crimsonrat | hxxp://roblox[.]com

Resubmissions

31-01-2025 14:27

250131-rsfnfsznhk 10

31-01-2025 14:21

31-01-2025 14:14

31-01-2025 14:10

31-01-2025 11:31

Analysis

max time kernel
373s
max time network
374s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-01-2025 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

10^/10

crimsonrat revengerat warzonerat guest credential_access defense_evasion discovery infostealer persistence privilege_escalation rat rezer0 spyware stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

warzonerat

168.61.222.215:5400

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000002a490-786.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/3188-982-0x0000000005BF0000-0x0000000005C18000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001b00000002ac39-523.dat	revengerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/932-989-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat
behavioral1/memory/932-990-0x0000000000400000-0x0000000000553000-memory.dmp	warzonerat

Downloads MZ/PE file 14 IoCs

flow	pid	Process
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe
103	2652	msedge.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
404	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe

Executes dropped EXE 20 IoCs

pid	Process
3668	RevengeRAT.exe
2156	CrimsonRAT.exe
3196	dlrarhsiva.exe
564	VanToM-Rat.bat
3188	WarzoneRAT.exe
4256	Server.exe
872	svchost.exe
2404	ColorBug.exe
540	FlashKiller.exe
4652	FreeYoutubeDownloader.exe
4048	Free YouTube Downloader.exe
3696	svchost.exe
1732	svchost.exe
3420	Nostart.exe
2248	FlashKiller.exe
2928	Box.exe
3944	svchost.exe
3244	Microsoft Edge.exe
3572	svchost.exe
2520	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
90	0.tcp.ngrok.io
103	raw.githubusercontent.com
640	0.tcp.ngrok.io
79	0.tcp.ngrok.io
89	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 2368	3668	RevengeRAT.exe	106
PID 2368 set thread context of 4712	2368	RegSvcs.exe	107
PID 3188 set thread context of 932	3188	WarzoneRAT.exe	189
PID 872 set thread context of 3560	872	svchost.exe	192
PID 3560 set thread context of 580	3560	RegSvcs.exe	193
PID 3696 set thread context of 4892	3696	svchost.exe	272
PID 4892 set thread context of 3124	4892	RegSvcs.exe	273
PID 1732 set thread context of 3556	1732	svchost.exe	295
PID 3556 set thread context of 4632	3556	RegSvcs.exe	296
PID 3944 set thread context of 648	3944	svchost.exe	318
PID 648 set thread context of 3200	648	RegSvcs.exe	319
PID 3572 set thread context of 5036	3572	svchost.exe	331
PID 5036 set thread context of 1428	5036	RegSvcs.exe	332
PID 2520 set thread context of 4544	2520	svchost.exe	347
PID 4544 set thread context of 720	4544	RegSvcs.exe	348

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000025b8f-1511.dat	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
404	540	WerFault.exe	203
4140	2248	WerFault.exe	306

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nostart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FlashKiller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
128	taskkill.exe

Modifies Control Panel 21 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\Hilight = "249 157 31"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\HilightText = "243 82 22"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\GrayText = "19 236 228"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\Scrollbar = "195 116 128"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\Background = "89 99 195"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\Window = "149 50 249"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\WindowFrame = "77 202 221"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\ActiveBorder = "147 113 169"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\ButtonText = "220 20 238"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\InactiveBorder = "230 176 37"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\ButtonShadow = "48 209 175"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\InactiveTitleText = "207 118 91"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\MenuText = "132 57 103"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\WindowText = "173 28 223"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\AppWorkspace = "8 157 143"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\ActiveTitle = "91 13 140"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\InactiveTitle = "250 172 245"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\Menu = "209 195 157"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\TitleText = "35 64 219"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Colors\ButtonFace = "13 211 229"	ColorBug.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 32 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 898678.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 247661.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:SmartScreen:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA	WarzoneRAT.exe
File opened for modification	C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 66036.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 686514.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 480776.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 380358.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 808360.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 510487.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 235166.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 839697.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 705810.crdownload:SmartScreen	msedge.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 693312.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 20832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 433227.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 194932.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 540931.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1848	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
3380	msedge.exe
3380	msedge.exe
3576	identity_helper.exe
3576	identity_helper.exe
3084	msedge.exe
3084	msedge.exe
3556	msedge.exe
3556	msedge.exe
4716	msedge.exe
4716	msedge.exe
2404	msedge.exe
2404	msedge.exe
3196	msedge.exe
3196	msedge.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
3188	WarzoneRAT.exe
2524	msedge.exe
2524	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
5000	msedge.exe
5000	msedge.exe
2900	msedge.exe
2900	msedge.exe
2176	msedge.exe
2176	msedge.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe
4256	Server.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4256	Server.exe
3560	RegSvcs.exe
3380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	RevengeRAT.exe
Token: SeDebugPrivilege	2368	RegSvcs.exe
Token: SeDebugPrivilege	3188	WarzoneRAT.exe
Token: SeDebugPrivilege	872	svchost.exe
Token: SeDebugPrivilege	3560	RegSvcs.exe
Token: SeDebugPrivilege	128	taskkill.exe
Token: SeDebugPrivilege	4256	Server.exe
Token: SeDebugPrivilege	3696	svchost.exe
Token: SeDebugPrivilege	4892	RegSvcs.exe
Token: SeDebugPrivilege	1732	svchost.exe
Token: SeDebugPrivilege	3556	RegSvcs.exe
Token: SeDebugPrivilege	3944	svchost.exe
Token: SeDebugPrivilege	648	RegSvcs.exe
Token: SeDebugPrivilege	3572	svchost.exe
Token: SeDebugPrivilege	5036	RegSvcs.exe
Token: SeDebugPrivilege	2520	svchost.exe
Token: SeDebugPrivilege	4544	RegSvcs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
4048	Free YouTube Downloader.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
3380	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe
2960	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
564	VanToM-Rat.bat
4256	Server.exe
4652	FreeYoutubeDownloader.exe
4660	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3260	3380	msedge.exe	77
PID 3380 wrote to memory of 3260	3380	msedge.exe	77
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 1116	3380	msedge.exe	78
PID 3380 wrote to memory of 2652	3380	msedge.exe	79
PID 3380 wrote to memory of 2652	3380	msedge.exe	79
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80
PID 3380 wrote to memory of 2472	3380	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacf983cb8,0x7ffacf983cc8,0x7ffacf983cd8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lqr49mk5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4120
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC723.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A50AAE667F84554B2A4C7A370D9C835.TMP"
        5⤵
        
