Analysis
-
max time kernel
329s -
max time network
330s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-01-2025 15:45
General
-
Target
http://rmax.site
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
-
Adds policy Run key to start application 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 32 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 20 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 10 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
NTFS ADS 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://rmax.site1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbcbc46f8,0x7ffbbcbc4708,0x7ffbbcbc47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6728 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\OperaGXSetup.exe"C:\Users\Admin\Downloads\OperaGXSetup.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exe --server-tracking-blob=ODhiN2Y5NzZhYjg3ZmU5ZjdhZGNhOWFmZGE0NTk4NDcxYTJmNDBmNDE0NzEwNzY3Y2U3ZjUwYmZkNzc2YWJiYzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9IVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD1lNWQ3YjBlYjEzNjI0ZDcyODNkZGRkMTIwMmEyZWUzMSZodHRwX3JlZmVycmVyPW1pc3NpbmcmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmdXRtX2lkPWU1ZDdiMGViMTM2MjRkNzI4M2RkZGQxMjAyYTJlZTMxJmRsX3Rva2VuPTg0MTYzOTk2IiwidGltZXN0YW1wIjoiMTczNjYxMDM2Ny44MzgzIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzkyLjAuNDUxNS4xMzEgU2FmYXJpLzUzNy4zNiBFZGcvOTIuMC45MDIuNjciLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fR0JfSFZSXzM3MzYiLCJjb250ZW50IjoiMzczNl8iLCJpZCI6ImU1ZDdiMGViMTM2MjRkNzI4M2RkZGQxMjAyYTJlZTMxIiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImNmYmQ3ZGM4LWY3NTUtNDhmOC1hODFlLTVmNDA5NmJiZTRiOSJ93⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.142 --initial-client-data=0x330,0x334,0x338,0x310,0x33c,0x74e8ed4c,0x74e8ed58,0x74e8ed644⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\assistant_installer.exe" --version4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202501111546271\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x6c4f48,0x6c4f58,0x6c4f645⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5912 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20250111154627" --session-guid=d516adfe-35fd-4145-a5ad-b06a9c99919a --server-tracking-blob="YTI5MTU0MzM0MDVmOGQ3OGE4NmI2NjRmZGU2ODc4Mzc1ZGU2N2ZmNjkxYTFjY2ZlYTM4YmM5NGQ0ZTVjNDViNDp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9IVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD1lNWQ3YjBlYjEzNjI0ZDcyODNkZGRkMTIwMmEyZWUzMSZodHRwX3JlZmVycmVyPW1pc3NpbmcmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkYmdXRtX2lkPWU1ZDdiMGViMTM2MjRkNzI4M2RkZGQxMjAyYTJlZTMxJmRsX3Rva2VuPTg0MTYzOTk2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzM2NjEwMzY3LjgzODMiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvOTIuMC40NTE1LjEzMSBTYWZhcmkvNTM3LjM2IEVkZy85Mi4wLjkwMi42NyIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9HQl9IVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiZTVkN2IwZWIxMzYyNGQ3MjgzZGRkZDEyMDJhMmVlMzEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJwYSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJQV05nYW1lcyJ9LCJ1dWlkIjoiY2ZiZDdkYzgtZjc1NS00OGY4LWE4MWUtNWY0MDk2YmJlNGI5In0= " --desktopshortcut=1 --wait-for-package --initial-proc-handle=C40A0000000000004⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS086B00D8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.142 --initial-client-data=0x328,0x32c,0x33c,0x304,0x340,0x7253ed4c,0x7253ed58,0x7253ed645⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5712 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pf_fonra.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc438C4D55262E41F99624DD722B5C175F.