crimsonrat | hxxps://wearedevs[.]net/d/Nihon

Analysis

max time kernel
209s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wearedevs.net/d/Nihon

Score

10^/10

crimsonrat njrat warzonerat credential_access discovery evasion infostealer persistence privilege_escalation rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ddb-702.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Njrat family
njrat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/4476-974-0x0000000004FE0000-0x0000000005008000-memory.dmp	rezer0

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2372-979-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/2372-980-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3980	netsh.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	VanToM-Rat.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WarzoneRAT.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 22 IoCs

pid	Process
1392	CrimsonRAT.exe
4676	CrimsonRAT.exe
1292	dlrarhsiva.exe
3260	CrimsonRAT.exe
3952	CrimsonRAT.exe
1076	CrimsonRAT.exe
976	CrimsonRAT.exe
2916	dlrarhsiva.exe
4600	dlrarhsiva.exe
1316	dlrarhsiva.exe
1624	dlrarhsiva.exe
2316	NJRat.exe
4956	NJRat.exe
1416	VanToM-Rat.bat
3544	VanToM-Rat.bat
4116	Server.exe
3932	VanToM-Rat.bat
1736	VanToM-Rat.bat
928	WarzoneRAT.exe
4476	WarzoneRAT.exe
1144	WarzoneRAT.exe
5012	WarzoneRAT.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
172	raw.githubusercontent.com
173	raw.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 2372	928	WarzoneRAT.exe	189
PID 1144 set thread context of 1004	1144	WarzoneRAT.exe	196
PID 5012 set thread context of 3260	5012	WarzoneRAT.exe	197

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3108	4476	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:SmartScreen:$DATA	VanToM-Rat.bat
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 732203.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 283797.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 196010.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 979983.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1112	schtasks.exe
4952	schtasks.exe
2460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3472	msedge.exe
3472	msedge.exe
844	identity_helper.exe
844	identity_helper.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2552	msedge.exe
2552	msedge.exe
1720	msedge.exe
1720	msedge.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe
2316	NJRat.exe
2316	NJRat.exe
2316	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
4956	NJRat.exe
2316	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1416	VanToM-Rat.bat
1736	VanToM-Rat.bat

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	NJRat.exe
Token: SeDebugPrivilege	4956	NJRat.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe
Token: SeDebugPrivilege	928	WarzoneRAT.exe
Token: SeDebugPrivilege	4476	WarzoneRAT.exe
Token: SeDebugPrivilege	1144	WarzoneRAT.exe
Token: SeDebugPrivilege	5012	WarzoneRAT.exe
Token: 33	2316	NJRat.exe
Token: SeIncBasePriorityPrivilege	2316	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3544	VanToM-Rat.bat

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe
3472	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3544	VanToM-Rat.bat
4116	Server.exe
3932	VanToM-Rat.bat

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3332	3472	msedge.exe	83
PID 3472 wrote to memory of 3332	3472	msedge.exe	83
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 4036	3472	msedge.exe	84
PID 3472 wrote to memory of 3196	3472	msedge.exe	85
PID 3472 wrote to memory of 3196	3472	msedge.exe	85
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86
PID 3472 wrote to memory of 2592	3472	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://wearedevs.net/d/Nihon
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff94ef946f8,0x7ff94ef94708,0x7ff94ef94718
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1192 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4676
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1292
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3260
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2916
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3952
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1076
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4600
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:976
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7476 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3980
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7632 /prefetch:8
  2⤵
  PID:1172
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1416
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3544
- - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
    "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4116
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3932
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1948 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  PID:4940
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBCF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1120
    3⤵
    - Program crash
    PID:3108
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA85.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB21.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4476 -ip 4476
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
6475a4afa02878aba743451522eb5e43

SHA1
c0f8d41970f233ab9fb258b06674d1df7bff58a9

SHA256
db13973812c4dd5f62d6885ad06ed9d86f59089de6753752618b32be56d72fc3

SHA512
a016fd71ebd5c38cf4c4f4fcff4d0c555e86ebc201b8da4cd29e5f68162ede89922458495df44b05347ad62c76ee9f82f3147bfce1e5b4bfc5d55332de3119df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5a0c2b4edcdb560b027f42df5844f434

SHA1
8c1fb0fd33d7e88b3d535afa2377319aee9a91a2

SHA256
c5b0df6e39cb65f1f2194c09e82502fe4022dad374aeb19a3581b577bc550b16

SHA512
36fa3d106e5fe653bbd0ae75995f8e9be630bb939973015bbb613e148c537c20bbe8b1dd3e9c6b1a7f36edf21c4636a260c919ea7bcb78ac284538dc4604da2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
cf5a26364ff760c14096d8b3f3cceb41

