hxxps://www[.]madmodz[.]pro/fortnite-multihack-aim-esp

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.madmodz.pro/fortnite-multihack-aim-esp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\tracing\\taskhostw.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	yt_fontreviewmonitordllrefsvc.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	6004	schtasks.exe	139
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	6004	schtasks.exe	139

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation	Youtube-Viewers-BOT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation	yt_fontreviewmonitordllrefsvc.exe

Executes dropped EXE 3 IoCs

pid	Process
6024	Youtube-Viewers-BOT.exe
2584	yt_fontreviewmonitordllrefsvc.exe
5716	Youtube-Viewers.exe

Loads dropped DLL 2 IoCs

pid	Process
5716	Youtube-Viewers.exe
5716	Youtube-Viewers.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\odt\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\Fonts\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\Fonts\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\tracing\\taskhostw.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\odt\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\tracing\\taskhostw.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\msedge.exe\""	yt_fontreviewmonitordllrefsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\""	yt_fontreviewmonitordllrefsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
6024	Youtube-Viewers-BOT.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\61a52ddc9dd915	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Google\Update\sysmon.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Google\Update\121e5b5079f7c0	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6203df4a6bafc7	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\61a52ddc9dd915	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\61a52ddc9dd915	yt_fontreviewmonitordllrefsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\tracing\ea9f0e6c9e2dcd	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\assembly\GAC_MSIL\eddb19405b7ce1	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\Fonts\msedge.exe	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\Fonts\61a52ddc9dd915	yt_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\tracing\taskhostw.exe	yt_fontreviewmonitordllrefsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4992	schtasks.exe
320	schtasks.exe
4996	schtasks.exe
2356	schtasks.exe
3300	schtasks.exe
4272	schtasks.exe
3644	schtasks.exe
4388	schtasks.exe
3972	schtasks.exe
3252	schtasks.exe
6008	schtasks.exe
1832	schtasks.exe
3404	schtasks.exe
4492	schtasks.exe
2832	schtasks.exe
1740	schtasks.exe
1372	schtasks.exe
2004	schtasks.exe
4444	schtasks.exe
1740	schtasks.exe
2004	schtasks.exe
6008	schtasks.exe
3972	schtasks.exe
3404	schtasks.exe
4028	schtasks.exe
2004	schtasks.exe
1832	schtasks.exe
2364	schtasks.exe
2364	schtasks.exe
1372	schtasks.exe
3252	schtasks.exe
1800	schtasks.exe
2624	schtasks.exe
3972	schtasks.exe
664	schtasks.exe
3828	schtasks.exe
3248	schtasks.exe
3512	schtasks.exe
848	schtasks.exe
2804	schtasks.exe
3964	schtasks.exe
1832	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings	yt_fontreviewmonitordllrefsvc.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2097088205-1470669305-146258644-1000\{8E262D4B-BC30-4132-B685-51A251D588D0}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
4412	msedge.exe
4412	msedge.exe
3452	identity_helper.exe
3452	identity_helper.exe
3124	msedge.exe
3124	msedge.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
3232	7zFM.exe
3232	7zFM.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe
2584	yt_fontreviewmonitordllrefsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3232	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3232	7zFM.exe
Token: 35	3232	7zFM.exe
Token: SeSecurityPrivilege	3232	7zFM.exe
Token: SeDebugPrivilege	2584	yt_fontreviewmonitordllrefsvc.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: 33	3256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3256	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
3232	7zFM.exe
3232	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6024	Youtube-Viewers-BOT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5060	4412	msedge.exe	30
PID 4412 wrote to memory of 5060	4412	msedge.exe	30
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 2044	4412	msedge.exe	87
PID 4412 wrote to memory of 452	4412	msedge.exe	88
PID 4412 wrote to memory of 452	4412	msedge.exe	88
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89
PID 4412 wrote to memory of 4728	4412	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.madmodz.pro/fortnite-multihack-aim-esp
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecd4b46f8,0x7ffecd4b4708,0x7ffecd4b4718
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\YT Livestream Bot v2.4.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3232
- - C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:6024
  - - C:\Users\Admin\AppData\Roaming\yt_fontreviewmonitordllrefsvc.exe
      "C:\Users\Admin\AppData\Roaming\yt_fontreviewmonitordllrefsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2eCd0aPrmk.bat"
        5⤵
        