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qadermbg.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FB13911D9F04C59963546399F5F6A.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3qckvxua.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AD4793F51334E539181DAC6D19C67B3.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0zm7xnz.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4003.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C0B18826F9842B282492ED461BEBC98.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmewahte.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4090.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78F20091FCED44CBBE8A941060965738.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ex8o7n1e.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES411C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE399976624F14EC39CE4B1C8F7B11D60.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4w0h79j.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4199.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A4883B877964D40A99C968D781C876.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\twohqwnz.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4226.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60BCD9D1AC8C4302B11AD563B749451.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nwyxzlhe.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44376C5AA503457DA515A6D1BEE9B76.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4l-zauoh.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6950D264EB14F78AD94B32390C9913C.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\09ktgpey.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES442A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA5A31E9307440BBD1D607983402C1C.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sogtlmey.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4533.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0579CC4C10940789BC4AC443724F8D8.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\blbrf2im.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5573BED65CD49948E92917C54293644.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hgeafn1x.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES463D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9670E2FD34E74B458433C1504D671C89.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8qb1nmzw.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6880492EEF4628B081DC4474D7C7DB.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dccszyc_.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4746.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc88AE55C2B234649BA85BA7EFB2C469.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zssxon3b.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4860.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5240A5830141669D928A833EE1D837.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\23hw-fnt.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES492B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1348C7B755943CEBE5A49B4C9823EB.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6yx3jmsc.cmdline"4⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF6D1170A9FD4C06BC5982BED7D515E6.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mkpdmhlu.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0431ABF580E4F82BB41A7E360E1AC88.TMP"5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gcyysdee.cmdline"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BAB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBB0C8FC80584100BA55E595C61D4AD6.