SHA1
f48d74be37fccc8fbf51d980329fbe4ba7b6f450

SHA256
e15d137747d131093417f928076665562d7977282b843d21d8a775d0246039f7

SHA512
a2a4a1fc12845cc12d7770d60f0eb4c92192983f23f0faae42100f370af22ae418e038880201b22dcffed70c31d425314ba50dcbaf6a0d987d5f573796fb2609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b04a1a9976d7967d038b35eaafc21017

SHA1
4dd7beb67c309a09586a7ab3b3e33bcb851b4d6b

SHA256
00c971b46c7dd40fcc544e9c4a87ab952acfe1ffef1eada6454bc4e77fa6863b

SHA512
c9bdcf624cae1fcc787c9a10db0314ae903ec28c456ca32457cee3a7569b1338eca1f2390192f9a7032b52a94ac3d24c4d56f55f8f854190d734825531809595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
80de552dd16bcd6d5dc06e894024046b

SHA1
bebb221bfedf3cdbbb27d0e0f8485a9a3be881e0

SHA256
055747d4fc52e1aa38bff18d2c6bf15358f7f16ce23d0f71d4fb4013aca7f676

SHA512
268325c8d1098ef4c904d77f84d76ef3e44444cc8edd102fa2283dab0c73ac50ebd0f4e5e4ced0752a8186e34baf4113691be60df63125a0d6ccf349a74be953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1f2108280733a5e7fa2af890f3bcde85

SHA1
ca92d129947920a11b7ab957a100d9d1969794a9

SHA256
fb9280225901e8a3c2e1170ddd8d6dc176b54021e34aec5ce75b4ff52d83b1ac

SHA512
cbd42ef5e3b2aa596f78fb120967a8b3109deeabda4dc83f88f8b7687cee370fc2f2f3e3344415fd25cc63d7ed2ef069e6adcb742148ead29f7bfdb3ea59d3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d66321389ee1163efe286d71c606dae4

SHA1
0f9bd859c78fe070a4eb3d80248a80b288881ea4

SHA256
73be030676b40c4603242350c8b2469ae2062987f460bcfe0940171ab8e32ff5

SHA512
90100b2b9bd99237cf4409ec4ffcd31b15d5990213968869214c7833d17fcf88f19226ee156e82462584949dc1b43209850e3994023363499149d534a8719bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
372bb02148e723dbb09adfd09240f41c

SHA1
4c96817d9b0bf9a836f87dcff7cbaf27afb55369

SHA256
be7dc629e761a0e0855a6b30777dc2f13205b7f41cc041232cb7793cedb093e8

SHA512
85d12d08a0d76e1022b9d314cf863bec2d451dadf6f4428f23ab72138136aba41c344abfeadec071228fcbe292f0c77141535c85330d46acb3ec2f56f7f60f8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
76142e9653e49c58ccfa02182c2ec03e

SHA1
34b79f3246851e65d27f064451993de04bc51946

SHA256
b4ad8ad5ac400532c010e88f788b07cdb5ee10c9287014803435567b296a0f70

SHA512
2e76fe8f1769eabb8a2f34b2b990ce324fb4e14ffd081090d2e6879d66321337fdd48f64e65f9d81b7adca1bd76bfa4d3a8f33ed3f4f9830093342d54e2853ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c63340378b450c4e516402e7b5b3d7d0

SHA1
8bca9656d7bd7ab782d3a8aa01e7d72173700883

SHA256
e00c096977feced37cd0431db56e5e6323bdd385eb8ec80beb4898fb18148a68

SHA512
44eb82f800ee99e73c4a1f0edb74e3ac503957523581d9c6d60b5a1e03fed79092d54588be7d9a676b41412f7746e96be4915ef02709931dc2755d202b27e565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580693.TMP

Filesize
48B

MD5
3a09639f02799eacf95a74f943c6fccc

SHA1
cbfbf55120a7bef28d1f3620e21d1460f9076358

SHA256
c4f60cd9222710a29892f9be656535337230d850de0a28887088e59f52578552

SHA512
f070cb79761ba1014e9b60c7fc759ad68893ff05e116ef615981db398d54f61a1523b06d2fbe97c77dea73e24e74186a3f07a188b5e4d70b608d4ef60a9ecab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
19a537d3358a79d625472c05cc72f007