        PID:652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vrn2hjhz.cmdline"
      4⤵
      PID:1036
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF31AEC5642B841FA8B8C48E3803DC55C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euuo_bqw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3432
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC86C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3F1131668A645C380B8119167A81850.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mbtv6ltm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4816
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA303B4E05FF44AE1AFD634F2844B171.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v7b0e-84.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3440
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99483156B0F94EC2AFDDBC1CAB45A255.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aivu6buu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C27BA36B7194A7583FDA5C83504A84.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pl1vxqqr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD48F9CBB33B44F98BA4585138BCFAFD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7vaenyq_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3219883C59104CAB8A8C27DFB97D6C3.TMP"
        5⤵
        
        PID:2072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zfsjihdj.cmdline"
      4⤵
      PID:2772
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8E448ABE38048939F5DC81EB0B91619.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\joye-ruk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:564
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEA024E32D7A434EAFCA7416D83C654B.TMP"
        5⤵
        
        PID:3432
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c2wllkwp.cmdline"
      4⤵
      PID:2728
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEE4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7BC5EB8FC0AE4297B5F5DB7D3D38524.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9hzhhhc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF9F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc363F7A1BA554774857CAD4EDF3C223.TMP"
        5⤵
        
        PID:2692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ioqprhpk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD05B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6ED66256954B4021B85F3174485765C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yrj3vsw1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3472
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD116.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FCF97D6ED7241A8B03C6D8C61B8AD6B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zyngu-nc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4068
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50B6A79420E44CC4878EAA515C8955E2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1zllkscg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:472
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD25E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1BBEB629C7240009E38CBE4FAF874.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owcurk2n.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD32A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc857067E83D0548A794428742FB2C143D.TMP"
        5⤵
        
        PID:436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2bsl3tpq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5076
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67B812953335458091B436DBE15FCCF.TMP"
        5⤵
        
        PID:928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gyz4cqqd.cmdline"
      4⤵
      PID:408
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD472.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc38F32724AFE4F359AFBAF48CB0ED3C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mojgo1fa.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE4CBE6A4FA843CC8F455F82D94143C9.TMP"
        5⤵
        
        PID:2932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mtory4d3.cmdline"
      4⤵
      PID:3444
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD58B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95DBDC7B53E644449736FCA8D7D842DA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:872
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        NTFS ADS
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:580
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\asoxdqb4.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB416F5F9E847450BACDD12353E495BC.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-qboetlt.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8469.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB1B1C6884E24564B0E1686CE5FFF467.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s_9dfszp.cmdline"
        6⤵
        
        PID:232
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8505.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30FE0B6B717B4C67BD648CD4635D72A.TMP"
        7⤵
        
        PID:2864
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8ot7ndw.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc969932FFCF784C1D89718EF3A8F270D7.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lcao0jov.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES861E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC54C85057257432AABF66FC5378EAF3.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:700
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_86jv8y.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc874D77BFD3694B66B43AD6D97FC6EEC2.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gct40kki.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8776.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc636037F4B28A45F6AC41759BAC5865A3.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7lbkds9i.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8812.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9FB090F5193A42A081C8CC487E4F123F.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhxutg-b.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES888F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF638939F8C472C81A4D95957A386B0.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_j8necmj.cmdline"
        6⤵
        
        PID:4008
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES890C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc797C42442FB84144927AD78E8EC0D046.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:2156
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3196
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:564
- - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
    "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4256
- C:\Users\Admin\Downloads\WarzoneRAT.exe
  "C:\Users\Admin\Downloads\WarzoneRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDD8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Users\Admin\Downloads\ColorBug.exe
  "C:\Users\Admin\Downloads\ColorBug.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7436 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Users\Admin\Downloads\FlashKiller.exe
  "C:\Users\Admin\Downloads\FlashKiller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 252
    3⤵
    - Program crash
    PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
  "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4652
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:4048
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "
  2⤵
  PID:2556
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:2680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4944
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:5092
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:1788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:4940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:128
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:3644
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:4932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:4484
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:404
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:1212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
    3⤵
    PID:1108
- - C:\Windows\system32\find.exe
    find /I "L0Lz"
    3⤵
    PID:3964
- - C:\Windows\system32\xcopy.exe
    XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    3⤵
    - Drops startup file
    PID:700
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:2912
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:2108
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:4932
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:2748
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:1932
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:5064
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:4100
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:4800
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7748 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7752 /prefetch:8
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1144 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1268 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,2375148527472099181,9716036919410791066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 540 -ip 540
1⤵
PID:704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3696
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3124

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1732
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2596

C:\Users\Admin\Downloads\Nostart.exe
"C:\Users\Admin\Downloads\Nostart.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3420

C:\Users\Admin\Downloads\FlashKiller.exe
"C:\Users\Admin\Downloads\FlashKiller.exe"
1⤵
- Executes dropped EXE
PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 216
  2⤵
  - Program crash
  PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2248 -ip 2248
1⤵
PID:3572

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3200

C:\Users\Admin\AppData\Roaming\Random\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Random\Microsoft Edge.exe"
1⤵
- Executes dropped EXE
PID:3244
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffacf983cb8,0x7ffacf983cc8,0x7ffacf983cd8
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
    3⤵
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
    3⤵
    PID:2912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    3⤵
    PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,13027473528198157279,17546980611007691915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:336