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ga_6uuw.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9FB8674910142EE8F269660C4670A2.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\srbmg-pz.cmdline"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF096.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33ACF0F636EB468FAD43CF7F1A63666A.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eoz_oc0q.cmdline"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF132.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35F4925993CC44CC9A926B942D337D69.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zosi3mv5.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72EDE5CEA4234E81AD1052E03549E2DE.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfuztrms.cmdline"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF21D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEA04138EF22A4DA386E16B8FB782F959.TMP"7⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fbktcfks.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4AB47EC95A8E47E596A2FCFEBDE9715A.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\udis97r9.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF365.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc919E5A41D6C249C38585C76F51353CE7.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oqqwhvsc.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3D2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC91158BD474ACC9E6F907422ED730.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-xyr6i3f.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF47E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFE137746310A4860BDCE2125A7663E4.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\heoh3m69.cmdline"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77AD81BBD5894B7182CDE7BCE4374ED6.TMP"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_7kge-vy.cmdline"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F67CE35E21E431EA9752EEAD13C9F5A.TMP"7⤵
-
-
-
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\RevengeRAT.exe"C:\Users\Admin\Downloads\RevengeRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6184 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\AgentTesla.exe"C:\Users\Admin\Downloads\AgentTesla.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Bumerang.exe"C:\Users\Admin\Downloads\Bumerang.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 3244⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll :C:\Users\Admin\Downloads\Bumerang.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Downloads\Bumerang.exe"C:\Users\Admin\Downloads\Bumerang.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll :C:\Users\Admin\Downloads\Bumerang.exe3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8152 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,1168145015014619550,47852764229104782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Heap41A.exe"C:\Users\Admin\Downloads\Heap41A.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt3⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Drops autorun.inf file
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\std.txt4⤵
- Executes dropped EXE
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\script1.txt5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\reproduce.txt5⤵
- Executes dropped EXE
- Enumerates connected drives
-
-
-
-
-
C:\Users\Admin\Downloads\Heap41A.exe"C:\Users\Admin\Downloads\Heap41A.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2172 -ip 21721⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5fde1b01ca49aa70922404cdfcf32a643