SHA1
2ede6acaec348c0cd64154fdfa864d574d1473ec

SHA256
91ba7a1c8cbb14f35bdcb072cb75bc8753498dca1f81e985a6dc664b25db998d

SHA512
47e5a42dfa76dd04271356a8b6b7de3d5e63e7ec17e7d34cc4c6fed76d91f0a83bbd3f6e071fea430fe990dbd0ba05060b5fb74d79bae8ff42d9ca91d30a0411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f4fb3f046e3f63fba973b010c83072b9

SHA1
22bc7082950a1d4ca84d4765c709d20f2df0a00a

SHA256
eaca129b67f9addd8a17b64f7d15c72d1540e0f320db3844e66b7dc5333c0698

SHA512
6b75bcc86e8893da175024b0368ea694a3082cd202da7475c02f3f62729b28dd3e8c96bceb97a5210ea0e44ba8d52f7ab627ba74b47bd044d8ae8e6c99075233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0aa94fb8bdb0a20843384d7837991585

SHA1
560eee8ae9110bf5930370ab5ae5d98841fdaa46

SHA256
18e794ebf09cd888b887914acd25df652e04381e4d8ad50013bf022713deb7a2

SHA512
35e955d2b71dec897de43fb04ef8f6f53f5499739a5b061a749ad62256ecabef556a06f24ddaf1806da1531ba3411c8dbcba6a4dff7db41944b72ec2414a64be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
17ae01e63ebaef6954e8eff246160b08

SHA1
6939bbaab668629dca2d4029be810d247f4333e9

SHA256
911ad8cabee32edd6b662ee50c61c495f21fee1557e14d290ebfc2d1d5c073f7

SHA512
e0a98fc6fbb14a3871c3c6b612d0c3e3a59244668f2cd24cfeb331621bb95cbe9c6a85f7a6ed776fe54874b0dff292801bdf83d50b32c4324822cb9615f1f63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1049c0d2bedcd73aa7a4d750f86406ef

SHA1
514c53a2e995ed549328011f52a2f32f2f3e0575

SHA256
c2cc33e5f64efe7be75218f0bd8f4a30b32a7ddb09c2eff36a5460bdcbfdbc92

SHA512
15f94e700d772f11b4d5792a30915ee6ffd64d61002d5d4376a768514b093416b24a5848e991cd746ead3039446a224de3c8f4dfea4fdfb958bda7b4513f3557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d7201dfba14b4283a45ffa644a1bdb5c

SHA1
8166fe9945f8fe9b9a2e7c5ca9597819574947c4

SHA256
2e6ad1ffae49ac20bf18068260e3cbf78af839c3ec8570927987539aed526180

SHA512
0626902c4fd4750b23177fc6058baae9ba2708d7199c898d6e9d26eb910e80a20e52c73c9242364df9b7396823c01f32cc376f63db615ef047dc9bdf156c2666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
386cfd2a4d3f7e39d0cb141f724989f9

SHA1
31888697478299575608a36ef38cd9c657c35412

SHA256
2b5ef0739dc5e72eae79c8323ee1c580c3b753d211c62412f41194b7ecbb6188

SHA512
68ac8bab67c0b2377d4f037952a5e84c1cafcb14aa2544c56f74e21a7356c869b219c67fd2626b01e6ae0b58d9f3f1acf2d2b2499655811e63d57fa6bfdf1a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
51addba6003dfda6deb80aea42492845

SHA1
aa1a12ab2e944d3c5fd9a02cb89642d13a792d38

SHA256
b37b83b0521d0424b7b80dfed27cf8f6c5b6659c2cf4b314c9642ad0e765da63

SHA512
6ec052d4127600fd40257a1744d5d250bbc526ca89ffd5e9ae8905c56733aa19e07a006dabdac809347631d794afdae8f81ebb4d306b9c1c048c6855513c54ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d08be33a660245ca07159b827a7efd63

SHA1
51928ee57ad29c600e5ed36e86df15658f23dd70

SHA256
7df1924f3abf37f33dc7a35e7a7f35f70607ee6e0508271604660081c4063b4b

SHA512
cca4e42e253234940b1a1a96d713cfb8e7c6843451ed1495c43d452232f0f5241329109a3d32817779a83908614b94cc603a5507279547fbb2983b30f559f665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
18c3f5bc41abf0b3ec64ec0b5e09d3a1

SHA1
e3db07fe1dbd0e4bb53c9a67896188934a0f48c3

SHA256
8dd48f45213a574e0623a0e740bdda7b87ace406b979ae041e88b67d60482590

SHA512
4fa5e3a7d867237fa276666e5a4b35151e37b5c867c13ffa6106d822cf3aac2b7d9189ff643fae686df014c02c5766e355dab38cb88e6e81b9eb2d33752b2752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c791.TMP