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc285b8e46347cefbadd495fb6305ddd

SHA1
a793e816d21648f4630785dd7bc99c81164b0e31

SHA256
988559ebd23a7c91d89ad477aea5d28a7c36743cf41cf420262e96a48fc18c2a

SHA512
eda1f44aeea0dcd8082dbb84798d589941fe068804d2af062740962e64868841c05a774be97bb2449f738f422cca245cbc46ac957f07e6486adf7a902912cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7885de98d30321ad7d8cff1e573214fe

SHA1
1443025d023faaaa73b646b9064ed261cbc59126

SHA256
512ace5ecbbca8b0d3ac8a8d7ab05ed6cd163f95e75cf2fe4fb79c3c0420c7c7

SHA512
e2c8c9c97246e1ad7888a52db337eb95289b4b0c9cefc9000facb692d83672853648563780e2a0e26019fc691d3583060b5e1eca4bed735b6a181b68b44b5c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
21KB

MD5
6ff1a4dbde24234c02a746915c7d8b8d

SHA1
3a97be8e446af5cac8b5eaccd2f238d5173b3cb3

SHA256
2faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311

SHA512
f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2c26767e8f66e6ca4451e7b63cf89394

SHA1
2fdfe3f9469303952cd231d19b8f1d5ddf7d02c4

SHA256
c49bdfa1bf1cb13fa734d21758c9e6a5b12e9663bc176fff4e1b1c54e551d59f

SHA512
c8000521632143781a892f3eace2c7c101721b4d9a02e6f18d265b22b666d24d3a3850c83f97d3f6a06374027745bb47f93431131b96afe343173a828e15d21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a26baf0d3152ce115ca9706d7dff9585

SHA1
8075a7a7f95fa30bc3737afac3c8cd23a67200c2

SHA256
255a6eea22da603a21c222b5ffe9ecc94191a37f3b7121d9f06407f410dacfea

SHA512
7091c59a363c25e93f58ac62c39cfb6f076ec864326126ef151bcdd6747f2e6c2ab6ca730e91e46cc6207f849b2aafe06d4ab0cd32d3dc7b48338ce689b136f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
35cb1072db8815620daa3217a124bb44

SHA1
256110eab4a494b135de27e2afbc4d243e177da1

SHA256
354d7fbbea5fda770f88e574e7898dd5dd612667667569093883126d59c0b88d

SHA512
4f932d0dfb41b366705d82b828693985591096c5325c6087aa1fc46b06ed926309403d03765b8182d8a625207ed228130cf49bc1fef22f36a81e26f30a0686f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1018B

MD5
95b63cbecad1b05fa5096d10dee2f44e

SHA1
b1d66f3eb2ba2040b8d65ffdcd9219cb2bcbf304

SHA256
f7aaab04210624b93629463b8ef79180d9abfa964af0da617f977ed37b607de9

SHA512
2c1417bd10ee47bd2a09900d6a5da86956183ee318dd3f4267f08f17aad08a9318c0bf972e588b68b238bca4704e28653b85d757b2daf7f8d3313d1ffe00fa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1018B

MD5
111a142778ffb0d7566edb483349239d

SHA1
83ed79eeb8ea2ad758e75e8d2a11c2af2547d957

SHA256
48d345f16472a1c4bea1dcf8ee45210b6eba270841f4a3f31f7dc8458eb05eb7

SHA512
1a1055ad7d118586aba4e25ce6f7b6882fc309b38b15e7026d079ee79c81f108d603d23be0309a06747521cf76a9b5de4470f39b4f922c4d259b8b776c7b80dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1018B

MD5
8101c342ad90b635aa28a71cd0c148a0

SHA1
8eb9fd42a468450f668fb02bba19d84728b7bb82

SHA256
4154312dd0fde83ed7ea0851074cac802576b47d62e300ec71db9d7b22d6f0fa

SHA512
9c049654312137a04d47315ec68609844564f724c3f6d27d47fad81d8a5a9fa7fe4d3ffa1acfbc8488cae59966e9cc8927d29fb629bbf3fa65d2630547a42ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e9ab4645b72336a92106cb54c1750ae

SHA1
7457a16a8204344299a6239931db494a7c574e9e

SHA256
ccaf5c73dd70359fbae9267e747e9df3009a085e272f0b34a918a44e048e66ce

SHA512
effc5a52daf2c93f2718687ad0b736bd6b6bfd1bacc325ce20adda9263f13d518a3a391921d597a03da8feda63d50bad9cf647be093512da88df1a21d7f23341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ec7e4dee9e13c6af45200104d1bdd99

SHA1
20ddba19ecd640bce030fec78e8ee9c95718ef8d

SHA256
0ef42fe90bb52d2dd143c4b54329f826caa1317ba8d643bd2ba0264f7ac4084a

SHA512
1daa930e3ee787e1913f905a890f61989a8c582e2acf6c8485ea61241cd55be5d2f27f08b18ec2c17b24a742ad30f919c0b1f204761244b53b8104f18e87a7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1c9bdaa07c70241675550a0c76d43c78

SHA1
2f347c350789ea461e085fb6bce26ef571d41909

SHA256
30ed8e4c1afaa73c0002e750263662e38f2b21adae42a55932b99f02d2487a21

SHA512
3f987f561851711796a2d4d0a9aec586fa83607901f30070a05eb166dd31ca21901ed84447e014bd398da22a90be0a23591c868722cd30357c883fc935d66f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
958f35979ad661fc7518904d60ac9df5

SHA1
1a7dc74a5e84cdb201347196002de056f50702be

SHA256
76b8e8dd8377a9348a5c8e8e450b03fb63f17b7c18d9290c4a8cef6e0defe8f9

SHA512
eef0ef25194b06e689fc6c71c7b4f08fa6971fbc3963f5aca8b3534faff8293916b4aac167446321e6019c0abb1e5c871ff6ec493592d5f2cb2118c8280138b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
402f24864531f0d9b7e85e09cf30ed40

SHA1
4d014754420f38dce1a1168c54b29aa6ee778778

SHA256
5188df633242ba6a0dab7b69c172f5ef8fabf771b0b229cebddd3848a1cfcaad

SHA512
2653eb22086d02b17430ba35e4f435d764910222e186bad3c3301ff833c57369ecf90eeb2b2331b50d4d9882ba626c7d53dd581eb1aeb9260fd20ad566ac4de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a2fbee080812ce2c472f9cc23d673d1

SHA1
67ba722047a370a888781b87b49eaf40fe99da44

SHA256
ce70befb04f236400aded37fd7e0c81b7d0c1bc6f60d3f282ef6fb3801c90c8b

SHA512
c46fd3a7e33b76517bea884fc2ca8b60c29ab1219b8e855bafa93457dbaac20cb00d6cae05f303e9f766b126918abdc52b14990cdb911617003e36ee0b9ec5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
906e2e85610c7347ece2d3395c4e20b8

SHA1
ebc1dc6d97ea67984f8ee3d6f7c8b98b57c8aec0

SHA256
a17fd3b4bca839c767b1ad11ef30be7277f8e6564a6baf4b33f219813e115b22

SHA512
3b7b01ec5e9ac6eda6b5316c5fdb252eb5bd308b13a9b11eef28b32ddb79cf6e3ed53020542fe72c5241349d9cfb53aaa96fba649d23c08192746059f949abc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b0c3fef1fab9467de2574f68246429d

SHA1
33739b87b8be01b4458027042ac08a7a0c3d9343

SHA256
5eb8915f2f9865962b542f8b1523c5814045bffdaf33b99dc81e244e3a8a1c91

SHA512
b8e7870da2d34e37c7686ea5e36b370aeea7e06196d0284f1d94c9a8ba31438f493cc6d25b14d0651008fca4fe183296508adc4e6062fa730aba2cdb670865c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3db1a029c6fcbaa051cb7fe99c615e62

SHA1
b9b48b9bf0d60da0647f83ff302c69e5a34ed4db

SHA256
f38679d512313abdb486cd2d131429d9177617ae2d6f31e84dea94e19616d61a

SHA512
70d20b3c94cb7e1ebbec8bcbf9f06f8a52d27cc4330ccf99830f0a72f08a41af6bfebad672dd5c61e8825e46e277f86b0c6142228cc14dac15f3f29b470eb2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cf4dbafad234309cd07d146e649f420

SHA1
7edff035345419b5a8f6777ff79da8c4c8734dd0

SHA256
bcca1c7e28881c0d4888fbcad2ad1f1ca2f44129782f0abe23165690100a252a

SHA512
ca812b7bdb14e3e4ca1c2447f05a9cd1746b59a4bd6d804dcde7490552465ad018ddff740450106e1cc7fe1e577e4f7edf2821c354bc73b4a83363b85916d519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6388844a9d6c56dc03958ec63f83b5b4

SHA1
dfc74ae43c820dd59391b9f45864117a0fb4aced

SHA256
d4152a399f207864a0c6e7636f222bc616b461be7c128212dd4183da4deb1c26

SHA512
e591902a5f112e0c89b4deb9b4767f9a4490d1ef084890ed801c9105f1155606aa2630a916a123ba9e4d4d8fa57f13ed013b2d48b9439b38a3b8cf79f69aadb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1e98fb19c6db714f8821298d40c71d69

SHA1
61eac9f1504e0d016f44f6b4857ace39d1be1ec4

SHA256
be84b189f63f776e6a0c9b80ccf87474a5a484bfcb4dd2173a6fb9c16b213f54

SHA512
1adfe7cfa3991c48aea4d8fb3b9414bbebf6d52bc99dd7df6dca48e753548df7b8026884de159f1c25fc2b483263550eb8205def1930b3ec1b010b70a8f6e30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fc01d0b3d05b7c99b27ef1f77dc00373

SHA1
218507faca0ac69e667a2b6987a0442930084287

SHA256
3056b3756ae61e21a1109997d4d7bcb0a564369ae2f41e6a5338fd9aa8c1060f

SHA512
f672de117d9458a99c4030a8cccded092c0ef2b53554f759d21e9753de2ea41b69e1777b00575ec5a55e6cf05afcbdf9f301b76a75c940d4460714208dc5bb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
621a12e9d8e6ad55d000114fd1caae19

SHA1
17cc6120645fe24b2e229db146f2178f63e0f00f

SHA256
88359d39b4debf9b3e2837e0bf9d522af3e908e7eed1228630e81fc8ddfc73c2

SHA512
d3bcf45e887057ddfcf473858fbef6d7a740cbb6eb6656ef0ef21c06a3210822866f398c06be6358cf1f791256ee4b6d043bef9bb1e07691469ad91220abad1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4f4ea90dd70cd900212bb3fc595047bd

SHA1
315de53441a290b8f410f188f425732099d25178

SHA256
d187dba5ab1c506470085555a9b4e28f1c48c4584d938037a75a48e490b868f9

SHA512
d78e41fc54edc699e49059a356ba1b5e221a911d16dc90a7e473550c1539aaac72d779680e72c28d8c316358c78bd1313e5838292a6d5b3f1a3e593c33146953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
89c9b800d09205f7dd4dd1f10cb16559

SHA1
6c2652732870e50bfdf69b0603bf6c6cff92183e

SHA256
0958e6122500778a6c66ff9644464b5d9708afcd6fb12d77a4307c9baab66204

SHA512
98a098833ccfbf39b9a793fb71d8947d6b7a45d60c89988a2d206039e9dfd4d88f851371efd5a41477feb0346510aec9b598c9814e66909ee4d9c0e96df6b059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
89cf7f55c19f91b01a018da082f6be18