SHA1b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25
-
Filesize
471B
MD58eaaa1ea8e7cd255482e9076b6a84fd6
SHA155c6d9e03ede1d15559a9f80636c2319c8c5c20a
SHA256bfd892ad976b64c1a932ec4e5e7e45f1c247068abfcfbde434eb9bfd7faeadc7
SHA5123e8926aea20fde3bd1b5deb03f8076f09282595b7e51a4fe14e3054d10b734ca5e7a52fac73970d08e44f4b9d7dfa1b7f75d3a2d478fe3b2225ef18995832530
-
Filesize
727B
MD5f003ce7ba601c6c1bdb683c875c99742
SHA1384f3965d8df2e061916b413d25f7a6e263a593c
SHA25649e38c86d988f61715eb98023e965433a7b9ad5a362c145bb8930e85138a7076
SHA512e08260c801c4d740184fa17e6399d6d3c13c0f684a4dac6f3fda4c32713afc7b0ba20053176811acb1c4a01f662dda43a5bea7873b7fd03d69ce60345bfd3c2a
-
Filesize
471B
MD545bf2abfd1a60226d1329f9bb2c5bdb0
SHA1156e77b78601352f568237f72fea309540b983ed
SHA25659c76126ec916c0e191f2de03327c83531cc50d60eabd997f1fd7f1ed84e4357
SHA51288f2fffd11141bd6314961460558352636b04cc73326a866e9e01bfdcf5912cda62283fb4b92f14082d69ae5842105d9ce8f89e0b0c85067a89f16b9804034fd
-
Filesize
727B
MD5c0a0c86dd99c50f73a1e595dd3af937a
SHA11e14113699fb8284f88db01b9ccd796da54a36b1
SHA256bed690884f77464e60d669d63150aa7217de87f4ac5aea2596b23e25cc926787
SHA51290f507f0fc59c363e2fec3c66afbce6d868c3eb466002427e334fe63f24556e04f5dc242a36dd180798155dbb1e5b765c9e646fb2553d20a01ae29bd93bfac5a
-
Filesize
471B
MD51ad120de27f91abc8c21e8cd78dfe279
SHA1f75bd0db424d53dc719396d0f31a5ba1e5641076
SHA2568bd9355cc657c6dbe56359c991ed65f2cd5ba13432c82d9372c140089df9f189
SHA5129ec635d44bc437ee2858180ff2474fabd0551dbc73076fef9e69c687d11e242e8f8962769ff8849e9660ab646852c42a21b78ed0bf69be78f0249de0f23c4291
-
Filesize
400B
MD57b68fe9194aa041042763d9ee493c3c8
SHA1a612850058eed0123e6e5b3e8e9722de825c1e78
SHA256418b6c83848bc7110ccb2e3887e493bfe258846f9e957d1d895f5c8a9ffd58bd
SHA51295f3c14da34db0dc136827214c89630018daa67fa1609eb0bad17d5691c0b66c0118285b2a60afc8eac9fb1d0f7e08f0db0a1b30149827ad29b891d895cf01dd
-
Filesize
404B
MD5e9da3565b2020bb542ca0c5f1c7b205e
SHA1ed859aa88b286aa58e94cbf57ec6a46a25196519
SHA2567dcfc124d9efd62d7e9d1b4ceb55ba4e2d7a2e1ff81a6545fced44c80c66b584
SHA5125e884ebe730a50796fa7ac5d3d66a2577cbe40d4f60a156deed1cd2cc4dfb3f176b69c3fc0492c7c8daa861d36d6b89660f084f0448cabacca94bade0b4d3152
-
Filesize
400B
MD583848a0dee303dae6e93cfa917dfb7ba
SHA147951e6755557270e9713d1493eee69a616f0d15
SHA2566721c80239cbabc7a025fd3d1f41960452adb77b670351229a99411df525bc07
SHA5125d586a9ad6bddaa0204eb9e42b7325e6ab25bc82790e292849a022332a66a4d1a04d72abc5f563e6c1e1ff800037c11c8f09425c702e0539e9d2783e65fdf2fd
-
Filesize
412B
MD5ad92e3bfe91d09efb09c5aafb0124172
SHA121b13f63f1fe4fb194cdd71d56ff355311b9ee84
SHA256870ef333f1342a90fc181ab4c9ae751b3aa1d6b26e2040c6567f1d978e062a54
SHA512570070ed5fb76eb9e8142a7bff549bd5676ad11f70e1022dbe76af26bd47b35222a36c94af1258108679dc47b827f93078f5767349839fd4b52bb86cf9aa832f
-
Filesize
412B
MD53dc68c2e908a55af8cd914333948ecfc
SHA1a70fdf31a8c5500de831fe0008ff840756992995
SHA25603ce663604f5449fc9b1e163e02b5eed936f3d1d9c5bb80b592eba8fcd1d84ac
SHA5122955a3be14100683036ac96e8d99536f5ef3a365ef270739a797ceeb08f74bfb9f121df039aaae9eede54356deec1919bc2a7c1e18ab5502cc3731125ac96b40
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
104KB
MD51b1fcf15c265917d465dd9e1b7451d01
SHA174bc4500fc0a36fe8f700a4ecdff9ec131e7585b
SHA2562f03442a1f19b4f82b6e77cca8aadc425d6cef3d34a0819e43da44fcf717c57b
SHA512c061a9ea55c4784544286e0c792186c753d4f73d93dab5027cbbfa8eedc089dfa65278471a54e36635a2149065d2cb98e2f04c0ce1a4a9abf723387837cf59b5
-
Filesize
135KB
MD561073bebbecb44e3c127f243abb5e08c
SHA18bf7917b448402438bdf83410879adddacf924ff
SHA25617048f945c7afa531042491bbb5a0424407023bbb3d817f11da4432ec8dfbc9e
