revengerat | hxxps://gofile[.]io/d/nEXvhI

Resubmissions

13-01-2025 20:29

250113-y9mawswray 10

13-01-2025 20:26

250113-y76azsyqcn 10

Analysis

max time kernel
68s
max time network
70s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/nEXvhI

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00290000000462cb-169.dat	revengerat

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 6 IoCs

pid	Process
4592	Rc7.exe
3688	Rc7.exe
420	Rc7.exe
5048	Rc7.exe
4816	Rc7.exe
1284	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	0.tcp.ngrok.io
50	0.tcp.ngrok.io

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4592 set thread context of 1968	4592	Rc7.exe	110
PID 1968 set thread context of 2848	1968	RegSvcs.exe	111
PID 3688 set thread context of 4164	3688	Rc7.exe	114
PID 4164 set thread context of 1132	4164	RegSvcs.exe	115
PID 420 set thread context of 2948	420	Rc7.exe	118
PID 2948 set thread context of 1208	2948	RegSvcs.exe	119
PID 5048 set thread context of 1480	5048	Rc7.exe	122
PID 1480 set thread context of 1364	1480	RegSvcs.exe	123
PID 4816 set thread context of 4540	4816	Rc7.exe	126
PID 4540 set thread context of 4496	4540	RegSvcs.exe	127
PID 1284 set thread context of 2596	1284	svchost.exe	195
PID 2596 set thread context of 844	2596	RegSvcs.exe	196

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
2852	msedge.exe
2852	msedge.exe
2644	identity_helper.exe
2644	identity_helper.exe
2468	msedge.exe
2468	msedge.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	Rc7.exe
Token: SeDebugPrivilege	1968	RegSvcs.exe
Token: SeDebugPrivilege	3688	Rc7.exe
Token: SeDebugPrivilege	4164	RegSvcs.exe
Token: SeDebugPrivilege	420	Rc7.exe
Token: SeDebugPrivilege	2948	RegSvcs.exe
Token: SeDebugPrivilege	5048	Rc7.exe
Token: SeDebugPrivilege	1480	RegSvcs.exe
Token: SeDebugPrivilege	4816	Rc7.exe
Token: SeDebugPrivilege	4540	RegSvcs.exe
Token: SeDebugPrivilege	2424	taskmgr.exe
Token: SeSystemProfilePrivilege	2424	taskmgr.exe
Token: SeCreateGlobalPrivilege	2424	taskmgr.exe
Token: SeDebugPrivilege	1284	svchost.exe
Token: SeDebugPrivilege	2596	RegSvcs.exe
Token: 33	2424	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2424	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe
2424	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4820	2852	msedge.exe	79
PID 2852 wrote to memory of 4820	2852	msedge.exe	79
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 544	2852	msedge.exe	80
PID 2852 wrote to memory of 3372	2852	msedge.exe	81
PID 2852 wrote to memory of 3372	2852	msedge.exe	81
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82
PID 2852 wrote to memory of 4728	2852	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/nEXvhI
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff88d8a46f8,0x7ff88d8a4708,0x7ff88d8a4718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff780b25460,0x7ff780b25470,0x7ff780b25480
    3⤵
    PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,923414378476894144,9179385853988340937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Users\Admin\Downloads\Rc7.exe
  "C:\Users\Admin\Downloads\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zeu_zlaj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3112
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES559D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6CF19E79E2F24FBE9EF9756E64768CD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euuqh3vl.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:712
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5649.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F4D8DBF40D84B14803791DB4475A050.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cd1wo4g-.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9D8A8B985A4FB792B81A51D3D499F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dmlw3sfz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5743.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc672726DF5DA54BB2BF71ED98F32296E0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:60
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e31mopse.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA70DA6C941E4CFF8EE73E567CF12CB5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7omblwbi.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3852
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES587B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc702A13E4A3AF473C98436DE2602448AC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\el_rm_tc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5908.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8E2FDA6C8F03436EBCEB13B011F821E4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jl9ihwk8.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5985.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6E526CD702B4E8FA88C186F771FFD6F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3utespb.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:908
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A31.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc72CA9DBCBD9A4082B9154EA74F608027.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4gornxci.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:972
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76B38035C91C4DEA92184846999748D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyugzzd-.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B2B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD67C4BF14AD448FBEF49E37032DDEB.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpxblyyt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BA8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc838F112B4DD742DF9EB346B65B1C4213.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4kr8e7e.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3596
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C34.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5471E8E75A34C82B96CB536433C7B6B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\doguh3hg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33271291ECB6406F871A9CB05148A4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\miia6blr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A9CBF65CE4E483CADF8F5632F767F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q1igh7nz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3740
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51252C384E3049C3AF2495DE92D386ED.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c4hd1hb5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4396
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9822DEEECB9C46D3955241F31572C776.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dgl4uq89.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1560
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69B6F4422C343FD90A2EB7374626E83.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gax6kwzw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0BEEE8BEF634EBCB136D1849F715AA8.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cdyja8mx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1F4FA79169346ADAB13D62F119EBADF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fsn1_fmv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES603C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD78D0E7D7EE47A6955E6821B642E99D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1284
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:844
- C:\Users\Admin\Downloads\Rc7.exe
  "C:\Users\Admin\Downloads\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
- C:\Users\Admin\Downloads\Rc7.exe
  "C:\Users\Admin\Downloads\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1208
- C:\Users\Admin\Downloads\Rc7.exe
  "C:\Users\Admin\Downloads\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
- C:\Users\Admin\Downloads\Rc7.exe
  "C:\Users\Admin\Downloads\Rc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