Filesize
868B

MD5
dd852faa313bd4c08e96d034f8db42b3

SHA1
46ea865a61d99eaac3e592519c0802ff666252b5

SHA256
b9ab666ecc64108ce740fef5a612494085513bf8e5ef4f137d7322867c8f45f4

SHA512
39bd21df79904a1c4c6ab7f32873b97469a5456c5d446b7224b55adad897eb698d4fefed1a52b7a71dca793c1cf06121aab4a884f1ef3fbccd7153acc38f5716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24e1adcf29e1e07f9e2e8fb34f578bc2

SHA1
7cbbe1ed35175175cf1ba606ec4d0c8bf53d3469

SHA256
eaf78bca1bef3d8c5167d066e78eadbff1a0529c469b37e3bb0d3687b3b24293

SHA512
0ddc98af8e10d4aa2431edf9af6a5ecb59446e175dac40276dcef03651e15961a4c85df1d81fa180bde7e031036b66b19ff2e0d91e146d681efd5ce57f1fd5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ce02f7a57ca5942f8d2ca0ccd45e58c

SHA1
7be5598d6e086a785cbefdf639865fb61be1508c

SHA256
096c373556d3c683bc77d6e7d667e7b96014c9d6ef264adae050295118d97eaa

SHA512
da455279f2afc572ce9d15d65af70cccad78882ed9b49dc8b199d0cc97e865d1cd2a23b2297d73061fd74d7bfc70193d6118e58afc4ac4989c15a36963ee6700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
755a3f7b8daac610a0748a47124f663d

SHA1
c6388188080b636c11b6bfe92f154aeb898d532e

SHA256
5969fa5349f3480874bec97a39851344b47a5b21ab05356d6dd3e7b8d4db6629

SHA512
5ad291bee34a7c79e045e22e3b580d804d3031bb79591d01e7e6fafa9997b168d3604e3055006d5b9de71de8d1f8def5208a038d19830ee7ad941bc57f643eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
42d31035799091ecd790aef1811903a3

SHA1
9c6308eb9e0787dd028f9877e6e27113dab8678f

SHA256
d044f3fa472c0d507ba1db16300d206b42209bcd72b21d1621a42c99080d43f8

SHA512
b43352bca386f5c1ec72a5e82cc4ba60feeff21b41c77459ef9e0adf33c1d1a141ccab9db5f3dcf49cdd4355806a8e98302b3d0ddecd69a81e485ea93ad0dd91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
cf83547944dded445bc2d8a5f006ff7f

SHA1
5abc79895446ebc295108311ba7b6471c117d5c6

SHA256
9f0abbaa8c2180cc76779009e81b54dfc91062ea0742fbabd3e3f1abc65e2b11

SHA512
20dd72b8fd40f6174efec490f16800c1679fb3c28119645766dbb1109efd82dea518596757a5432c7bfab17753cc97714995b2a26e83b2f643fa5d328e0246e8

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 196010.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 283797.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 732203.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 979983.crdownload

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
memory/928-973-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/928-969-0x0000000000780000-0x00000000007D6000-memory.dmp

Filesize
344KB

Download
memory/928-970-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/1292-713-0x00000230CC6F0000-0x00000230CD004000-memory.dmp

Filesize
9.1MB

Download
memory/1392-677-0x0000025F4E480000-0x0000025F4E49E000-memory.dmp

Filesize
120KB

Download
memory/1416-894-0x00000000018C0000-0x00000000018C8000-memory.dmp

Filesize
32KB

Download
memory/1416-895-0x000000001CC20000-0x000000001CC6C000-memory.dmp

Filesize
304KB

Download
memory/1416-896-0x000000001EFD0000-0x000000001F2DE000-memory.dmp

Filesize
3.1MB

Download
memory/1416-891-0x00000000018E0000-0x0000000001986000-memory.dmp

Filesize
664KB

Download
memory/2372-980-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2372-979-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3544-893-0x000000001BB00000-0x000000001BB9C000-memory.dmp

Filesize
624KB

Download
memory/3544-892-0x000000001B550000-0x000000001BA1E000-memory.dmp

Filesize
4.8MB

Download
memory/4476-974-0x0000000004FE0000-0x0000000005008000-memory.dmp

Filesize
160KB

Download
memory/4476-972-0x0000000004E40000-0x0000000004E48000-memory.dmp

Filesize
32KB

Download
memory/4476-971-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download