Analysis Overview
Threat Level: Known bad
The file https://wearedevs.net/d/Nihon was found to be: Known bad.
Malicious Activity Summary
Njrat family
Crimsonrat family
Warzonerat family
WarzoneRat, AveMaria
CrimsonRAT main payload
njRAT/Bladabindi
CrimsonRat
ReZer0 packer
Warzone RAT payload
Downloads MZ/PE file
Modifies Windows Firewall
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Unsecured Credentials: Credentials In Files
Reads data files stored by FTP clients
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-12-14 19:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-14 19:47
Reported: 2024-12-14 19:50
Platform: win10v2004-20241007-en
Max time kernel: 209s
Max time network: 211s
Command Line
Signatures
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Njrat family
WarzoneRat, AveMaria
Warzonerat family
njRAT/Bladabindi
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | C:\Users\Admin\Downloads\NJRat.exe | N/A |
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat" | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat" | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 928 set thread context of 2372 | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 1144 set thread context of 1004 | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 5012 set thread context of 3260 | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\WarzoneRAT.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\NJRat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 732203.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 283797.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 196010.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 979983.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\VanToM-Rat.bat | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://wearedevs.net/d/Nihon
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff94ef946f8,0x7ff94ef94708,0x7ff94ef94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6104 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 /prefetch:8
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,13472538804876894809,557911775836095980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4476 -ip 4476
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBCF.tmp"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1120
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA85.tmp"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB21.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
Files