SHA1
1bc97dca3932d27157bb925bf1eaa7c4762734d8

SHA256
f5dfecc0d8a399a4b55ff4493ec1ae47aeeaa50d590e17760a8fd93adfff6ffd

SHA512
22b9e59296ceb96aeebfaf6e8969bd9bc4b8e9c01f6fc6bd659a6ebbc9d64793a7984849155c6b3e05ec0aefdddfeb06e4a1587b124731e513b80a8cfb35ae58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e05834b915274fcfccaff8fa503e2a00

SHA1
134b63e1dfe02400bcb762956e462210103dc4d0

SHA256
bf27484fa6434bbc1b11fcc1207f9d8575466c53b8d25936459254c80302e7f8

SHA512
98131875ac1cdcdbf9ef918a110c12199c09dfbef27068f6fc3b8ab141dba67df1f7c31183b56735ec30f7e4a570b4aca0c012252bdf8487aa4b380d2ee03c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fe8b9f9b7f7ff22eb5458c2c89832110

SHA1
657369f213b182d01d8b19e8011afa5b1bca4565

SHA256
573079886792d49c1d5367b67f2e857dd899b95ed74de68795628f5a886dd56e

SHA512
e3b65129c6727dc919c02f5c83120d2ccc7dffb94eb530cb3de6560611d29e6ecfe4db2f4886559d69a2b94210179dbe8e0288f0ef91f45ae577c5a0142809f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e7232daf1c82fed01c37b4a59578750b

SHA1
b0406b782d5e232a7fb5a7742375f8a7f900c747

SHA256
95b3f1bf372d16b318dd3110d15ff09837a4f68afa96eb4ff94edc81dfbbb184

SHA512
b4ba0089a6a18c350aa97cf3ddec83c91a5c83a9b6baa390727e5282033e613fde287502a289028dd4a293a01b93bcab4a85bad2ac0810d115fe39048ba64a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e8703dccaede7d69cb15cdcd66af3204

SHA1
af5b2dc9ef5694ab3c304359c05be5a898d8ac22

SHA256
1c59e3b520d544d008715e629760695d5c893a6942d7c4039ad39b9f82e768d4

SHA512
42dfb24a8e921a79176befb07f5fe18b0392207035a2d5c08e435c73b86a4e7f8ad843304c047992012fc9ba0c58e0312af33466424fe902d20b93b97f67765d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2e6eb51ceb58c4208162ec2907c766d4

SHA1
087b17a1e36f70935f58644008a9bbf5293b90c2

SHA256
c38f1fdd363f3790439802423cb27a61f041bd341215bc9d4cb8f7df0704331c

SHA512
64ea477f86ced839e65d206775c496a627b22ca8bb7d6ba62ee51a56450565ae13f22c6516c9ab1d0d7bc1e53db14701a6e8564a6cd39fccc6db3c57d638df8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d6be205b935f41796b5bf7a6f717d8f2

SHA1
d9782f85a14cceccd49baae10b673d6913f8daf7

SHA256
188ebb008dbfd7078e935776c0e102fa7f35159c5815868020fbd5fd33155266

SHA512
d3c132387c329bfd3a5596f793272176ee34a03c3f565a0a66f7b8710a4cab94bba50b288f11783f40cb3285ba465d887bf47128f107a1b23db28c5c21a20be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de30337eb405ac6d2041fe137c70bd63

SHA1
4bc7badadcb3148d8a467f1a2c5678d4609b67a8

SHA256
ace8877518fd84c3cea75d7c816c0379fb755c42aca21087aa97502802d52746

SHA512
09a409057fc802632dc91276ee20c162f7bfaa9cdb70ffc0311c8114fc582c087cfc46fea5a0fdef9893a7ece8143d98f5081e3b8774188b1f9bf6fc61274d0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fcc98e29147061030f31e0ec6d81d1f9

SHA1
d0109956ced6b14ac5718ce8a6588ee4b36215e8

SHA256
7b1a67c6b9cddd84c820c33043d53e1c65189e7aafd17d1029627b1aba4af266

SHA512
2c247feb18a136243d5805a0cac6a76c411e5b5e4ae076f58df94d52e14d641c25f07aabbacf2e43566a900e79d9157d55664a2a9e7853043ba9b293f1adf0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e645b8fbe2aba21b11e1db41e1e31f61

SHA1
76b3d4bb7a9b620b5b40e9dd20ebc8b2c7ffd76d

SHA256
b8204ed004a38a05861efa16f8eeaa609428726fa5d6db6684155c2cd5051eb4

SHA512
bc544b2a5759dade5d68bd63caaa48156ef178790d8a5af7c412b152d43722ccfc8ef152b15093c7bade8aa13292c62ebb580cc3938885c045aa3111eb17b335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5ae49b259d8f6bdaa0e27f01e41e88ee

SHA1
ea91ba9970205c94573c5eaa3ce227e9f8b93beb

SHA256
93340f445ff126bffd600ab3456c64cd1c7dce50c3fc410bffa0db272dc5d4b7

SHA512
f4fcc89007bef408e882b00088eef3343644753ecb1a25a815924ed74cab24113b1709aa14e0826ded7c8b3ebbba061f92a813c91692d096d317b634ccbbcedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fd9b133d78862d52a89fef89713b2aea

SHA1
dbbf6c6c247be9d2e69cb97dcdee2d4287572583

SHA256
efba23c61ed01306be2c839e8ed82ae2d4a39b56ff3aa2fc1e1b4fedeeea104e

SHA512
b3b80f5566d42bafaa05a8772a7b50875c9ba6e5b59201b5bd506309cc72a0741110c0969835a441917b8bc52564a2974c061e3906a6e54171113cb88773a48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
23f64fbc0fd24490583666e0cdca5f18

