Malware Analysis Report

2025-05-05 22:33

Sample ID 241224-a7m8eawrhs
Target https://t.me/RELabDiscussion/30886
Tags
asyncrat default defense_evasion discovery evasion rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://t.me/RELabDiscussion/30886 was found to be: Known bad.

Malicious Activity Summary

asyncrat default defense_evasion discovery evasion rat themida trojan

AsyncRat

Asyncrat family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Checks installed software on the system

Drops desktop.ini file(s)

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Subvert Trust Controls: Mark-of-the-Web Bypass

Enumerates physical storage devices

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-24 00:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 00:51

Reported

2024-12-24 01:09

Platform

win11-20241023-en

Max time kernel

1050s

Max time network

1079s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://t.me/RELabDiscussion/30886

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp N/A

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "252771844" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31151523" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\NodeSlot = "10" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0 = 7e00310000000000ba563294100056454e4f4d527e312e3328530000620009000400efbe98593a0898593c082e00000011b102000000170000000000000000000000000000007b4b0701560065006e006f006d005200410054002000760036002e0030002e0033002000280053004f005500520043004500290000001c000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 800031000000000098593a08100056454e4f4d527e312e33285f0000640009000400efbe98593a0898593a082e00000075ae020000001a000000000000000000000000000000e6977800560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000005759f6711100557365727300640009000400efbec5522d60985970062e0000006c0500000000010000000000000000003a00000000004a924b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 840031000000000098593a081100444f574e4c4f7e3100006c0009000400efbe5759f67198593b082e0000003b570200000001000000000000000000420000000000e697780044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tonsite C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\tdesktop.tonsite\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 8000310000000000f656fa46100056454e4f4d527e312e33285f0000640009000400efbe98593a0898593a082e00000010b10200000017000000000000000000000000000000805a0f00560065006e006f006d005200410054002000760036002e0030002e003300200028002b0053004f005500520043004500290000001c000000 C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Telegram Desktop\Craxs Rat v5.1 + Loader.7z:Zone.Identifier C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File created C:\Users\Admin\Downloads\Telegram Desktop\VenomRAT v6.0.3 (+SOURCE).7z:Zone.Identifier C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 217847.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A
N/A N/A C:\Users\Admin\Downloads\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\rat.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe N/A
N/A N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe N/A
N/A N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe N/A
N/A N/A C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A
N/A N/A C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 2796 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 2796 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://t.me/RELabDiscussion/30886

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdb103cb8,0x7fffdb103cc8,0x7fffdb103cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8

C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe

"C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2G75I.tmp\tsetup-x64.5.9.0.tmp" /SL5="$902B8,45613588,827904,C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,10287724896434070400,10942366322314844046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\" -ad -an -ai#7zMap1040:106:7zEvent22106

C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe

"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe"

C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe

"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"

C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe

"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRatV5.exe"

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\CraxsRat.xml

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\" -ad -an -ai#7zMap24769:110:7zEvent26782

C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe

"C:\Users\Admin\Downloads\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (+SOURCE)\VenomRAT v6.0.3 (SOURCE)\Venom RAT + HVNC + Stealer + Grabber.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Downloads\rat.exe

"C:\Users\Admin\Downloads\rat.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

(The entry above stands for 395 separate cmd.exe instances, listed after rat.exe and OpenWith.exe, every one started with that bare command line and no arguments; the original listing repeats the same two lines 395 times.)
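
The process listing above is long enough that the interesting chains (archive extracted to Downloads, then an executable started from inside it; rat.exe; hundreds of identical cmd.exe launches) are easy to miss when read by eye. The script below is an added example, not part of the sandbox report: it parses the path / command-line layout used on this page and applies three checks an analyst would otherwise do manually. PROCESS_LISTING is a constructed excerpt that mirrors the report's entries, and the spawn-storm threshold of 20 is a tuning assumption.

```python
"""Triage helpers for the 'Processes' listing format used in this report.

Added example, not part of the sandbox report itself. It parses the
path / command-line layout shown above and applies three checks an analyst
would otherwise do by eye:
  1. executables launched from user-writable locations (Downloads, AppData),
  2. executables launched out of a directory that 7-Zip had just extracted into,
  3. spawn storms: one image launched an unusual number of times (cmd.exe here).
PROCESS_LISTING is a constructed excerpt that mirrors the report's entries.
"""
import re
from collections import Counter

# Constructed excerpt in the page's layout: image path, blank line, command line, blank line.
PROCESS_LISTING = r"""
C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe

"C:\Users\Admin\Downloads\tsetup-x64.5.9.0.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\" -ad -an -ai#7zMap1040:106:7zEvent22106

C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe

"C:\Users\Admin\Downloads\Craxs Rat v5.1 + Loader\Craxs Rat v5.1 + Loader\Loader\Loader.exe"

C:\Users\Admin\Downloads\rat.exe

"C:\Users\Admin\Downloads\rat.exe"
"""
# The report lists cmd.exe 395 times with the same bare command line; reproduce that.
CMD_ENTRY = 'C:\\Windows\\System32\\cmd.exe\n\n"C:\\Windows\\System32\\cmd.exe"\n\n'
PROCESS_LISTING += CMD_ENTRY * 395

USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Downloads|AppData\\(Local|Roaming))\\", re.IGNORECASE
)
SEVENZIP_OUTDIR = re.compile(r'-o"([^"]+)"')


def parse_listing(text):
    """Return [(image_path, command_line), ...]; non-blank lines alternate path/cmdline."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing has an unpaired line; expected path/cmdline pairs")
    return list(zip(lines[0::2], lines[1::2]))


def from_user_writable(procs):
    """Images started from a location a standard user can write to."""
    return [image for image, _ in procs if USER_WRITABLE.match(image)]


def run_from_extraction_dirs(procs):
    """Images started from a directory that an earlier 7-Zip 'x -o<dir>' command extracted into."""
    out_dirs, hits = [], []
    for image, cmdline in procs:
        if image.lower().endswith(("\\7zg.exe", "\\7z.exe")):
            m = SEVENZIP_OUTDIR.search(cmdline)
            if m:
                out_dirs.append(m.group(1).rstrip("\\").lower() + "\\")
        elif any(image.lower().startswith(d) for d in out_dirs):
            hits.append(image)
    return hits


def spawn_storms(procs, threshold=20):
    """Images launched at least `threshold` times; the threshold is a tuning assumption."""
    counts = Counter(image for image, _ in procs)
    return {image: n for image, n in counts.items() if n >= threshold}


def triage(text):
    """Run all three checks over a listing and return one summary dict."""
    procs = parse_listing(text)
    return {
        "process_count": len(procs),
        "user_writable": from_user_writable(procs),
        "from_extraction": run_from_extraction_dirs(procs),
        "spawn_storms": spawn_storms(procs),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESS_LISTING).items():
        print(f"{key}: {value}")
```

The extraction check only fires for images started after the 7-Zip command that created their directory, so the order of the listing matters; feed it the full listing, not a sorted or de-duplicated copy.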

Network

Country Destination Domain Proto   (Domain: name the sandbox recorded for the destination; - = none recorded)
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 desktop.telegram.org tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
N/A 224.0.0.251:5353 - udp
NL 149.154.167.51:443 - tcp
NL 95.161.76.100:443 - tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 - tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.92:443 - tcp
NL 149.154.167.50:443 - tcp
NL 149.154.167.41:443 - tcp
NL 149.154.167.92:80 149.154.167.92 tcp
NL 149.154.167.50:80 149.154.167.50 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
NL 149.154.167.222:443 - tcp
NL 149.154.167.222:80 149.154.167.222 tcp
NL 149.154.166.111:443 - tcp
SG 91.108.56.183:443 - tcp
NL 149.154.166.111:80 149.154.166.111 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
NL 149.154.167.222:443 - tcp
NL 149.154.167.222:80 - tcp
NL 149.154.167.222:443 - tcp
NL 149.154.167.222:80 149.154.167.222 tcp
NL 149.154.166.111:443 - tcp
NL 149.154.166.111:80 149.154.166.111 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.58:80 149.154.175.58 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:80 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
NL 149.154.166.111:443 - tcp
NL 149.154.166.111:80 149.154.166.111 tcp
NL 149.154.166.111:443 - tcp
NL 149.154.166.111:80 149.154.166.111 tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
US 149.154.175.50:80 149.154.175.50 tcp
NL 149.154.167.222:443 - tcp
NL 149.154.167.222:80 149.154.167.222 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
NL 149.154.166.111:443 - tcp
NL 149.154.166.111:80 149.154.166.111 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 - tcp
US 149.154.175.58:443 - tcp
US 149.154.175.50:443 - tcp
NL 149.154.167.222:443 - tcp
SG 91.108.56.183:443 - tcp
US 149.154.175.58:443 - tcp
NL 149.154.167.222:443 - tcp
US 149.154.175.50:443 - tcp
US 149.154.175.58:80 149.154.175.58 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
NL 149.154.167.222:80 149.154.167.222 tcp
US 149.154.175.58:80 149.154.175.58 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
NL 149.154.167.222:80 149.154.167.222 tcp
US 149.154.175.50:80 149.154.175.50 tcp
US 149.154.175.50:80 149.154.175.50 tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:443 - tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 tcp
SG 91.108.56.183:80 tcp
SG 91.108.56.183:443 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
SG 91.108.56.183:443 tcp
SG 91.108.56.183:80 tcp
SG 91.108.56.183:443 tcp
SG 91.108.56.183:80 91.108.56.183 tcp
N/A 127.0.0.1:4449 tcp
N/A 127.0.0.1:4449 tcp
N/A 127.0.0.1:4449 tcp
N/A 127.0.0.1:4449 tcp
N/A 127.0.0.1:4449 tcp
N/A 127.0.0.1:4449 tcp

Files