        PID:1460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe
      "C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9444 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9388 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9436 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=10072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10208 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7420 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9616 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=10224 /prefetch:2
  2⤵
  PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Default\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x348
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3300b8028991d6e234684db7803b66f9

SHA1
96df26150566233e1e0201bf17b4ea896861862e

SHA256
5b7786b5ae4ba62b88bdbd0992a8fd96b37e4c7068e2fd23d0b33acf769d00cc

SHA512
2f2dff4c24d4fd60160f70d544059bf02eca983309ff46bb7a1cb4d7c413e291c1520842e1922be55a4058380cd041cb6b4d9e70cdc5e4e00880fe13472df031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f6a4b84d93993fde98d6553834416b

SHA1
4b4a227af10826f5a2f2e9b232ddb0336b3066f1

SHA256
843a9671b3fab9337d8d600e170f9ac8b200a2faf63b5a8cd16f157bcf73c21d

SHA512
ccfe39c47109dbf71c74ff6950526be7fcd521462f80e69e27388a9757d7f1adebf5f723c46b1631ffe3e2b4aa5829655d556bff8bd7e0f9f87fca46545bfb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4231c341-d0b1-4346-a3ae-d81f4c678944.tmp

Filesize
6KB

MD5
3bb3c94b4758ff81197a2cecf88e50cf

SHA1
c37ad80fdaa5dca985fa8d79d6d66ba197a41c79

SHA256
576cc4aab2c6fe066ff9aefa67c11827292683ea364b8c3e090956b969739ae7

SHA512
060b4f05f998061eb26120e017b90224b74488b9896141c68c2b503d560fa671f6d175a7bd29efe965eefc979df55ad564fad0fff19d4cbd29a40b8443242435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
22KB

MD5
c5ad332aeb7c702c2db2c7b915f9a55c

SHA1
ba7a187d9aebb94d046484d3cbebe7ae15130b26

SHA256
d24ffb7e1667d900d0b1629f33e9fea5cf90a58171e63c182c3722d58e02275d

SHA512
d0ea2446aeeeb5fe419f48f1fcb8c66a1fe094ad345580f3f7282dbb96053fe0d3752c54d1082061e0819ae0df127d848a689fb6fce09f45b7b54ad37fc06e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
bde50bf87f62bc450bdadafb6abee1dc

SHA1
3c90db42799fca821b54c51874f33f397b5d5ffa

SHA256
19a85fb338f02989a1658fe2527bb58672d9792cbc5c5998e7a9385acc092edd

SHA512
0cc64abecbdb96f08f1335afd7399062f9e905126c54c9528265ed52662b6ee7cfd67fb35533617db31f4677f7e28672b905d87e2ac38aa11ec88070c01b2194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9161d089ab7f4a7cee96684da5f27999

SHA1
911408a5b14e66bb48802c96fcc95ff5a19a94ba

SHA256
bfb0e87b1039b1ec8783df8ecae6e552d0e3eeb45d166e0593f8f8f354961bbe

SHA512
50b877f8ec2cd1a2f8fbe5165ee4c9438f43c569a1693a6dad73e7d3ca228cbc934b96651ded1ee894b85b07689b36122533fa398bdb13e27af1967bcd1116c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
e1c8078577cd8e4981cde03daea28bf2

SHA1
dff9b2cf073d7769347e55285836413eeccd9089

SHA256
feb40eb7e048c0ed95f63b720a2302837a12fdeae0d3a83bc0401d8f20b7f0cb

SHA512
6d0f92ec81fbc02c4915473b5ec56428c56fd8ddec91921f570b4e546b1a8bbe05d8df50d0e973e9383e1541e700093814417322684d669eb53ceeb68e9245dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
3445e496bc060686cd6da67464f4e600

SHA1
beb8afa8e84f41d7fb36911a22d6aa7dcc282221

SHA256
5334eede30fe0b26cbfca253bc6d991c834d618fcb680883e3305bb745ac5c30

SHA512
ecd329f84bad33a3698f5b1004b193eb9ef91eff446db5332ea608d2948df026bbc895a4ff9237d6d92ff1cce19406128e4951d5bfefb601fa7c7c44938cc440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c8622172e362a38046ce246205a8d24

SHA1
db5c0d4dfd0d6b46292d23497150518f5fcf3008

SHA256
714c1915813547bd5e9c89c638e0bff84dd2a745d7b563c3032d3c97a162b391

SHA512
8fedff147fdb9ca2c72d88f2e66ec23398aea6de9b19d6453121b5f9b31921a2e3437dab3d655de21d03019fb461bf8a083781b253d963e41cd452c7b14efb42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ef48c19b0f0f5b45d49d94da8ac75918

SHA1
a8e5067cb5a8ca78d1a3aa0feef72216e135b1f6

SHA256
696fee71f2f220bc954027b74a5be1f63aa7a6e470f281139ff944b342698fca

SHA512
cc59146041ac6a9a84d04147432a9a807237076c8536f5f436546a9f1402b3811e3486df0c39182de99955a590571ef95d773cb202e4f50c47142419839b7ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
ca245e47225cb06f056b031044e9f860

SHA1
c3b2ce605ec12e4fb084102ffc5953178c937796

SHA256
ee4bda8b9e17ad2bf690d2700a363253d9696d2d608aa54a7a0c2245e4519b42

SHA512
96b3ce558bfdce49af112b87fd06ba6d92b299577c98fccb8fc5dfb7e7c52e6d91282cc08718e288a08574b2a6291bf2fe8f9d4ca2e285c2400a7366c107bfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
fcde5f434f398ba2b7f2a38bc0671cb3

SHA1
b2b03b74befb6e66388ab09532a943934de83e29

SHA256
0e26cfaf3edb57616ec9d720bbaeaa688b61c7b5b57d93f35279a0d2bbb8931c

SHA512
7b5001d79ccd333b33aee2ac7c14501f8a7089a8e6ec2b5ef42ec57cf144c6258842f9e96ee126710b0243b8bfef548c4eb359b932171403b92c1cf5cdbb4dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
571d72ec6a4d86a50fef30d20b7eac0b

SHA1
5cfe0e6679fb9f086b76f3f432bdb712db3d6f91

SHA256
b2afb7cb45c5c370db97e7b8d7c43d4ddd7cdaf052e335bb2270d86f4d27a837

SHA512
717cff8eb3eaaf5237564c7f2dfa22f5fa6519c02bdefa3937182de7243b0722adaab860d8998b34ded837e851251b9c885c7df91ced6f33739ffaf3f7778491

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index

Filesize
2KB

MD5
df3a649981c32ae767b0d870ca7e2e11

SHA1
eb1f694e8401cd03b8cbeaa5bcbcdbd7e150d82d

SHA256
131278263d4ba44481f74efd26bc8ef76f9c69cef5afa7c66ea6d1c3bcdd987f

SHA512
aef838c3d7ca3cefcf9bf8fed6f47e32421b4916d92aace6023cb690a058be518acb212d97a155ea1f01cdfc15931c7f830d6dd466848e7afa695c27d8185e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index

Filesize
3KB

MD5
eaf1206d67c15681d303131889a78a84

SHA1
75796c5a856e9c2157f2983cf1d30a41d9d74787

SHA256
78d67ee17b50d2d3e3696879a7d1665f4326e4699122b8a313458fd7ffb6722a

SHA512
2dfeca23d263c4f8f0b94b14e53f2a57e4ea4626a0943617e40b50ac881641d4a1f347d4d1f711e1180c84d636bca013d8207357c6726329456082812fef1215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index~RFe58f817.TMP

Filesize
48B

MD5
79000cb115b0ee6a2a78e8bbe1a7f722

SHA1
82fb6b217a88a254df05e5cfacd8a5c684090248

SHA256
cdcdf24378b6c5f3939f8cd061b424064b32075d97db267d8ac980f764893997

SHA512
119b8a503dbe7dd45e197bd8dbda72b99d63d606cc086d252cc6485f1c5baa94a69f4f09b89e53232533185e51bd0a6e934c59d38293ee4ec9f87657b2a6813f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
e84629016ea526b97be03c9154463dfe

SHA1
5fabf675b443e95fc657e13a99dff03e8c70abb3

SHA256
bea75f25fdb54ee566303bb7298aaa7508fe8d975b49d7da2025faeb2b7c776d

SHA512
a0efafcf6ebe8d8f994679c1eb983c9367f5b811604d4e999fa873e37aa1190eda5cc249ba987340cebe3acceba244346185cd4c7bc840f1ba598c8b7a16dcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
761369aa970a7a129f7f5caea5f35f23

SHA1
ad9e0dc1d5a90bbe13522c23dd3b29e8b40d52d2

SHA256
ac76da89cfffe106b60b91ee889617394769b58a82f8b33729aed72ee03a7c89

SHA512
449e35d78f0f1a6094f89c628334485a596e7296a99becb61309a8f6fe6ad45901a15194d2b4d7cd6b5747a244566f1dc99079ab779fce992099a8b1a9b60427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0a999d9ee2e8f049f55cafbe8a22c0e2

SHA1
15ec3be9659b088b8092b2675ae5368011fcfd2e

SHA256
b7d29bda3acb9afba9b4950e15ca8c677f50bf6df35f2187b5626bede6e1f819

SHA512
8821dbea7b1708e4e48f233232649ec245d1bf842de5f009bad4c49e39bd9fd3a801aa7bdc76ee0561fd5b26597f4fba9133f5854a9dd1baab87fa6e0dd36257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
dd6e51b6bcc7387d4058e9355f6d5dcb

SHA1
5390d64b6a9d7967655e44b2ec22fc8e6c8df84f

SHA256
761e4bb090e488aa66b16d68fd61d360c3a90afed354c2de60b3b5df6d5e8fa5

SHA512
6d16736962b2e63d22bee3fc80082921a0029f76c94c8a10e541b9e1bae11bcd60f4597f9d64cb1f54817918fff0f4d3a78c01073582bf3728ea173ad14b5499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589640.TMP

Filesize
89B

MD5
f5ea821b566ec6eeecbe166c6d7671e0

SHA1
c99c19fb003a1c3e2c73a510f38c5473710372bb

SHA256
ae05fe7c448f0d1a38222e3e34566aa71b6482dd77a0c8bca56bc29d8975e252

SHA512
18a8ae5f2387283e9cf7c5b238f5371a0283109acb1a79132a0889a2e43895f845e9e577093190568b9d3f7e9b04b1ee154608e73fe46c0c80dcd59766c93aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d262af82403056e1f4b14c6e67b16316

SHA1
002d308db4289ed316309cc16d21d34160375194

SHA256
b16bd35f888905db382366cb7327213c68a782c9951bc48dbf198294ab8ccf74

SHA512
40061eb30537cbbdc823591beb7762b521ca964d92bb5ecc74ade47d483da16175ae3d13e355b855c8547701f79591f9f8847e942c75f372291946dc46d402e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e6b2.TMP

Filesize
48B

MD5
ff292d57575779525ff34470ae502083

SHA1
4c5cb7a8e6a4c1a8cba7c93715bb8ac89559bf86

SHA256
2ea79c6d8c96c881705744552bda04bd9ccef04b32dccaaa8d5a0ce575e78759

SHA512
36341e0c294e11fe1f26ddd264ad25f4f5ff5d35d605e378005df5f96c1bbdfaabe67ad455247ea7d54e0397bd96dacd0091e8c6d3cc0ded14ec4971c376cfa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
fab0b8d9ea5961fdc856a04617f76034

SHA1
85fb85e142689a78e29f526bd79633a42de3f7d6

SHA256
7310a642db349f38f071c2a8b168a33f52a02069102ec602bfe631bedff1c996

SHA512
340744b65b92db69806c096a0f6dde52254fb73186c63a9c6256ea2fbed4aa36eb1000142a30937c62e5bea1a36b2fd53771476e4e73c6511b0dcc0b2e0185eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f08b4d25780f9d814b15b83b252882fb

SHA1
f2c56465ab3640cc8785dd0f38c13e460e183498

SHA256
1c54e5a85c5ab294729dcf0459964578fa23f4f7fa06a0df8b7f43dc4c3226f6

SHA512
759412473d2b87298964483d5277481d42136a2efe1d067b24745f36b982ca59aff0e8f239328c60a8e736a28dcbff3cdedbab0d8301431b8507de9763d5049d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
fd4e532a3aa9c9e402d679cba11eb085

SHA1
783bad58abfecf9566dffa14a7f917c99ba7194e

SHA256
29e3868eba5a26342dd554a21260555a226c97d5f48c74921546328b40d6012d

SHA512
28a4524d8651db5ad3841e458e1b8c9d7743cb5a2e78791bef7595f1a9278b8e22ca93657737e97d2275acd70c0c6ee3bd54f363a70b924274ccfffadb3b35ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f6d64cb63212523b62c482a80d77e11b

SHA1
2e1cae498e16546dadde73958e0108fb88a04694

SHA256
6db4e7a45af4072b3c09cab5eb1bdc402970e58798e94f71f8b13b076dae18c3

SHA512
98948eb76e4d1d59aeebbbed11348c234442d3892c5b1e540d6df0553580d58e45505a0c4a315fbd2b9f1a154d61f6e3a38e9fe325c3aa9e31f7075db335b07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29b53744de8608c6198b802f25f5da98

SHA1
0b291b3de9a3e2044e95ebf36bf06360c590e2e3

SHA256
fd142bda645ecd907e6b1f5a510a07c31f89004593845b1cb1f5be164c3651eb

SHA512
84f6de161fb6d0b2dab1717f70ac6efaf4ebf0c15720087b505c28fbbf3edeaf12df210da96d87cf41dce6779bb2ef999b7091b2f8bd6bae9d8c56d5d390ce32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0eb03ed6548faafbc02cf6f7288dff38

SHA1
21c4c7e3abb4d53e1271d82941f25a65f2ac46f9

SHA256
38ffdf8dba38f33554b3c90272ffeee78263507834e124566b433f802087a5a2

SHA512
4b541832a16f697f885b1fdd0a9e4dd501b5422efda03a58f068fb7833d506df7554368964808969e223c3b3de17663054fed783d64fd8ebad5c9badaef6093e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3a60a96177714330eb9456dfde15d9c7

SHA1
c8b2e7d6674afaa9135a20b955356a95c3d1f145

SHA256
32cb55047a5d56ed5c6067f13eb58bcac847307369d08b3f7866158b71d3fd17

SHA512
05762d5b39a02286b4413bf38be101434deb80771512f658c031b429190dc7b882136bf0d6804fb7890226d589f5d9fd62ad77e261166897955cd619a0fca76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b6ad.TMP

Filesize
202B

MD5
c6bf79e01b9ed896fbdbab84ef5c31fd

SHA1
f8dc15ad6b1611c10575aa178c5cea642a342be1

SHA256
a686cb1f706ce09640897ed90c8cc90580d2efa539f224192278927900f52f3c

SHA512
702e375a9803e3f0b8509c1201715c6d206dc8a3b2db96538937812f109b32257a979b275581496be0d042e0265813633be585af666c7229f3c0a4d99ac1dbad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0953bc4244adb98365b88b218fd9f211

SHA1
34d6df10ca671e08fba2dd4ceac16ec6c4233dcf

SHA256
82b52236885f9d533e9c138168ab9281e6594abb21ded21b6e39d85897526b1a

SHA512
c48025487b8a188ff6fe610d54bf4c445367285d4fcba0c4e9278710973492b190bc1bf931a464fa917955adb8f057f1d10a406f3891fe4459490dcee4546351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
475677e6de0211acfef94da1e76e9ba8

SHA1
949eea2264e465fac56c0c975203d0f88df3e0d3

SHA256
a1c98d29db9442980e06c0ccc71469c19ad1cddcf75c57085aeefabfe20f11ce

SHA512
7d76161e41ccacee4b4b2caae018a14f9f2d2bf6438aef687cc67abb6e1588f3621c1fccf5f90d1a0b1f491de84a27089910f07d7dff66f28acde984d462463a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a9adad1bf436763fcdd145c72cd669b

SHA1
9825aac8643bf268957c9d8413b3d4101ca2bc30

SHA256
b86c462bdd13be40c665d6bd5a98dc9c4cb2a569b706731a7659a8beb6fc3eff

SHA512
a98e9487af8f5d9cc5e5259cbf2308600a96ee09b4ca18d9a0d97ce4bb88e0abcef6e457db0de1d8fc6f02d891018d13d9c1ef1f9423977a08f02abcb41061cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2eCd0aPrmk.bat

Filesize
197B

MD5
71e857aa1f63571c14a0a65092291645

SHA1
738b6a5ffd129ecd1a0191ad649ba3775a31c0b4

SHA256
77f5c7978b340cfb03bea5c54cbc258334000e2640169f7d26567bed0ff4e4ae

SHA512
f6306bd95f7527ad07255222d4e35b1bcf9ec942bc5e1f01ec32bb097619e3ca17202ec6d10fc933c150338f35e60b3532c53cc9a4bfaaf520ed2cb3e5609022

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe

Filesize
4.2MB

MD5
78b62284d357197a8ea74a02fd60c354

SHA1
eef3f0afcb210cc55f02668dee3b9846a84379f2

SHA256
ef3a776613760be4a6e4bfd4d7eba37a901b28db81c80a43580765d4ac5de49b

SHA512
30326af2c559a00ddfc614a0b778844e80c26f37cb2be03e913d1ec31c9cb7630fa0333876c98714a2ac302a09b6c57fed321c6357a8db156429b0da974a61f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe

Filesize
4.1MB

MD5
ec232bccd1014914df7510a4966905c0

SHA1
e640f500c6988f308c884b8b30683c8cb12f6783

SHA256
975b0b7eb194b51b8f10197212c9305b5d67df6de7b00896ed651be67dfe3279

SHA512
8120cd23ebf46f0294c9130a4d3acdb1afdf2107b4dd45030ebf942f13261782cd2133296c96791c853466f8ff0c87e2619b91bfe3907b69e020ab1cbddd85b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe

Filesize
3.6MB

MD5
a614bda287ae08012808751f77f2e323

SHA1
62add1024854809dbb61aa917a51d8821c848d7f

SHA256
97e8c8577971502f8c16b30d185231ff11dc5d8634873c4ede485a39198b810c

SHA512
dd6988fd0f82cdefab0c15bde402128bd7c0fa4dcdfec017e89e30a58480bef7d8ac6eecf1bcf41c98ddeaf7eea409fbc52246a819f3417ecaf935dedd11c81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
115KB

MD5
ee1bf6ec7bc004640cf127a64e186d90

SHA1
a0fe27b40dbd53171f374fcc27d75b8a15454a7f

SHA256
d802a8f100e7292623c6692d3d9d85727c632daa69637219df9dc4fabaabc62f

SHA512
ce4a6c31b0c3e8193ce3fb49852269b4ecd6334c92afd1fc4120cd055e477c259f9e4a048d0dbd07d2b54a324e854c9e5f4add415ca72d7b5e31aadbd3001f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll

Filesize
105KB

MD5
b4bac9401a2e33354f560efa40c676d9

SHA1
66c28300d8dfecbfb5008ab488abf734601de495

SHA256
3e217c5e6c4b8ba19d6575e771fd5dacfc58bef36cc5dba5f163bad96e710260

SHA512
ff4ece636a522d8784b9c7dff271fa1ac420fb23c25bbe439927054ca6d479499c3e703d14c02212c4fa15ccb795b8c64245e1ce54d6c782fb707fa21ecd253e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe

Filesize
33KB

MD5
a7878575f2e9f431c354c17a3e768fd9

SHA1
1824b6cb94120af47a0540af88bfc51435a4c20d

SHA256
375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd

SHA512
4f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe.config

Filesize
184B

MD5
cc46a0995713ba7cb577b4bbbedf83e8

SHA1
6cc50a0e444e33f65d42423195ed045a3a55daf8

SHA256
5fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e

SHA512
36f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsddtny1.frb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\yt_fontreviewmonitordllrefsvc.exe

Filesize
834KB

MD5
ed0f35a0e6bc0933673ed6b0b6472b48

SHA1
dcd6ec8d61bde05975e190e28bf1f3ec644c40fe

SHA256
aea7ee785ea7dad89a7c7678b2942cb46dcd0d7a97d4c338a20f5b00444888b6

SHA512
c03364d532028ebf9048aa3cc8d9033888e1508acbe10d5f28b84d1d484528903a8f43aa1946f78c882dac7636ef44a581e999e27d86275e92ae1caccbf8e381