SHA5129cd3e1c94116abe0610cc9fad92f2d448604d48d044a01019fbab4512c6f1269d385b2398131dd2d9965245b8901867e6eaf01b2547f00d23b6bee397cd184ae
-
Filesize
132KB
MD57a0d3de9cd9218bb03f9b514ed50f789
SHA1b2beb6e56c8256219c3cadfce890c12535461e14
SHA25616e10942df8f4e2d9b6d6da840de52f83c2c2ec091b28ac0dd8eace01864cf1a
SHA51215558de1fef18152ceefecf89f5ade098d4574a7c0ac5bb67053f475cd91487ebaa0ea4c320741989049ec7d38353cc1a849678f87363abb26bb4817c1113d28
-
Filesize
20KB
MD587e8230a9ca3f0c5ccfa56f70276e2f2
SHA1eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA51237690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8
-
Filesize
1KB
MD5d0e139c1a07bc95bfaaa9d38968e344c
SHA1010f2e791807a87e1baa3c57c71ea7afd6b5e846
SHA256a56f591156670ee2f5a8e67ab16b75ede349ab78214cab07520d0565497892f6
SHA512d5945d062032e459a6f1114b2f76a10d272e3ed434aac9cb05589789c3bd5ce222cdc517aff2f71992859fe370795b5522ae793816ba9b53fcdc77a9595861b2
-
Filesize
984B
MD57fca7119bb3597842f707b892dd70d61
SHA130b62b51521dce83c15b9ec92543b7fc138b53af
SHA256504118b98c5790725ddcc1e308791d41081b3360b76f056bcb00e0f87ad6e17e
SHA5123d5c1e127b390a3bcd9c66f059cd0b7fedf06ce2c277309098d32e9188bbec4173efd3e6132b41e68a64bd96e795590d63bec5b0cfe8bb79535c61f812a92f2c
-
Filesize
4KB
MD593344ac931cb8e466d338cbbf178f626
SHA18f175eda2b18e3c9ee063abbaf632e532c55e7b7
SHA256dbc71e665ff288967a39379d3212275b53642f54c65d52334ee0369a55381764
SHA51226ef8aff20a415ddfb74f27c94c917aa4948234283a6a191acdd2114b6f5971da003071820d56562a1142f8c9de27a929b091e8780154a220bc76c562494f113
-
Filesize
5KB
MD56ec7e11f376c48a87103d1837de1e177
SHA1ab9c0e774ada7034e9112296cbabcc9b99cd386f
SHA256cf68e179964b811d67c74d534170670102bbe9a692e269f71d7c39b7b69f26c6
SHA51272a1b840eb94d776c56e57e4fd06342761ecbcb6d2d130eb40049bb1a17e63649aa99d53389e4906d18516a946efce1e264e064e02305e9ded1c6f3454445aac
-
Filesize
4KB
MD51937ee313c962cec1a1f6bfb493609e3
SHA1935a4fd3aa7cb430b19b7152ee95888e168e1168
SHA256f07f039659795b78602bc88b2ece5c934f0d91ac72e0ca4f8f9ea14cbcc8257f
SHA5120aeee1b5127d9dfdf4b7938761b63a701994ad91a92fda506ef6346c655eb50c16ef4e7bcc5664f1ba2732634b3210e724d630f53ecb31a8e0ad39af0f6af89e
-
Filesize
9KB
MD59276189712d727169a5de96ca66e667c
SHA154363de9a3114026dbb37a83762f48c2f6fd52dc
SHA256b3ca2fd8f3ad28d5eee490f03a982d37b53ee34fcbd0fabcc8031046a66ad79f
SHA512734bb354305caff801f51083f40348e94820d24c1f3db6f86780ba27193f74994477fcb047d0d34bb484203e030c68caca020e30fb0c18818fbe3fa7fe5dedf2
-
Filesize
10KB
MD586736747dd55aeb05e9c16362d9c6d0e
SHA10b2d19f1e0af4be8d29dc55ab2f39bc782755c4f
SHA256b1c6f7fda05781fdc439a895fea682f0b18805b7480e6821021bed77af02f597
SHA512aa3fed14847fcf855978813562bc6ef19019922b57a486319077b4406c0e6a1724161a7cc291475befe67266a5b672585a1247b6f638c855c11410cd28dbad17
-
Filesize
5KB
MD57de6bd6c3d4e59218f84077d678f5171
SHA15bcd320ef441defe40df29155e3dec56690b857b
SHA25699324029218168474cd9c52cd736da0f253a29f437bfeb430e4609126c57c0d8
SHA512231b5cbfaad559025bbef53c9219baa972c5ce453736e8cc4c7b973a4b7295e911cbde20964eb821459f1c508d75db8e28c63db27986222eaeaab21e8b11a294
-
Filesize
7KB
MD5f5e99fad9bb444d00bf99f78be31db27
SHA10b06cc5000d3295effd5ae846947878bbb4ed118
SHA256828c2e38cefd6cdbb89951ad43b7c0480ff40526d5a02d8674d29887bc9e541b
SHA512742cc8a1a1b0e6f35fd8103bf5230f8ba01d6a2cb1176fa29a71272d43836d1aa4bf19678f0fe99467f8c1851a0f7f6b3a6f8f1abd9f7b880ba7db160fb520c1
-
Filesize
10KB
MD5f5e3f227c12464015d8cee8756dc4478
SHA17c519143eb2cf577f6e37795a83498db1c5368ce
SHA256d364df6e257b47739ad8e9e31c8f68e9344b4ed674f391c4b4fd347907fc5740
SHA512377fc2bb213e6d8ff0497f1a36985f176bd808d26d37fba393d097871ffc3d4602764789fd03520c96a0e9e93e067a9c303b6871b585e3b29aedd658d0607224
-
Filesize
6KB
MD5e5007676db3c43ac6bd1cbe932558aa6
SHA11a681afb38a44f6d7bdc296a04dc3670f0f41f56