Filesize
120B

MD5
50dec1858e13f033e6dca3cbfad5e8de

SHA1
79ae1e9131b0faf215b499d2f7b4c595aa120925

SHA256
14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4

SHA512
1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
17ce65d3b0632bb31c4021f255a373da

SHA1
a3e2a27a37e5c7aeeeb5d0d9d16ac8fa042d75da

SHA256
e7b5e89ba9616d4bac0ac851d64a5b8ea5952c9809f186fab5ce6a6606bce10a

SHA512
1915d9d337fef7073916a9a4853dc2cb239427386ce596afff8ab75d7e4c8b80f5132c05ebd3143176974dbeb0ded17313797274bc5868310c2d782aac5e965f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
63af7b2048710d6f167f35d94632a257

SHA1
812c8f140a72114add2f38cab52fd149ad8bdcfb

SHA256
15aafcc88226b6178e02a93858555ca48fb205ae317815ce31aa547555329046

SHA512
0519b7dcbce66aecefbd2aaea6120c0da213d8bb3e00a7599bf2e390bee3f643baf952cc553766f8c2779fe9fa303570a56a8c846c11e2fcf9c2075c1e41ccc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5184433559a1231cfca535841456187d

SHA1
c18ee8d4fb6ec81a85de9d71a75bbf34f9fbdc21

SHA256
178b91bd67f9980326e3bad6dea0ec2a68d6c5fedd4c213afd12a4a3a6cbab7c

SHA512
4764c75bf7ebed056b0a9ef71459168f90a7cf5a284bf060283715ed146cfbaed876856b778d6c98ec71a5bbad295c03eae4717309c523fbbe94df27f01c75dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ab5c5139bb5c6b3dc70cb34a8efbc617

SHA1
1a9835b3c40a54e78e70a2dca282acc491d0bd8e

SHA256
a016dc55e952f2834c41683200fe57ab05b20c7ef4c9c1dbc1ec2bf85d40fed3

SHA512
ebfef9d91b8a6b0547fb87d1de721bc161112d1095bc11b17c60ba773b2174c61d658dc762e9c4cedd7756e1a77e07c8087226b1e6a9ad7b6ab86b1fd7e495f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64eb909132690cf084cb0ba3ec259b81

SHA1
d648f073739ced0e44c392994ebf833a6ed24e9d

SHA256
3763c9ad8cf23474ecefb8c51717d536f105bdf53efb0e71224b8616c086161f

SHA512
5ded4180aea333a12e76c6e18b4f96c04364921dcb1972ad4afcbab731b75fbb190a805dbbdd3b6724d81e40b3b4729ee7bfb2a60ecd1bc7e310903aeed3b187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
23bd7adecb28cad2b5b7269b4ebbdb7c

