1a1de0d

SHA1
5549d4b37bdb901d4eaa8cf12796c7fb0fb7d4b9

SHA256
155288cb820cca32cc2732bf24fbfb52989a9af1f2cdda159a22c84d23ac7bb4

SHA512
b29fa2336f56c7372330e127497af9395ada1cada1189223ca869569dc0e4fcec272b7cd290ddc626d2ec85e477906365039d91ac3ff9369de9a02d4fa8d5bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
93c31b7ed4c24448c6499302c6543e6b

SHA1
91c7a9dda0a8dfd0b8911f94a3ed16129c45fcd2

SHA256
7e514692fcf58781446ebb22cc1dcebdca2dd4a3599de8feeb596b1f704dffe3

SHA512
0f09c6de6f1c8215abd90770047c36e9340d11e4d2d1ca2fe14372dfd1b8982d008c3fb0c9c2f438365ee767a43bf1c9f48a4d7b74e240d1a05a8762114f9f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c59c9f93da4f3b07cc34e0df653ac364

SHA1
7ad832f4152dfc1e352ec11bd888f881576506ea

SHA256
a16951cf0e5835636be975a850baf8b892ebff241f4032e298fa95737f03ee05

SHA512
c54662e56935e0c500e531a798ed55b8db9c4c82b9dbceded1c29230c40f478fb2b262177f2f3797c4133852fb653c52ae6a15372cf7d6d9ffc65ee69aff5a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c195939722902d0a1e70de5d31d2d20c

SHA1
3ef307aa76db88981069c12fc6b8513c1713c745

SHA256
251f43c1ab08f223d6303849a8a72c187ec0474731ad4051333c0d01d5c2ba9c

SHA512
6f8bf6e5dba8024c4e7ca72c96990a10616ff20ecf9169ddd5b3c5b1812e51e22635d2cd933e3f857c197fc9198fa332f9f4ce94390c7cdd6efd5f7d7c8c6bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a5af78d4cae3e61ae86a304752e4702

SHA1
63ecd69b227f4f2674d973bdf4a587c060b2db46

SHA256
bab2e54a6232ab8110bfc5dbd20191ef0b4a3e456e29adc2ab08ef05c95f6267

SHA512
5b8ca5a25c7e251b3a5b88d0c435837f94ee1a4e862cc455f59ef7997b95d8a64e5b39f95f91455cc072f18253ea986ce65513432d5800d5d21f07c338912c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581596.TMP

Filesize
1KB

MD5
da025c5c936472ac5048b31bbf20efb8

SHA1
fbacaa5582ad1291994a04aa34d9442ee205f15a

SHA256
a61597623b143bd84c9c8d54b8fec3c82a8a2d81c62b80bf77e87d90b4253f67

SHA512
a36db3e21a68a112e81f13f47bac416c9b4d3545719273bd487e7eb5f44acb7ac27e84562d00e62636501f919aaa4ab3427db0c805d04863374c565d99941933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f4d1980914f593b196ab7c4abc1d564

SHA1
778a894ca3cf9859086cb9fb66229e0e3cbf5856

SHA256
ec344576229584cade3116e195a185fb70e7555f01e8e8b698d771e5eff0d9fe

SHA512
7c9b4113d81ad8d959e680c459c49ed97bdf35954cb96ceb5d3ed6939c651e9284d3c4c320ac53b11de6de2c46828369cf13109669a0869ab3454294b3b66099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba7362d709e2f9a500db59d75c304903

SHA1
893363022391916c95ef694ab3c86b4c83c57dba

SHA256
b0ce81e5b1fcf3940e340edc4a9819e38ad3fc06169605576d1ea25e115c582f

SHA512
ee8f5903e4ebc9694a3330b0f7d45118c00a0824a06ac6808a619e8a0769d526d984167b04c1948c6a237d0fb0d6e1d8eb2dbb8c19a9bc3a835faa88cd2891ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4adcf08e33e1fa13a6b968fe9d94603a

SHA1
359817aed3365a916f094f73748c952812bc2f6e

SHA256
d5e48db898167ff0c69b47dc811c9ecb9e33fef1cd0023e68bf51edb73b64775

SHA512
b884b7d9072fa34fcc25b51e9d301190f2a3b6f2b9c555781e899359216c6ad3e61aa947be7979b641dc175c06077343340987a02e695b15c683927659d264b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5BD2.tmp

Filesize
1KB

MD5
8012ef52233d0a09515ebe33f9531a2b

SHA1
94b109f4968335643329d91ca25c9c407377d3ba

SHA256
28d6a470f4a2711bef60e7096fffb7577a06bae1e3f8f186725abc85d86ff924

SHA512
9e5846cd762423383f527799e636c28fa112867e4fae5c2699f1081d613076be44ff782ea69c3e5f26d784d9994a340089baa542cdc90b64877e9c684f87c109

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 629238.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
memory/548-900-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/548-898-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/4492-887-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/4492-891-0x0000000005C60000-0x0000000005C88000-memory.dmp

Filesize
160KB

Download
memory/4492-890-0x0000000005D00000-0x0000000005D9C000-memory.dmp

Filesize
624KB

Download
memory/4492-889-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/4492-888-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/4492-886-0x0000000000520000-0x0000000000576000-memory.dmp

Filesize
344KB

Download