SHA25684ae81c5b35405090c0c640640f0882e943b8c0a07e7144bfdfd9955aa6f6486
SHA512a8a6c616d51778bb9ac5c5b0e973e2b9deac54de607cc5fed5e3060443cf9f871a8603163648ad48248adac33d2fb8d2ffec53c27d8dddbc72b31a12d84b2e78
-
Filesize
8KB
MD5825746e551c1395ccda61b68f0a6bedc
SHA18fbeca78c8b314c52c4bd767d589b73798feebcc
SHA25688c925a35492c0a1491fbb607f10466ed5826c3f89da11170435aab1a214d166
SHA51290fab3539a8c4644a618f5fd322b0f9dc934f5580ca3de2eca1c517c0b68223eb8b8a3da6c64f8793448cdb595452dc60805184be7cd5439a16007010e8f9339
-
Filesize
26KB
MD530b20a893bc934a279c2e0ffd900c274
SHA10e48c33db887b2fb3dce559a939ca0ed5c8003b5
SHA256d7451a4a16c71e70cc6e420b77adf412a6de4ff740391e3057a03993acf4802a
SHA51221fa0c2b47e4ccbc93b720a78a268f8fe70894cb0157863dbc6fbe95245dfcab7271b6a205ecb027d68ff3e96b1306565bf45cfdf031d3536987b2daafc72a32
-
Filesize
72B
MD52f12cd2f081bdb2f07313eb2e96bba06
SHA1ff61844636ea9b901e031e2b78cdb574edabc2c1
SHA2567d5dbfa28490079385fbde5aaf7398cf0142a3b59c4b21b15115c771b5e70643
SHA51265fd8165f3e4da9463c28afd4671caee7389bf4acc8f59c033b018d6ae7035fb06e8d96f09537d3ce5423cb6bbebec950060918c3a0c0ed35ccb1223d9d81817
-
Filesize
48B
MD5f7fb64ebe752fa4185d10bab07b38923
SHA17da4be82a6e406d47a0f9e471be2f0bd0be7acd9
SHA256a8adad6cf7a97f067cb87e069b86a5b6cefd328ab918c4f4d9715ee3489e2895
SHA5127413c0e51c6dc15196bf75daca48ded5e5b3f4a3c3128eced6d9c583a3bd88912c74fa30569471969d1ae602bc5cca3fefd00db34fad195c2e8fedb683c7d2cc
-
Filesize
4KB
MD52c521bc4a6a9e308afa3fa02602ae3b0
SHA1dfb40c943f836c3702ca6a8c5e330386b65b24c3
SHA256e611f985707b40d7fcd6a4704de1f6667bfdf3b2cf24c522d4c635fa033d38f3
SHA512b84a84631b1f7851619fd0ad8883dfe1f42a91583b261c0778ad1faf85bdffa8ea6d36e03dd5710e6539bc09c3a0557be5148b53f0ccf59491a26fe197d20349
-
Filesize
1KB
MD5670eb011d6eb62e0c2a62b5a24c08312
SHA1e2d4ec13924e83b2944e2430384aaf00cd4c1446
SHA2566e4878eac11149ae7c8432e293a9dacb6a153e335965445406ca0997b2dc95a1
SHA5123741bdac0037cea0d42556ed9e69ed63566440e23646833dd4a58c0dc41c60a9e6b28fb86f248dd81f68ccfcf01fb01b4a3400571289be34a86f0edd5f8174a9
-
Filesize
2KB
MD5904dd12903906ce081f4472591f36d92
SHA1b8e666eeb9193032b12366a82bfe2b8fc0be1c13
SHA25675e13d1568a8dd50e639b3d9c0c5d03141cb4fe8f00b34d0229b6d55913ecca6
SHA51270831dec65a124b1c6850f67e55247eab00a5edab5d3461eff04552065459d86bfd1a9154a73ed69107a7dd76c3b8b74bcef84b013f2100a6d08cf9803e1a21f
-
Filesize
3KB
MD52fabb5e3966b1bdb217f5acb849484ef
SHA145816e1efede99f713631327ebbff32c6bc2291c
SHA256d619a07bbee9d4f98d40026e31e3b9f1264cd55a654cff08780b589cf58b62fb
SHA51286a090470a0c2b3cdc73cd9d90cc635442150d8a8b097e4696affe363c706212fbd0a9d7b237d2d824449b78aaa1f8ed66c0ae97f6ae046c88011974774e9b97
-
Filesize
4KB
MD5acee68eb11cd1120d72b1adb66892259
SHA14e7cede05bced46f1fa406dfead8b77e23376d6e
SHA2562a9ece5bcb96e91ad7cbdb7937ed9fd44efc0759b119b5b50750aa74d032f226
SHA5123401e657cefcabfae5131dfd0659628901bc1f1d68205060d87c9f580480214c0551bf7f09f7748bd64ec515b9c934539da68891d9bba347552b7618a9ccf1ce
-
Filesize
4KB
MD5300cf80b1d893263e933a7233a2111ce
SHA14c70715afb9dd01d95f296e6c4484c0b632af98b
SHA2568fbc2f1abc78b47e41e0a54e025300a44eb3ceaf5c83c2257a2da10204d20448
SHA512bfec8e55b43fcd500bdcb64b5755d3943411eaeecda3b81896d2325a7bd079e61dba2ec11d890ce15580cbcb5a40b493660c54f37893503c11d5df58cc5284fc
-
Filesize
4KB
MD5fdfa547a0b8a9d72e7139f7634d12a7f
SHA102ed635033bd98a55a003df1dcb17f151c599c33
SHA25609bf0fa2d19584ddf4931d9d642ed4799c092bed1af56bce1657ac1ac6291221
SHA51249e982dde153e55ed1ed50d49e13c5d4f86572e5aa1a44313f66263ad3dec114943cd78a7968331bfee91115d93fc98be2887f42665228f4326eadebf892ad9e
-
Filesize
4KB
MD5b3eb2ad616108bb3e6394b896b516ff0
SHA1a02dceb65e594eaa3f7b8cce713360faab4e3ac2
SHA256db54580f1a1b2f2b1b7ea5f4da88fda698fbb0fea8865a884e012da0dbf74204