SHA1
02dd6f5b302d5ce9f7e701d81c19071351773132

SHA256
ff97ab65cb89329f66a57fc4f7f686a9f71fb8b96509b309c150ad90bbe6c096

SHA512
b8b9e86bf1e1d9c355b41ce7325e95173ca2b261046019975d2871e5bb1881cad7c8863b6fd9f8717581641e007290e74653ba990c2e5062e950ad800ea1eade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6de153e5677f1c93be5a1459cdad72be

SHA1
54c5a61c4be2f6dac78d4c68d70a5c766bd37e11

SHA256
d68638d60cc66abde12d75a9e8e0973de98c20fcd679fc481d9631476888cec3

SHA512
9bd899e57745a3a3c75e7ef34091109e264206f3c10501114cd4fdaa31ab2fd4fafc7dacd99a1f944311dc23064c7ded742171c0017cd7a71ff28d28ba3ddc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d978.TMP

Filesize
1KB

MD5
a5d2e3ee81a56ea8fa0c87585e9bd16d

SHA1
03b689a466097606c34dd1817735212907cb2ec6

SHA256
14f1e0df36a137825170082016c39693cf70acfe7a887e1f0b60a674952cfb30

SHA512
a268d14ab011cefa4fa9dc44d41b901804e4a83c8927987dd63b840d4f37da187b36a8ba43f60fa06fbe79f8471f62ebf294ea00617149988fcff7ca0ec086fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cde8bbf3fbe657147238d6a7826a622d

SHA1
f99e51fcae40a15c1421b74c7780a72da4a05a16

SHA256
531867cb0185506144837869180e2ddd4561a6d8780a0a6df0b31a74a3120c68

SHA512
8b566fec2b16897061a0f3d653e520bcc3450147fa0ea4c5aa72b4d1f01e9296e8691ca00d6a1961c2c494aebddad91eb940147bbe5d9db2be794da496d7c8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e1f51185af33b404ce82075a2baa281

SHA1
9d1a9cafcc301bf83707ee6534a87c92b2e4e168

SHA256
749428e577edb4385b847eb0a8de60bb08087aba9758c6929d80a6da8922d11f

SHA512
3e7412fc84047fc6c185626bbd74a06c8e541a55e12fb43152790d0c4af363c1cdca22b5a8c0422caa20c55ceeffad8d3786e1eeb195c3c270a6dddd8becbe40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50e65fb14e72bacdd97d9f3e0a21f309

SHA1
77a1ee2e19a994d8266501b2e91f269449522ca7

SHA256
e7a14253dbf1028975f1d958481379c52eb9e440f8413216006d7a37448221ab

SHA512
ff9ef2829547644843646072db277bb63288ac0ae854126468a8aaffb85a6c458b2d18aa30c6b87813e038a8bc2ff406a2bbaff225934c5f2a1a794983e51011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
261c0e13a49dc081781ea77d8d58aa78

SHA1
a5c25ed7587041b51c240390b2a69a492b78fff4

SHA256
1b5c3ad1cd9a81ba835480399fb88351675431043c253909576404cb526500a9

SHA512
a4a411a8ce47d41c6bae5556c5ed041624f47060663bc21409e9970e0350edcde026700f256ac3f7c75e2c593ae5a33eee73bfbef04695c04d7563cb693a5b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
902f712b3dff9a8e691c60b9b190b30d

SHA1
d60f1c8e53d6caf591646963d322d712b1763813

SHA256
f675a13de25d49e29ed86e489a7b9cf1aeeae4dccf60efdd7369019fb278a140

SHA512
977716781503c96bbc43b874718a4cfd50664e8da6bc856e587882be2f2670fc6cb7241ccc5dd22340fc9118d8b19b64c4bec7b0db88f513e61c4b80b1a82292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
371771819ca78279ba6a6bf7930bb32a

SHA1
bdeecf506f6d8d1f3b16cbed3261ced7b65cfbe9

SHA256
69584856314270486235123a9d72d48f79bb211d76b1f3f959d11cb26994af96

SHA512
d26eaf0afbf2013c55e790bd1c55a9d0c3bd53e34ee82e1e30bce7b23f4372c4c77fe5057a14ee443f4fab45db7a0662f203b86d6f8ca58cb44f30bb14ad9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98a85772ce2d682920efd2dae04aa175

SHA1
0bd1aa957a15b7d48f11ad7917727ed3a63cc409

SHA256
3d8c0f78a26325edcb5776b79d8cf4318465571f653e8e27f28d964394fdb47a

SHA512
bad9b2a5075c9983ffdfde85f9f630dca7b677658a8b1555f84bb464658f5616836a1113ac49af155f829279ec4ef7e5afd464c6208e042913d6e53a51e85d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d043394120cc2c2c17f80ba3135f2832

SHA1
b7a06a87246c6b33e231ffa5187e63ee40dabfb4

SHA256
747d24fe2fc7897a9334a60ad55464baa0e44ed1c5b33c5ea6f974368bd1845f

SHA512
c697ade6277eb6cb257bf2b46865dd309c3ea0b62fb2720725f89810e1f14918ed4fb1c361810716e1efaee3355b622c2bde469405c0bb3973858d65fea3291d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d10c4f8ed265b4b31166cb782015938

SHA1
a726189c2629aa50e63db7cbdd51d5589a459c41

SHA256
464db76d063452fddd21b23301d82ab01c6b5ca6938b4f9deaaa0629e2d07bea

SHA512
9d04929317c6ce5d15ecb0e587ae4a1ad9ee9c1d045d21716b89e2ed9c7bfd713f5af32da7699013b152bacab25adce8951e26fc9e4396865fe9805d171d574f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b66799d715b113faf28da5aaba5528ef