Download Submit
C:\Users\Admin\Downloads\YT Livestream Bot v2.4.rar

Filesize
4.4MB

MD5
fa8f4b4df2626f6690bed9ad1d941119

SHA1
e3293df65dee6e0049557b514c26a8572a2ba32a

SHA256
b86bc75e4838299a3778da52a0adc5c8653bc09a76a3d498e50ceb89d9f7dee1

SHA512
c22493e36a4b3266a01e5d798190d23a4805b57d5f05e0a77066a2b6adae81295c39ac26a46f7adc3069d683986555a58c582b91d86f44a8486d5e6de348dbe4

Download Submit
C:\Users\Admin\Downloads\YT Livestream Bot v2.4.rar

Filesize
1.4MB

MD5
c09692a5ceb48abd1094080eb07fa332

SHA1
e3c55af01e0ef7867720e3b8549146e4980bf149

SHA256
1fed130e95911c93ff0c1d507d6271dcb99159a803ee9d76fc539bc4379618c8

SHA512
c8fc38c0d70ffb773c8dfc525dd9b45096c719ba487346a13ae215e83e51b78454dc57419b573d9bc8cac1060bb99f711cd9a5acda4d0dbe297daf7a6b22199f

Download Submit
memory/2364-555-0x00007FFEC9D30000-0x00007FFECA7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-552-0x0000022EFC260000-0x0000022EFC270000-memory.dmp

Filesize
64KB

Download
memory/2364-537-0x00007FFEC9D30000-0x00007FFECA7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-538-0x0000022EFC260000-0x0000022EFC270000-memory.dmp

Filesize
64KB

Download
memory/2364-539-0x0000022EFC260000-0x0000022EFC270000-memory.dmp

Filesize
64KB

Download
memory/2364-550-0x0000022EFE230000-0x0000022EFE252000-memory.dmp

Filesize
136KB

Download
memory/2584-484-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/2584-480-0x000000001AEB0000-0x000000001AECC000-memory.dmp

Filesize
112KB

Download
memory/2584-498-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

Filesize
48KB

Download
memory/2584-497-0x000000001B030000-0x000000001B03C000-memory.dmp

Filesize
48KB

Download
memory/2584-496-0x000000001AF10000-0x000000001AF18000-memory.dmp

Filesize
32KB

Download
memory/2584-495-0x000000001AF00000-0x000000001AF0E000-memory.dmp

Filesize
56KB

Download
memory/2584-489-0x000000001AEF0000-0x000000001AEFC000-memory.dmp

Filesize
48KB

Download
memory/2584-488-0x000000001BED0000-0x000000001C3F8000-memory.dmp

Filesize
5.2MB

Download
memory/2584-487-0x000000001AE90000-0x000000001AEA2000-memory.dmp

Filesize
72KB

Download
memory/2584-486-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/2584-485-0x000000001AEA0000-0x000000001AEB0000-memory.dmp

Filesize
64KB

Download
memory/2584-483-0x000000001AE70000-0x000000001AE86000-memory.dmp

Filesize
88KB

Download
memory/2584-464-0x0000000000250000-0x0000000000324000-memory.dmp

Filesize
848KB

Download
memory/2584-545-0x00007FFEC9D30000-0x00007FFECA7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-482-0x000000001B850000-0x000000001B8A0000-memory.dmp

Filesize
320KB

Download
memory/2584-466-0x00007FFEC9D30000-0x00007FFECA7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-467-0x000000001AF20000-0x000000001AF30000-memory.dmp

Filesize
64KB

Download
memory/2584-469-0x0000000002520000-0x0000000002594000-memory.dmp

Filesize
464KB

Download
memory/5716-472-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/5716-473-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/5716-477-0x0000000004850000-0x0000000004876000-memory.dmp

Filesize
152KB

Download
memory/5716-478-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/5716-693-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/6024-468-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/6024-465-0x0000000000400000-0x0000000000FF4000-memory.dmp

Filesize
12.0MB

Download
memory/6024-438-0x0000000000400000-0x0000000000FF4000-memory.dmp

Filesize
12.0MB

Download
memory/6024-437-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/6024-436-0x0000000000400000-0x0000000000FF4000-memory.dmp

Filesize
12.0MB

Download