SHA1
18ffcf3f9a6320220d977ddf14d98102b6617c88

SHA256
726b85d6bab0ef4824d57d0f37a779e12d354d7b0df9f77df94d05840b0fcb59

SHA512
c5f8cac86515dfbeceda442a751e6d70e17228a63ac0b2c4b51bacae48cd0574c10746ee522f75d3c8c8eaeb5c48e7f3529ac6d9c28f6a9a71c1493b65d0fe78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea2dda0ac8b7f9f3cd2389ea7013d4b0

SHA1
f8dca61082a774bfeae94e2c7ef7dde32d984f01

SHA256
412d327657b2f1b6a04fb6277f34c742f886c25c2cf3d93566f38c0d14fdb52c

SHA512
6c1fb3590add7412257a5a84d04b71d8220448550d71ba20c5183541e92e004559296bd39f00973b3aaa6965ef122746062965e2beffffed5e889d3fbf0a058c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b8d5a6329bbc5edf31844f6bfa4ae972

SHA1
1014d91ea7a8867459e7014a725794728d75793d

SHA256
2d90e12869f60c869911a3030ea58211b6b0da7c53d396769f4b3dea0c406309

SHA512
d6b4a08d7188e48b3ec2dbaa78f1ccc23334f43266602c677ba5c52d54554ad02e5ffc32e852de47291e3f1291dfc34db62d4a1eb5f631aad0a0340d30e5f7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8ade2f3a82060e6d5b1e97b275213d86

SHA1
a13c13d850addf7c1c1d58c583255f77b40b7834

SHA256
fc73beb5ec396531d7267cd4980e720590ae4c7c34b6bc63bcceef59730d324d

SHA512
51d989a44462ffea680e4bd9b20c46705793236712d11f0400e12caaac3512d662a41b4b49e7e309c8e752dc7738eda080451b74736c6428541196dd7bb8ca98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
46afabf11679cfe41ca2fa3a03e71842

SHA1
8f777cd6b30f8b9926c91fb74aeed62ed1336ea1

SHA256
131ca91bdcd68096cdcb5115f1c232e2aebd962f658f972b49fe62fe6749cee6

SHA512
8a6096aee325c4bffbede0ffc6eef04659ad602779b333ea4f7477da4d8fd7f51fcdddf6808504b4edd93d0545124d0b9169d1fab8a472c37de4b4e6638db529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6974c7e4df7a9af9f879efda6b10ff6

SHA1
ce2efaa5d40c8921bfdff4dc644a81390610c8b2

SHA256
d498fb9a1ba4bb6fa741de99adb565ee0e686212b848f7fdf1f3c01d2cc3f9c2

SHA512
410893632f360f21df10d73e509bff5a8f67d984272e37a37fecd707b6ef7de73010c428fb602d538dacb3c5e70d8767a3c5de72c52425c516cb0b05b5ed8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7omblwbi.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\7omblwbi.cmdline

Filesize
267B

MD5
0e957ea0adecae253a8d08b7efbe20f8

SHA1
d106bed6a0094f57b4b5d6bf01a39e5ac7b2dac6

SHA256
b459691117f98d90b895786f32b97b052222c36d294f1b91549d4d5d79e1da7f

SHA512
2a5ebaa4bb8e4136cd8108c094c86d03e6b17db799ab081058cdcf1222a8632844a7dec9ce2ce102daaf39032dbd5483e61dce04f17b21d801001c32916c53f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES559D.tmp

Filesize
5KB

MD5
38b46089794179ea79ade8d2c04c6bc7

SHA1
5a3164efd067ed670a7a69c3ec511dc6202f2f8c

SHA256
4e7bf2492f6ee730fab8edc7e6a911a7cfdf5a92d19063ab0a83cf61a32c37ba

SHA512
6b4dff01278cf29881d98b3fea02f8575c614119f56ca5d039d410ef63e9f926353ecc2c28f75dabf20abb39a7ca4bc3eb0535b70cdcd58e58e27fcbb650c20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5649.tmp

Filesize
5KB

MD5
64c5c70c875dfdc42e397fd38a242c10

SHA1
b1992f16d271d89fcca96d0d99dc113962b55ace

SHA256
8efccf6759dbb7ff60a6f4ea1739baae5aebea16ab84007426bc1d1e4b50222f

SHA512
558cccb744b5c3216b28806fe14c1ef8f6373498919c076f225df93831bb6bcb6e05ba01213d73b71a160faa2166d41afd12e4f7a912432526a68f82f17ec957

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56C6.tmp

Filesize
5KB

MD5
7917ffa995808727168b616ec728867e

SHA1
7e62ed50014749caed72e95596ad6c13321a53c8

SHA256
9d85c2aae09ddb85690efa2fc438f5c291d9374b751dbaa8b0c849336f6fad3f

SHA512
ec184ea708ab1dc4e0c387e68ded53083008f87eb5b044cd6c03a9b2fffc1c1e81b8991a13c05de33567fb7c5b69a745d9ff479644b5d58f689664dd3e2131d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5743.tmp

Filesize
5KB

MD5
bf5cb14e6f85bd86b0c5cf7c211d4b86

SHA1
e4fde440d92ea25857b345dd0592b151959d8498

SHA256
cd1856289d42b13ffb571931e845922fdbb393c70c4af1ab1b05088df3946784

SHA512
06523d10cc71bb8e6e92f71e513e77e7e8bb640cf919339b78472a676cc9c5739088f385a1f7c74e524c81becae716e04f421993d8db78098ba4c0438a201469

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57CF.tmp

Filesize
5KB

MD5
1d5dd3270f68d37e0e13aa379c2c5d11

SHA1
1fc2dd0bf22d3fe98d065f37022bed129369edc7

SHA256
9ffcf161d8c94874c975f925f459f72af9a3f4c092c8c50b0375acb6bf16d952

SHA512
c40fed7a9a04f29a36b2442efb2815d6d4df017a5b12eea8ed969ab35c4988b45fc3a0bbff3c6d4ad0b9fdd481e4ee7c26466c8bf1a35385c58ad9b477b4866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES587B.tmp

Filesize
5KB

MD5
c880e5c9abcb27fb7b1f5cb48710acc3

SHA1
55f542ae607f9d0f4a8d89dd76672edcbb88e895

SHA256
3497237381cf076e340c9bf637c67d7b29281e6627baf5269d7108666eea5390

SHA512
4219a870ade40c9893e89359c5d0765b09166fe13eb23a503e8875c8473da2b58d6b34ed5452ee8b32c9d4b449a8c59827b2627a052094c8f39dd1aea1b8dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5908.tmp

Filesize
5KB

MD5
166e3f4e615cd225a9ae425214dae0b7

SHA1
341ef59d7883a25813020d603fab90dbbcb52862

SHA256
c32fb61f6f0c270daff35f29ccc6eb72ecadb648196e7d30c6d18024f4dd9341

SHA512
5f0a6cb4d6a697e964c5338eff30fe46601ceaa1e272c9a6af6b7563af928fbc9a4e58b09808c70b748478d3700eef9fe5704084271215da7e22e29be4b422a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd1wo4g-.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd1wo4g-.cmdline

Filesize
253B

MD5
165c6aafd70cfe1d8fd937bb06902fde

SHA1
36be091288071cc7b62924557cb5fb7e491094ee

SHA256
e27d87c003011fd21cae5c094cac563c319c5bbdaaa05bfcde7695c03b3654d6

SHA512
985b95e3524f8b1a501570e92b9bdc426c3409f1a0ab741628738e4448e7d7a9d03854a4239d38013b3c244963db8fe0a96baebde288896eb71b3cde13abcac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmlw3sfz.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmlw3sfz.cmdline

Filesize
224B

MD5
206eebebc53e21531c2c96a8ab299119

SHA1
eaaa4e6defe287bb9bce85cab1ca249917267bcc

SHA256
4150eb123290d1c44ad91db5f02ee52784702539a7eec92b7f131e0abc8b8a5d

SHA512
3f01e19adeceb414046cdc5a32da536795d2896484799659c9e4a69abd49e4626234289ee99f80cb9d39083f3f79976aa93869c755e0ffcd4018f30f59df3210

Download Submit
C:\Users\Admin\AppData\Local\Temp\e31mopse.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e31mopse.cmdline

Filesize
261B

MD5
e974d1e6da0bf970b35549eafcb4c1ab

SHA1
e50ef7d1a33e3365ae2a8427761d2b7094c2de65

SHA256
88611336a0c0830ef2990d20afb9e6fd9f99ce759fdd8ab75600ca99191c4442

SHA512
9c2f97c707d4af0650c77084e194bdfbffec1941e5fcbeb0afbd5011148b4e2c001744d0a990b5275204c68f9fa46d76968e1be99754c8a83d20f458cdc2f9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\el_rm_tc.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\el_rm_tc.cmdline

Filesize
261B

MD5
e05f30513fea96f216d41109a367fca3

SHA1
32567d88d63d6bf81fffeeccabaff288f09ce0e8

SHA256
75f8365d968b1253de5611e7a56e5113036da26b47d4526d190f2eb7573219c9

SHA512
f06862814c7b2d8449c929929bd54e636ad26af62e69719f8543d29d882e2d2424997e78d47fd3923fb204b0a95f6792d9468231f011c6b1bdb20f9dad41baf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\euuqh3vl.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\euuqh3vl.cmdline

Filesize
224B

MD5
d02e223aec1a3cc27eba8f987337bf55

SHA1
c5c3be487b6a49faf8a464551cb627f5cc681c76

SHA256
c8879f6d94b6e4bccf41c115e3e5ac9519be9736009c9a38496e8b94f111006a

SHA512
037f1622a9703e05dee99615f4f211eb146d588dedf85ef63b101b47e45219e16420b817231444e393a51e58e8798c2e9e907cf14e279f5a2815b30a49d71abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jl9ihwk8.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jl9ihwk8.cmdline

Filesize
267B

MD5
5c86b69e5bfe21d51462dddb89eaafff

SHA1
34e0be2d23ad383138176979026d817cf340e87c

SHA256
12b39b0ce659c88a7152e76a5857a7636b421b0e085a8cea92bc27e4307ccf77

SHA512
f4a78c3bae47a097dc859a1b931def1231bb4f15eedd1f3380169f66e81ace70a6cd91abde62c8b90d3630c46eecb59910063c2dcd582f96697a2b17f3bf17aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
32B

MD5
e0acfe2c555c8addd7c51d8f55a5716d

SHA1
c4eed48bb5516e577736876f61c6b3801533efd2

SHA256
8e8f68c9769dd2172df86d3b1b45f0477c75f3020d70a4c9c9f84a7b044e1f8c

SHA512
c2a7449e10ff80bd6a158bb87483cf1ed3e68fd8e3582b2f40f04796a314759515531dd6efd3668256b3a1cbf7731ffb105f9a4d98b77f1da79563b142111782

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc672726DF5DA54BB2BF71ED98F32296E0.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6CF19E79E2F24FBE9EF9756E64768CD.TMP

Filesize
5KB

MD5
249d49f34404bfbe7ed958880be39f61

SHA1
51ec83fb9190df984bf73f2c5cd1edc0edf1882a

SHA256
fcb5a4d24f24fbeaf4dc9d8e29f2701b2bb71411acb13c4fa67fe7025892912b

SHA512
082f47f59b9184dd6c88f64214e10b82656a09c5a5cf3f0eccbf7935505db473eeb9a395cb5b59ec5009e731f2aa1891670c94ff6315a0b2d4fcc0392cff0e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc702A13E4A3AF473C98436DE2602448AC.TMP

Filesize
5KB

MD5
5fb831248c686023c8b35fa6aa5f199c

SHA1
39760507c72d11c33351b306e40decaad7eb2757

SHA256
d062acbeea69acb031b014cff19bed988cf9df34c230ee23d494457461b41908

SHA512
2244f84bff19e1f43a245569d03712ab62a9655bc6f3eb4ae78ca3472ddfc6ad7950dc76d10cdc1c7b2235a9045582554c200e93c3cd34c18e494ed60dd3b3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8E2FDA6C8F03436EBCEB13B011F821E4.TMP

Filesize
5KB

MD5
2f824fea57844a415b42a3a0551e5a5a

SHA1
0e0a792d5707c1d2e3194c59b9ed0b3db5ce9da4

SHA256
803a596fd573096225dd07568b8b459d2fbbfce03fa60ca69d05d7d92b64c5ee

SHA512
7ec7ea88364f2e18747192ac2913f326a6ebb19c64be4ae9fc4f811d31deb5dc3b0b83d46814ddb836b36ac57e70c9b63be0cc4c84e6e958acf2512c57877008

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F4D8DBF40D84B14803791DB4475A050.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBA70DA6C941E4CFF8EE73E567CF12CB5.TMP

Filesize
5KB

MD5
2f97904377030e246bb29672a31d9284

SHA1
b6d7146677a932a0bd1f666c7a1f98f5483ce1f9

SHA256
7e033003d0713f544de1f18b88b1f5a7a284a13083eb89e7ce1fe817c9bb159f

SHA512
ddf2c3a3ec60bed63e9f70a4a5969b1647b1061c6ff59d3b863771c8185904d3937d1f8227f0e87572329060300096a481d61e8dc3207df6fe0568da37289f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF9D8A8B985A4FB792B81A51D3D499F.TMP

Filesize
5KB

MD5
d01de1982af437cbba3924f404c7b440

SHA1
ccbd4d8726966ec77be4dbe1271f7445d4f9b0ce

SHA256
518d9922618db6eea409cee46b85252f0d060b45c2f896cb82eeca22eb715598

SHA512
a219cd3df17bcf16cb57bdeea804e206a60be50084e2cb99d6d5e77d88957d79535d110b34735a4b549d3fcae528cdff8bfa5286582028ef22e8b4d60e146878

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeu_zlaj.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeu_zlaj.cmdline

Filesize
253B

MD5
d4aeda489e7aa545c4622cb8fcaf4143

SHA1
21dc4b2cd826096691646385db9d31ceccf05f5b

SHA256
5b6dedf4482f5d1ff4c8957720fd110e08598c62028589c6c5ffcc2a25ab08e7

SHA512
f31bf51b5134d87d303ce8627041245f9106b2da2cc254b6d6fabc5faaa0beb1832d66d859f7017dae4c2576ee47ebc1a8ccdf557676c5933dd22e6ae6af387c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9f79b9c0eb248935c77c363c36ccce6b

SHA1
e80a41f7691fcaf8e38e546b85e832dc902135bf

SHA256
665ea406eeeea86901e7af1c366fffa8425c92241d929422d74a4101ea72dcf0

SHA512
42e53176638efe5b824641e4225a454d71473845a3d013335fe1f319d544537bc69034e76e7f497eeb0a61a8e5d8980322ef91d99fca45197af6c4fd62de4ef3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6aaf0cf4f510bcf2872f822eafd62216

SHA1
040b0277ee5c7674cf82034691b7e32b24b243aa

SHA256
d06f7f6863c934492ea157d206795c86726b0dee3b545fd3e2a3ef8decb633fe

SHA512
923b18e5477937a93e06a768defcbb0231de1e3d21b55d9ea5dda7a55097b81c13cff94afbd01063cf7848bbf282a8427e50f1bd818e55bb2408e89fdc14076a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 834953.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
memory/2424-277-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-283-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-281-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-280-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-279-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-278-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-271-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-273-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-272-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2424-282-0x00000198FA230000-0x00000198FA231000-memory.dmp

Filesize
4KB

Download
memory/2848-247-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4164-252-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4592-243-0x000000001BDC0000-0x000000001BE66000-memory.dmp

Filesize
664KB

Download
memory/4592-242-0x000000001B840000-0x000000001BD0E000-memory.dmp

Filesize
4.8MB

Download
memory/4592-244-0x000000001BF30000-0x000000001BF92000-memory.dmp

Filesize
392KB

Download