SHA512f2b5be344d7ad65d64edfe6286190d1ee86f88d260e141f50d0fa829643196f8aedef76e8a809bca46d1b76cf29070996228e53ee86159bad678ffbef545c844
-
Filesize
4KB
MD54cc079b3ff1f7e4d0cdb662903fad67e
SHA1be14c0c072f1f89b3b0f0cd1e53f7c498544e76e
SHA2564943afb08e5193d670824439b0021991bfd30bf3b1dfd804dd5887b3abd636e2
SHA512b62e4358e4e3d10c818e92a5549db96ec84a1d6b2d42a3b4f5328374f25e5a6dad9df4b4b05d8f5b72666ecd9efa1ef5c96ddc2a4c31cb42c29365dc22f8c538
-
Filesize
1KB
MD5516460d94e5405572ba44a00b82bf6b1
SHA107043d18cc153447dc7c905928b6959ad7afbd9d
SHA25649fb7e86a69b193f03e10d9a6b4142db967321d8fbccffc123e78e93156763ad
SHA512fa778b14a28f420ac1b20caa3f47b0119407429816997cd55760dc2b86ffac5750e4a952284580ce13237627335340dd334e7c287a11d2531bb8667ba902ae33
-
Filesize
875B
MD5f8fb4923da9f5cb1c1279836723f9015
SHA1a56600782673481ea6dfc76c990ced613d034924
SHA256e0f64c9804fa4d22c896231d261ba9dd52ec31721add6ee2980b052b7ada48ea
SHA512f5a06f73e197349d4a21ee4180126fc27e839e90079f1950dc2ea995a278b5014180a340024ba4d63750ce6e26fa2359f5c8910624c77bd1c163fcccbc4e35d3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53b72ecebd4172bf666f868f5b953efb7
SHA1835dbd99d82bdc812f0a772f6ea7374cf073f408
SHA2562ae5c57ffc95ca07c0c19d151a8784070f71bd3f03aaf4b18a5529f3123c7072
SHA51228e6e0561da5c6d9406b5c8174b830647c1b09101c7ea3d186b11992417ea1cf05cb725d1c9695f9f2dd8d71461137d0c962d19422754d134d209b84c9c0af48
-
Filesize
10KB
MD562f8db60f39674cda6dda054a610d025
SHA15b2cfa46249256bc90fb46f07134e2c9e9392380
SHA2567ea2496c6be7092f0c8aeee483fe30b1cf25b2bbd7a3febac86e590e86c51e79
SHA512e4bf17e6f8184b76b02e7f0207ba943f4f18b096e0e807b5d569f7061fa352a132697efd96d8917d06c54a78f8551996cd6f1321c724106324d1a3c9cecfd5a2
-
Filesize
11KB
MD567816f1c7795be69fcb337cb63adc542
SHA1711c0d22435f4e34dd26b5c462f708cf26ca192f
SHA2567aa39de6f0c8cf0c21b13e3c045f100012dd1064f7f6de8ebeb9592338545d6b
SHA51262edf4b2e6f23085a6b96af7fc24c4d5f0d7348fa3cf04d7dc8bff5076ce84aeadb3bcb053ad4584db9b80aa66558c8facc040fb402184717ef08838bf2116e4
-
Filesize
10KB
MD532ea70325c12277ee06263796bc62e5f
SHA11b67b64ec8078f9f74233549fa6f6504d9772b10
SHA256dc82821e811d8671bcf34b3e3c27837e068e95ff5a258b26da6672cbfddec702
SHA51290282fc072361d215bbf106022dc9aeb82d1c979d9e6dc25109d3a27b32e92c5bdfa650183af100b6f85516ef588953d7302004dbf36be66f6b7cec9b5e523af
-
Filesize
11KB
MD578c88151718e549fe11205a2e2cb66e9
SHA16c1b605761e237a3984a915c1313f5b9e1b329c2
SHA256d141b243cbf72cd44bd460f635e04fc68d8c29b434b1fc5aa328084a8c715a6a
SHA5126c62ea0fb7dc78ad51c6f0787349b18283cebf721fffa47851594afa841c2e0cb28e48480dc2868e613a88ad095e209dd44bc2c17a06328907f389ed04b7e18d
-
Filesize
11KB
MD5768a196e83631072971c1b42a083dea0
SHA1127c311ec6a4d4e42e1e852f2fd5ac82ba691b16
SHA256bfdd7beb5538772945774be3b7c96a5b73edf6cd681924b20df1319dc0e89118
SHA5123b73b0503c5545d37433b307921b0b8f43954a9c28abbda462c2e6723e20565d4b5207f66a5347b6fb77e3e6a755f5f090e89bd65bbcdeb0225befe5ae48b2d0
-
Filesize
11KB
MD5e3436e447d1c2d36134bbb61c7cab2f6
SHA1ce1813f5a20505b8f2714d73e95f83b4219bc027
SHA256d47c14a708ea168a6f2e0401398841b8cbec8fbcfb3818bcd0d45fc6214a8ad7
SHA51271cd32b0242ed03b56e52ec3cfd466395c6d6d026ea73029bb9bd52e8ba80e08b6ee03caf1d26505e111a909bd965ce471658dfc81e49a6da5f55b1f559f9576
-
Filesize
1.4MB
MD5e9a2209b61f4be34f25069a6e54affea
SHA16368b0a81608c701b06b97aeff194ce88fd0e3c0
SHA256e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f
SHA51259e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5
-
Filesize
1.8MB
MD54c8fbed0044da34ad25f781c3d117a66
SHA18dd93340e3d09de993c3bc12db82680a8e69d653
SHA256afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a
SHA512a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481