SHA1
1b20576808d17c24f7abf2c49a7facfbc1480da4

SHA256
bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868

SHA512
93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC723.tmp

Filesize
5KB

MD5
3021640e711157410bb3d3c8f12fa514

SHA1
96746957a1c24bfd4853e590b72cfa86c89f3875

SHA256
df37d3ece378031e8367072e716125b79d34684ec9599cdaa7b1c6355cc156b4

SHA512
59c682904657f30ad75710ad6c35ebc163fff930f09c7668adb13a862dac0b6665fcfed8b70770e6784c8415fa61ca4904a6b7c7807fe83a895f55b93ce1af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7CF.tmp

Filesize
5KB

MD5
edd16e722e30a6cdf9d50acdef417ff6

SHA1
577eba2d129b675e5221bdd8623e9283be4379ba

SHA256
1466e696d427ddb1d3ec9ac77de1490323a2ee0ead24b8cf4c171e983c7cb77c

SHA512
c457d81fe66ac36b6f491ff7d5e2a2d1bea47107fa660e744c60a4c100823319675c070fc612e25146450d024596fb275e02a59f43c9ab033c4788577bacefa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC86C.tmp

Filesize
5KB

MD5
bc2b7bdb61876fa75238e4a01a054cf4

SHA1
e3a43449859c4e51f655f375eccc41efdc5c5896

SHA256
8ecdc84387444e649e37b792249f099cf60790b536e0881353a04ff91cb5c356

SHA512
8c4c9e5b519b2c2d46cf82d77ca0f188050fdb6b948470c7629030c2336e26bdf65a50b7d088d01d0511e11e8e45ad356117b6637446e891d31f1cff9b5b516c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC8E9.tmp

Filesize
5KB

MD5
4c79be3773b34ca78676d06dd2c8cd50

SHA1
b57b91d5edafc6c5cf536117acf70375b8a722ec

SHA256
96236cc7036cb073df088ba951e59de77437f88869c4379c33d2db5277a83d56

SHA512
4ca6657107c28405d610be69fff0a43d4a28832d9991b7c36b722eec4e41bdf2c5f5f18128bd043aee133b9b00fdc9603cea35bfb113ee8a4700eb71293603e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC9A4.tmp

Filesize
5KB

MD5
9ce7ee3ca3b78cc0dc781e771da9207a

SHA1
6617366736ea87647cda3ff33aea531db9102bdb

SHA256
52a24327d71f0f82dd4c0ea4f7424615dea07986448d8a42cddcedd2b6d0a983

SHA512
6ec333208602a567a45ef87ad75f9268a623ed24b1d2f848c612ad4da711c6a1d1406d6c019b31137e4cf3854d7859b108436134c8c8ecfdfd1009b4559e27d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aivu6buu.cmdline

Filesize
267B

MD5
31049807ad75330bf2abf08d7a262c69

SHA1
ce21790a7aec56c95f7307ca557b792487b2926f

SHA256
1d3083d6c1db17b6508c894623bfd102b496ea85227574ef132b5aa093e3969b

SHA512
de594ae813310d90e03b9654fecdf5cf30a5d51692c1b170149c4a005267ca310edef16d3c191a0496a0a96546c26c3753864cb4f64df5a817c99854ed5eab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\euuo_bqw.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\euuo_bqw.cmdline

Filesize
253B

MD5
0ff94c27ae9359c0d4e57ecf7e7450ff

SHA1
bc858de045e4ca8f09abbd11beafed16bbf342cc

SHA256
aafa7c458c7518dff853400fb119ee94774ad90f92d1c9de632b44e01237f703

SHA512
882334d8f9f38b5cb90ea7b2adfc9f16db49203ba8b000979eb6d03d8be0a3e8fcae66805c9e03b1eda44787e0522e9871f9b6acd1287e22817612a2f025b6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqr49mk5.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqr49mk5.cmdline

Filesize
253B

MD5
fafe289bba7143a700093a00d37b9708

SHA1
d8b6104e5aa414a646c41ce1f38610b0ec7e09ca

SHA256
27c09bc50bdf4730ca29497d3782bd3b4ab61f9fc9f3c59106b3fab71c2fae2c

SHA512
3eade68d272ebc54a1b5027e064ae3c3da14558584c8f3adcd3b482f5bacad6aff9444a23867f9e3bbcb334fdb6e127a7225a2bcf676cb9785b0537213f4ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbtv6ltm.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbtv6ltm.cmdline

Filesize
224B

MD5
f0354b008d01c99eedf201546f4ff48f

SHA1
48f66b14388a3310db276c50757d9d5b5865f2ec

SHA256
747884be92f2ccd1befba60261a2fdcb5a07f17905d65c60612fb5d5fc2befda

SHA512
0d84629619b22b257944ae1b221037c4957e34cf974a72464793c4c4a9b53173f1b39009c444769db5e28f17da19f0bf2b9b7df2b73791c638aa008ceafae474

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
39B

MD5
502984a8e7a0925ac8f79ef407382140

SHA1
0e047aa443d2101eb33ac4742720cb528d9d9dba

SHA256
d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c

SHA512
6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7b0e-84.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7b0e-84.cmdline

Filesize
261B

MD5
61b7617be1ba23b585517001a43a7974

SHA1
786039b91cdb44882c010c411acb6fcae956f65d

SHA256
303e4f0e882d9b34090fcc155d7e2b4c3f0095f01740f9d875d5817383144c1a

SHA512
fe8c40fdb05042d82058490cb66950fb6ca7f100c626c0a535fe90edda764086793ffdb91a842e885afca3e529cf2d5c73a84a1bd7ff03a6bda6787574282ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5A50AAE667F84554B2A4C7A370D9C835.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc969932FFCF784C1D89718EF3A8F270D7.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc99483156B0F94EC2AFDDBC1CAB45A255.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9FB090F5193A42A081C8CC487E4F123F.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA303B4E05FF44AE1AFD634F2844B171.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA3F1131668A645C380B8119167A81850.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC54C85057257432AABF66FC5378EAF3.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF31AEC5642B841FA8B8C48E3803DC55C.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrn2hjhz.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrn2hjhz.cmdline

Filesize
224B

MD5
e4b2d3648a475da82991562a1268b88f

SHA1
3dbdd90b2e2b59373b2ee46f547be67769baaecb

SHA256
f6b3a4ed93bd035c8b03788c0396c20d5ab083f9099aae7c9f49444753ba6f2e

SHA512
21c8d0821c53c4570d72ad5dc0849f9685a8de6de423a85ea4a0673730537b5ad71eb10c12da972466d1b5689fc63d6fa8b97656f27ccf5032e8a7119a805dc5

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
262B

MD5
1b95e04dbd98deeabacd15b8cd17d161

SHA1
223280d1efaa506d6910fa8f0e954bf362b2c705

SHA256
76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169

SHA512
e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70

Download Submit
C:\Users\Admin\Downloads\FlashKiller.exe

Filesize
4KB

MD5
331973644859575a72f7b08ba0447f2a

SHA1
869a4f0c48ed46b8fe107c0368d5206bc8b2efb5

SHA256
353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3

SHA512
402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 194932.crdownload

Filesize
26KB

MD5
b6c78677b83c0a5b02f48648a9b8e86d

SHA1
0d90c40d2e9e8c58c1dafb528d6eab45e15fda81

SHA256
706fce69fea67622b03fafb51ece076c1fdd38892318f8cce9f2ec80aabca822

SHA512
302acca8c5dd310f86b65104f7accd290014e38d354e97e4ffafe1702b0a13b90e4823c274b51bcc9285419e69ff7111343ac0a64fd3c8b67c48d7bbd382337b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 20832.crdownload

Filesize
451KB

MD5
4f30003916cc70fca3ce6ec3f0ff1429

SHA1
7a12afdc041a03da58971a0f7637252ace834353

SHA256
746153871f816ece357589b2351818e449b1beecfb21eb75a3305899ce9ae37c

SHA512
e679a0f4b7292aedc9cd3a33cf150312ea0b1d712dd8ae8b719dedf92cc230330862f395e4f8da21c37d55a613d82a07d28b7fe6b5db6009ba8a30396caa5029

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 235166.crdownload

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 247661.crdownload

Filesize
28KB

MD5
8e9d7feb3b955e6def8365fd83007080

SHA1
df7522e270506b1a2c874700a9beeb9d3d233e23

SHA256
94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

SHA512
4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 380358.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 433227.crdownload

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 480776.crdownload

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 510487.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 540931.crdownload

Filesize
222KB

MD5
cf83de40dac03316b96d9e93c3a44b24

SHA1
4503613ca5c214c343a39e5b6bc99dd06b18ca19

SHA256
0fe99882f7fda7dab37ec874bd5998bb07b941cbbe3a01ebb20d5ad5a03719d0

SHA512
c8ce88ab39bf778f0517c86bb19256f5e19a5a9f9babc2e1ddaf75d89d9e03ffb83235200706d334ae4ac3ed7f132de7f912524623dfcc7afd2f7175ab46f66d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 66036.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 686514.crdownload

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705810.crdownload

Filesize
321KB

MD5
600e0dbaefc03f7bf50abb0def3fb465

SHA1
1b5f0ac48e06edc4ed8243be61d71077f770f2b4

SHA256
61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

SHA512
151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 808360.crdownload

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 898678.crdownload

Filesize
233KB

MD5
20fa439e1f64c8234d21c4bc102d25f8

SHA1
ba6fc1d9ba968c8328a567db74ef03eee9da97d8

SHA256
2f10f1384f3513f573a88e1771c740a973a5a304387e23aa4bf310794532fa8e

SHA512
19e9d62a852293ffa99a412ba8fa5dd0336a7753af4975e06cd53c02ee6f0058485160f8f8a64a8bca19d88eb426a4a2785885c02a494f33f2b6e383204a7f39

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\svchost\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\svchost\svchost.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/540-1117-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/564-963-0x000000001ED20000-0x000000001F030000-memory.dmp

Filesize
3.1MB

Download
memory/564-948-0x00000000016B0000-0x00000000016B8000-memory.dmp

Filesize
32KB

Download
memory/564-949-0x000000001CBA0000-0x000000001CBEC000-memory.dmp

Filesize
304KB

Download
memory/564-941-0x000000001C940000-0x000000001C9DC000-memory.dmp

Filesize
624KB

Download
memory/580-1027-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/932-989-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/932-990-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2156-702-0x0000015B9A010000-0x0000015B9A02E000-memory.dmp

Filesize
120KB

Download
memory/2368-553-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2404-1063-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2928-1643-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/2928-1642-0x0000000000240000-0x00000000002B4000-memory.dmp

Filesize
464KB

Download
memory/3188-980-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/3188-979-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/3188-978-0x00000000060E0000-0x0000000006686000-memory.dmp

Filesize
5.6MB

Download
memory/3188-981-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

Filesize
624KB

Download
memory/3188-982-0x0000000005BF0000-0x0000000005C18000-memory.dmp

Filesize
160KB

Download
memory/3188-977-0x0000000000CC0000-0x0000000000D16000-memory.dmp

Filesize
344KB

Download
memory/3196-803-0x0000017457000000-0x0000017457914000-memory.dmp

Filesize
9.1MB

Download
memory/3420-2044-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-2077-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-2190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-2191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-1612-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-551-0x000000001C3C0000-0x000000001C422000-memory.dmp

Filesize
392KB

Download
memory/3668-550-0x000000001B830000-0x000000001B8D6000-memory.dmp

Filesize
664KB

Download
memory/3668-549-0x000000001BE30000-0x000000001C2FE000-memory.dmp

Filesize
4.8MB

Download
memory/4048-1298-0x000001A196440000-0x000001A19646E000-memory.dmp

Filesize
184KB

Download
memory/4652-1297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download