-
Filesize
7.3MB
MD531824cf3d0d413089f861f703997857e
SHA13f9f8b948abf1c5f968444f0b2fa6ea64d74c344
SHA25671e528e4c023b2acafeaa8551c691f83d563abacf534a05d2d3b9d10ed02fbe6
SHA51270f4d0b5721ed1f785f31082f59acf529c847489824301651353c3aa079d53d4b8e77b1a86df4adc3b35db4731ce2d0bc685fbfa6899dc03702d673c9fd7288a
-
Filesize
55KB
MD5996867ee0cfd71ede0cda93e57789c75
SHA115abbe1362ca9ae1889ea56d3ea07f793ee76665
SHA256c3d83fa6b168c9c53b7f9f4324be6f8053e47047e63199c05665a6bad5a587ed
SHA512e4c3505e9f3c3f4469c858f08e612982e0a24b05b0c3e5aee5c63cd028b48f232c4e7470be50f3443f80b09aa74f2f9e59fc78fd8aba52777a1811033fb6cf00
-
Filesize
318B
MD5e4231534c2813fda3a98d6d6b5b8b3b5
SHA1c22ac56a296756120228cfe77fcc17b9000934c9
SHA256143c93447046030853857088e31ee6c121d63fdfd03f10d36dfdcf6f0634ba43
SHA51259aa526796c7e1de9bf2074fecae7b7520f34fd0f523bbb4c1f111b1b289f0a5bb7b94dc73fd8fec6187076c10d87a56273a09c79c718e388fcbaf5f0dd676cd
-
Filesize
72B
MD5343c6f5dcbc9f70509a2659b6dcca34e
SHA1573ce994df7f433ba8d897a03b8beebc1a1e80b7
SHA256375c1af6f2d1fec8595df303bced33d9f80da01fea7d4968e24ef64dfccf78bd
SHA5124b92a1a45c2f1d00eaa58feda3a0de94d91727824c5ec5472f0eb4ba0ee8edfcae8f05b01bacba5263e870f79e5737137f75434e009260d53853b7f86f94ba4e
-
Filesize
233KB
MD5155e389a330dd7d7e1b274b8e46cdda7
SHA16445697a6db02e1a0e76efe69a3c87959ce2a0d8
SHA2566390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05
SHA512df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091
-
Filesize
6.7MB
MD55614930f6f984c8f2e36ab2df60a0bf9
SHA1495a0e214cf5b97336a0bf7d419a0e6f08b271ff
SHA256a0f1430b90e328b644e58446b716366449696fbf8a10e2bcd804fd4ea2bce542
SHA512bd43755d662be76e3b15ed3fe1c1f25974b9a57d93c09b15732efb2c9ebd2b411a92c216062f6b28f0187e11d2ed0ccc2657f9ac878e631bef11b409b5948ca4
-
Filesize
39B
MD5502984a8e7a0925ac8f79ef407382140
SHA10e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA5126c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
40B
MD5098fdf8fe25a95a13d1b7af9a7d06724
SHA194926c543956b7e7f0e8aa159ac2585d4589bb1b
SHA25694da5170cba4a49803b39502328c3905908533bd633b9ffbb46544975b02487c
SHA512bd79294ea9f6765d994becb8af81baf11f295097e9a593dfb68b8f05fada1f2567a64aefa6a10ac34b2e51f1e44f6d2c4be9271a019fdac02d8f01c45a1114e4
-
Filesize
3.8MB
MD5491d718268e220385a4f985fe3e14f63
SHA12c1cf8957436576ee57c0ea7cddff1726ac3725c
SHA256c32e4c7827bef72d6f9420afabf04bc1329458d03249e1ef31d25463645e6244
SHA51217aa6a70d5cdb3766c0c19e2ccca660d21f91e296acf6240cc1b1615e018e62b094833dcf7aa109d20cb945e3774d9d0b2144269a90e7e7f8add7f38e83b2bb5
-
Filesize
26KB
MD5b6c78677b83c0a5b02f48648a9b8e86d
SHA10d90c40d2e9e8c58c1dafb528d6eab45e15fda81
SHA256706fce69fea67622b03fafb51ece076c1fdd38892318f8cce9f2ec80aabca822
SHA512302acca8c5dd310f86b65104f7accd290014e38d354e97e4ffafe1702b0a13b90e4823c274b51bcc9285419e69ff7111343ac0a64fd3c8b67c48d7bbd382337b
-
Filesize
451KB
MD54f30003916cc70fca3ce6ec3f0ff1429
SHA17a12afdc041a03da58971a0f7637252ace834353
SHA256746153871f816ece357589b2351818e449b1beecfb21eb75a3305899ce9ae37c
SHA512e679a0f4b7292aedc9cd3a33cf150312ea0b1d712dd8ae8b719dedf92cc230330862f395e4f8da21c37d55a613d82a07d28b7fe6b5db6009ba8a30396caa5029
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
Filesize
5KB
MD5fe537a3346590c04d81d357e3c4be6e8
SHA1b1285f1d8618292e17e490857d1bdf0a79104837
SHA256bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA51250a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
-
Filesize
2.8MB
MD5cce284cab135d9c0a2a64a7caec09107
SHA1e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA25618aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
392KB
-
Filesize
4.8MB
-
Filesize
664KB
-
Filesize
200KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB