Analysis
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240220-en locale:en-us os:windows10-2004-x64 system -
submitted
20/02/2024, 18:58
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.madmodz.pro/fortnite-multihack-aim-esp
Resource
win10v2004-20240220-en
General
Target
https://www.madmodz.pro/fortnite-multihack-aim-esp
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\tracing\\taskhostw.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows 
Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", 
\"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Users\\Default User\\msedge.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\", \"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\", \"C:\\Windows\\Fonts\\msedge.exe\", \"C:\\odt\\msedge.exe\", \"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Default\\msedge.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" yt_fontreviewmonitordllrefsvc.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3644 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3512 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4492 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3248 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4272 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3252 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4992 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this 
process 1740 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1372 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6008 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3252 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1800 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 320 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4996 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6008 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3300 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3828 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 664 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 6004 
schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1372 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2004 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1832 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 848 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4028 6004 schtasks.exe 139 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 6004 schtasks.exe 139 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation Youtube-Viewers-BOT.exe Key value queried \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\Control Panel\International\Geo\Nation yt_fontreviewmonitordllrefsvc.exe -
Executes dropped EXE 3 IoCs
pid Process 6024 Youtube-Viewers-BOT.exe 2584 yt_fontreviewmonitordllrefsvc.exe 5716 Youtube-Viewers.exe -
Loads dropped DLL 2 IoCs
pid Process 5716 Youtube-Viewers.exe 5716 Youtube-Viewers.exe -
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\odt\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\Fonts\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\Fonts\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Google\\Update\\sysmon.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\tracing\\taskhostw.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\odt\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = 
"\"C:\\Recovery\\WindowsRE\\csrss.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default User\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\tracing\\taskhostw.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\lsass.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\msedge.exe\"" yt_fontreviewmonitordllrefsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\assembly\\GAC_MSIL\\backgroundTaskHost.exe\"" yt_fontreviewmonitordllrefsvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 6024 Youtube-Viewers-BOT.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe yt_fontreviewmonitordllrefsvc.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Media Player\es-ES\61a52ddc9dd915 yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Media Player\Icons\msedge.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Google\Update\sysmon.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Google\Update\121e5b5079f7c0 yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6203df4a6bafc7 yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Defender\es-ES\61a52ddc9dd915 yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files\Windows Sidebar\Gadgets\msedge.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Program Files\Windows Sidebar\Gadgets\61a52ddc9dd915 yt_fontreviewmonitordllrefsvc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\tracing\ea9f0e6c9e2dcd yt_fontreviewmonitordllrefsvc.exe File created C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Windows\assembly\GAC_MSIL\eddb19405b7ce1 yt_fontreviewmonitordllrefsvc.exe File created C:\Windows\Fonts\msedge.exe yt_fontreviewmonitordllrefsvc.exe File created C:\Windows\Fonts\61a52ddc9dd915 yt_fontreviewmonitordllrefsvc.exe File created C:\Windows\tracing\taskhostw.exe yt_fontreviewmonitordllrefsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4992 schtasks.exe 320 schtasks.exe 4996 schtasks.exe 2356 schtasks.exe 3300 schtasks.exe 4272 schtasks.exe 3644 schtasks.exe 4388 schtasks.exe 3972 schtasks.exe 3252 schtasks.exe 6008 schtasks.exe 1832 schtasks.exe 3404 schtasks.exe 4492 schtasks.exe 2832 schtasks.exe 1740 schtasks.exe 1372 schtasks.exe 2004 schtasks.exe 4444 schtasks.exe 1740 schtasks.exe 2004 schtasks.exe 6008 schtasks.exe 3972 schtasks.exe 3404 schtasks.exe 4028 schtasks.exe 2004 schtasks.exe 1832 schtasks.exe 2364 schtasks.exe 2364 schtasks.exe 1372 schtasks.exe 3252 schtasks.exe 1800 schtasks.exe 2624 schtasks.exe 3972 schtasks.exe 664 schtasks.exe 3828 schtasks.exe 3248 schtasks.exe 3512 schtasks.exe 848 schtasks.exe 2804 schtasks.exe 3964 schtasks.exe 1832 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2097088205-1470669305-146258644-1000_Classes\Local Settings yt_fontreviewmonitordllrefsvc.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2097088205-1470669305-146258644-1000\{8E262D4B-BC30-4132-B685-51A251D588D0} msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 452 msedge.exe 452 msedge.exe 4412 msedge.exe 4412 msedge.exe 3452 identity_helper.exe 3452 identity_helper.exe 3124 msedge.exe 3124 msedge.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 3232 7zFM.exe 3232 7zFM.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 
yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe 2584 yt_fontreviewmonitordllrefsvc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3232 7zFM.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
pid Process 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 3232 7zFM.exe Token: 35 3232 7zFM.exe Token: SeSecurityPrivilege 3232 7zFM.exe Token: SeDebugPrivilege 2584 yt_fontreviewmonitordllrefsvc.exe Token: SeDebugPrivilege 2364 powershell.exe Token: 33 3256 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3256 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 3232 7zFM.exe 3232 7zFM.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe 4412 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 6024 Youtube-Viewers-BOT.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4412 wrote to memory of 5060 4412 msedge.exe 30 PID 4412 wrote to memory of 5060 4412 msedge.exe 30 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 
msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 2044 4412 msedge.exe 87 PID 4412 wrote to memory of 452 4412 msedge.exe 88 PID 4412 wrote to memory of 452 4412 msedge.exe 88 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 PID 4412 wrote to memory of 4728 4412 msedge.exe 89 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.madmodz.pro/fortnite-multihack-aim-esp1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecd4b46f8,0x7ffecd4b4708,0x7ffecd4b47182⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:2044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵PID:4728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:2248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:12⤵PID:4368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:12⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵PID:2780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵PID:4168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6104 /prefetch:82⤵PID:2716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵PID:2160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:12⤵PID:3732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:12⤵PID:1608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:12⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:12⤵PID:2096
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\YT Livestream Bot v2.4.rar"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe"C:\Users\Admin\AppData\Local\Temp\7zO0ACECC18\Youtube-Viewers-BOT.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6024 -
C:\Users\Admin\AppData\Roaming\yt_fontreviewmonitordllrefsvc.exe"C:\Users\Admin\AppData\Roaming\yt_fontreviewmonitordllrefsvc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2eCd0aPrmk.bat"5⤵PID:1460
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:2716
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"C:\Users\Admin\AppData\Local\Temp\Youtube-Viewers.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5716
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵PID:5196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:12⤵PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:12⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:12⤵PID:5236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵PID:5228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵PID:5220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:12⤵PID:5492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:12⤵PID:5596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:5888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:12⤵PID:5900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9116 /prefetch:12⤵PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9444 /prefetch:12⤵PID:6064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:12⤵PID:6136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:12⤵PID:5816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:12⤵PID:5784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:12⤵PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9388 /prefetch:12⤵PID:5876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:12⤵PID:5872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9436 /prefetch:12⤵PID:5696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:12⤵PID:3996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:12⤵PID:3068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:12⤵PID:4364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:12⤵PID:1740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=10072 /prefetch:82⤵PID:2320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10208 /prefetch:82⤵PID:6108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:12⤵PID:3332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7420 /prefetch:82⤵
- Modifies registry class
PID:1456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9616 /prefetch:12⤵PID:432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13742255995230811961,5103222062212960130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=10224 /prefetch:22⤵PID:2228
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1808
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Users\Default\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\odt\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\taskhostw.exe'" /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\taskhostw.exe'" /rl HIGHEST /f 1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x348 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵
PID:2160
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
1Replay Monitor
Downloads
-
Filesize
152B
MD53300b8028991d6e234684db7803b66f9
SHA196df26150566233e1e0201bf17b4ea896861862e
SHA2565b7786b5ae4ba62b88bdbd0992a8fd96b37e4c7068e2fd23d0b33acf769d00cc
SHA5122f2dff4c24d4fd60160f70d544059bf02eca983309ff46bb7a1cb4d7c413e291c1520842e1922be55a4058380cd041cb6b4d9e70cdc5e4e00880fe13472df031
-
Filesize
152B
MD5a7f6a4b84d93993fde98d6553834416b
SHA14b4a227af10826f5a2f2e9b232ddb0336b3066f1
SHA256843a9671b3fab9337d8d600e170f9ac8b200a2faf63b5a8cd16f157bcf73c21d
SHA512ccfe39c47109dbf71c74ff6950526be7fcd521462f80e69e27388a9757d7f1adebf5f723c46b1631ffe3e2b4aa5829655d556bff8bd7e0f9f87fca46545bfb97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4231c341-d0b1-4346-a3ae-d81f4c678944.tmp
Filesize 6KB
MD53bb3c94b4758ff81197a2cecf88e50cf
SHA1c37ad80fdaa5dca985fa8d79d6d66ba197a41c79
SHA256576cc4aab2c6fe066ff9aefa67c11827292683ea364b8c3e090956b969739ae7
SHA512060b4f05f998061eb26120e017b90224b74488b9896141c68c2b503d560fa671f6d175a7bd29efe965eefc979df55ad564fad0fff19d4cbd29a40b8443242435
-
Filesize
22KB
MD5c5ad332aeb7c702c2db2c7b915f9a55c
SHA1ba7a187d9aebb94d046484d3cbebe7ae15130b26
SHA256d24ffb7e1667d900d0b1629f33e9fea5cf90a58171e63c182c3722d58e02275d
SHA512d0ea2446aeeeb5fe419f48f1fcb8c66a1fe094ad345580f3f7282dbb96053fe0d3752c54d1082061e0819ae0df127d848a689fb6fce09f45b7b54ad37fc06e44
-
Filesize
4KB
MD5bde50bf87f62bc450bdadafb6abee1dc
SHA13c90db42799fca821b54c51874f33f397b5d5ffa
SHA25619a85fb338f02989a1658fe2527bb58672d9792cbc5c5998e7a9385acc092edd
SHA5120cc64abecbdb96f08f1335afd7399062f9e905126c54c9528265ed52662b6ee7cfd67fb35533617db31f4677f7e28672b905d87e2ac38aa11ec88070c01b2194
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
MD59161d089ab7f4a7cee96684da5f27999
SHA1911408a5b14e66bb48802c96fcc95ff5a19a94ba
SHA256bfb0e87b1039b1ec8783df8ecae6e552d0e3eeb45d166e0593f8f8f354961bbe
SHA51250b877f8ec2cd1a2f8fbe5165ee4c9438f43c569a1693a6dad73e7d3ca228cbc934b96651ded1ee894b85b07689b36122533fa398bdb13e27af1967bcd1116c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize 16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
14KB
MD5e1c8078577cd8e4981cde03daea28bf2
SHA1dff9b2cf073d7769347e55285836413eeccd9089
SHA256feb40eb7e048c0ed95f63b720a2302837a12fdeae0d3a83bc0401d8f20b7f0cb
SHA5126d0f92ec81fbc02c4915473b5ec56428c56fd8ddec91921f570b4e546b1a8bbe05d8df50d0e973e9383e1541e700093814417322684d669eb53ceeb68e9245dc
-
Filesize
10KB
MD53445e496bc060686cd6da67464f4e600
SHA1beb8afa8e84f41d7fb36911a22d6aa7dcc282221
SHA2565334eede30fe0b26cbfca253bc6d991c834d618fcb680883e3305bb745ac5c30
SHA512ecd329f84bad33a3698f5b1004b193eb9ef91eff446db5332ea608d2948df026bbc895a4ff9237d6d92ff1cce19406128e4951d5bfefb601fa7c7c44938cc440
-
Filesize
6KB
MD54c8622172e362a38046ce246205a8d24
SHA1db5c0d4dfd0d6b46292d23497150518f5fcf3008
SHA256714c1915813547bd5e9c89c638e0bff84dd2a745d7b563c3032d3c97a162b391
SHA5128fedff147fdb9ca2c72d88f2e66ec23398aea6de9b19d6453121b5f9b31921a2e3437dab3d655de21d03019fb461bf8a083781b253d963e41cd452c7b14efb42
-
Filesize
9KB
MD5ef48c19b0f0f5b45d49d94da8ac75918
SHA1a8e5067cb5a8ca78d1a3aa0feef72216e135b1f6
SHA256696fee71f2f220bc954027b74a5be1f63aa7a6e470f281139ff944b342698fca
SHA512cc59146041ac6a9a84d04147432a9a807237076c8536f5f436546a9f1402b3811e3486df0c39182de99955a590571ef95d773cb202e4f50c47142419839b7ad2
-
Filesize
14KB
MD5ca245e47225cb06f056b031044e9f860
SHA1c3b2ce605ec12e4fb084102ffc5953178c937796
SHA256ee4bda8b9e17ad2bf690d2700a363253d9696d2d608aa54a7a0c2245e4519b42
SHA51296b3ce558bfdce49af112b87fd06ba6d92b299577c98fccb8fc5dfb7e7c52e6d91282cc08718e288a08574b2a6291bf2fe8f9d4ca2e285c2400a7366c107bfff
-
Filesize
14KB
MD5fcde5f434f398ba2b7f2a38bc0671cb3
SHA1b2b03b74befb6e66388ab09532a943934de83e29
SHA2560e26cfaf3edb57616ec9d720bbaeaa688b61c7b5b57d93f35279a0d2bbb8931c
SHA5127b5001d79ccd333b33aee2ac7c14501f8a7089a8e6ec2b5ef42ec57cf144c6258842f9e96ee126710b0243b8bfef548c4eb359b932171403b92c1cf5cdbb4dac
-
Filesize
14KB
MD5571d72ec6a4d86a50fef30d20b7eac0b
SHA15cfe0e6679fb9f086b76f3f432bdb712db3d6f91
SHA256b2afb7cb45c5c370db97e7b8d7c43d4ddd7cdaf052e335bb2270d86f4d27a837
SHA512717cff8eb3eaaf5237564c7f2dfa22f5fa6519c02bdefa3937182de7243b0722adaab860d8998b34ded837e851251b9c885c7df91ced6f33739ffaf3f7778491
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index
Filesize 2KB
MD5df3a649981c32ae767b0d870ca7e2e11
SHA1eb1f694e8401cd03b8cbeaa5bcbcdbd7e150d82d
SHA256131278263d4ba44481f74efd26bc8ef76f9c69cef5afa7c66ea6d1c3bcdd987f
SHA512aef838c3d7ca3cefcf9bf8fed6f47e32421b4916d92aace6023cb690a058be518acb212d97a155ea1f01cdfc15931c7f830d6dd466848e7afa695c27d8185e09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index
Filesize 3KB
MD5eaf1206d67c15681d303131889a78a84
SHA175796c5a856e9c2157f2983cf1d30a41d9d74787
SHA25678d67ee17b50d2d3e3696879a7d1665f4326e4699122b8a313458fd7ffb6722a
SHA5122dfeca23d263c4f8f0b94b14e53f2a57e4ea4626a0943617e40b50ac881641d4a1f347d4d1f711e1180c84d636bca013d8207357c6726329456082812fef1215
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\830a0b0d-2ded-46c0-abf6-485552f9a3fb\index-dir\the-real-index~RFe58f817.TMP
Filesize 48B
MD579000cb115b0ee6a2a78e8bbe1a7f722
SHA182fb6b217a88a254df05e5cfacd8a5c684090248
SHA256cdcdf24378b6c5f3939f8cd061b424064b32075d97db267d8ac980f764893997
SHA512119b8a503dbe7dd45e197bd8dbda72b99d63d606cc086d252cc6485f1c5baa94a69f4f09b89e53232533185e51bd0a6e934c59d38293ee4ec9f87657b2a6813f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 146B
MD5e84629016ea526b97be03c9154463dfe
SHA15fabf675b443e95fc657e13a99dff03e8c70abb3
SHA256bea75f25fdb54ee566303bb7298aaa7508fe8d975b49d7da2025faeb2b7c776d
SHA512a0efafcf6ebe8d8f994679c1eb983c9367f5b811604d4e999fa873e37aa1190eda5cc249ba987340cebe3acceba244346185cd4c7bc840f1ba598c8b7a16dcb4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 84B
MD5761369aa970a7a129f7f5caea5f35f23
SHA1ad9e0dc1d5a90bbe13522c23dd3b29e8b40d52d2
SHA256ac76da89cfffe106b60b91ee889617394769b58a82f8b33729aed72ee03a7c89
SHA512449e35d78f0f1a6094f89c628334485a596e7296a99becb61309a8f6fe6ad45901a15194d2b4d7cd6b5747a244566f1dc99079ab779fce992099a8b1a9b60427
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 82B
MD50a999d9ee2e8f049f55cafbe8a22c0e2
SHA115ec3be9659b088b8092b2675ae5368011fcfd2e
SHA256b7d29bda3acb9afba9b4950e15ca8c677f50bf6df35f2187b5626bede6e1f819
SHA5128821dbea7b1708e4e48f233232649ec245d1bf842de5f009bad4c49e39bd9fd3a801aa7bdc76ee0561fd5b26597f4fba9133f5854a9dd1baab87fa6e0dd36257
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 84B
MD5dd6e51b6bcc7387d4058e9355f6d5dcb
SHA15390d64b6a9d7967655e44b2ec22fc8e6c8df84f
SHA256761e4bb090e488aa66b16d68fd61d360c3a90afed354c2de60b3b5df6d5e8fa5
SHA5126d16736962b2e63d22bee3fc80082921a0029f76c94c8a10e541b9e1bae11bcd60f4597f9d64cb1f54817918fff0f4d3a78c01073582bf3728ea173ad14b5499
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589640.TMP
Filesize 89B
MD5f5ea821b566ec6eeecbe166c6d7671e0
SHA1c99c19fb003a1c3e2c73a510f38c5473710372bb
SHA256ae05fe7c448f0d1a38222e3e34566aa71b6482dd77a0c8bca56bc29d8975e252
SHA51218a8ae5f2387283e9cf7c5b238f5371a0283109acb1a79132a0889a2e43895f845e9e577093190568b9d3f7e9b04b1ee154608e73fe46c0c80dcd59766c93aba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5d262af82403056e1f4b14c6e67b16316
SHA1002d308db4289ed316309cc16d21d34160375194
SHA256b16bd35f888905db382366cb7327213c68a782c9951bc48dbf198294ab8ccf74
SHA51240061eb30537cbbdc823591beb7762b521ca964d92bb5ecc74ade47d483da16175ae3d13e355b855c8547701f79591f9f8847e942c75f372291946dc46d402e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e6b2.TMP
Filesize 48B
MD5ff292d57575779525ff34470ae502083
SHA14c5cb7a8e6a4c1a8cba7c93715bb8ac89559bf86
SHA2562ea79c6d8c96c881705744552bda04bd9ccef04b32dccaaa8d5a0ce575e78759
SHA51236341e0c294e11fe1f26ddd264ad25f4f5ff5d35d605e378005df5f96c1bbdfaabe67ad455247ea7d54e0397bd96dacd0091e8c6d3cc0ded14ec4971c376cfa7
-
Filesize
204B
MD5fab0b8d9ea5961fdc856a04617f76034
SHA185fb85e142689a78e29f526bd79633a42de3f7d6
SHA2567310a642db349f38f071c2a8b168a33f52a02069102ec602bfe631bedff1c996
SHA512340744b65b92db69806c096a0f6dde52254fb73186c63a9c6256ea2fbed4aa36eb1000142a30937c62e5bea1a36b2fd53771476e4e73c6511b0dcc0b2e0185eb
-
Filesize
3KB
MD5f08b4d25780f9d814b15b83b252882fb
SHA1f2c56465ab3640cc8785dd0f38c13e460e183498
SHA2561c54e5a85c5ab294729dcf0459964578fa23f4f7fa06a0df8b7f43dc4c3226f6
SHA512759412473d2b87298964483d5277481d42136a2efe1d067b24745f36b982ca59aff0e8f239328c60a8e736a28dcbff3cdedbab0d8301431b8507de9763d5049d
-
Filesize
4KB
MD5fd4e532a3aa9c9e402d679cba11eb085
SHA1783bad58abfecf9566dffa14a7f917c99ba7194e
SHA25629e3868eba5a26342dd554a21260555a226c97d5f48c74921546328b40d6012d
SHA51228a4524d8651db5ad3841e458e1b8c9d7743cb5a2e78791bef7595f1a9278b8e22ca93657737e97d2275acd70c0c6ee3bd54f363a70b924274ccfffadb3b35ff
-
Filesize
4KB
MD5f6d64cb63212523b62c482a80d77e11b
SHA12e1cae498e16546dadde73958e0108fb88a04694
SHA2566db4e7a45af4072b3c09cab5eb1bdc402970e58798e94f71f8b13b076dae18c3
SHA51298948eb76e4d1d59aeebbbed11348c234442d3892c5b1e540d6df0553580d58e45505a0c4a315fbd2b9f1a154d61f6e3a38e9fe325c3aa9e31f7075db335b07c
-
Filesize
1KB
MD529b53744de8608c6198b802f25f5da98
SHA10b291b3de9a3e2044e95ebf36bf06360c590e2e3
SHA256fd142bda645ecd907e6b1f5a510a07c31f89004593845b1cb1f5be164c3651eb
SHA51284f6de161fb6d0b2dab1717f70ac6efaf4ebf0c15720087b505c28fbbf3edeaf12df210da96d87cf41dce6779bb2ef999b7091b2f8bd6bae9d8c56d5d390ce32
-
Filesize
3KB
MD50eb03ed6548faafbc02cf6f7288dff38
SHA121c4c7e3abb4d53e1271d82941f25a65f2ac46f9
SHA25638ffdf8dba38f33554b3c90272ffeee78263507834e124566b433f802087a5a2
SHA5124b541832a16f697f885b1fdd0a9e4dd501b5422efda03a58f068fb7833d506df7554368964808969e223c3b3de17663054fed783d64fd8ebad5c9badaef6093e
-
Filesize
4KB
MD53a60a96177714330eb9456dfde15d9c7
SHA1c8b2e7d6674afaa9135a20b955356a95c3d1f145
SHA25632cb55047a5d56ed5c6067f13eb58bcac847307369d08b3f7866158b71d3fd17
SHA51205762d5b39a02286b4413bf38be101434deb80771512f658c031b429190dc7b882136bf0d6804fb7890226d589f5d9fd62ad77e261166897955cd619a0fca76a
-
Filesize
202B
MD5c6bf79e01b9ed896fbdbab84ef5c31fd
SHA1f8dc15ad6b1611c10575aa178c5cea642a342be1
SHA256a686cb1f706ce09640897ed90c8cc90580d2efa539f224192278927900f52f3c
SHA512702e375a9803e3f0b8509c1201715c6d206dc8a3b2db96538937812f109b32257a979b275581496be0d042e0265813633be585af666c7229f3c0a4d99ac1dbad
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD50953bc4244adb98365b88b218fd9f211
SHA134d6df10ca671e08fba2dd4ceac16ec6c4233dcf
SHA25682b52236885f9d533e9c138168ab9281e6594abb21ded21b6e39d85897526b1a
SHA512c48025487b8a188ff6fe610d54bf4c445367285d4fcba0c4e9278710973492b190bc1bf931a464fa917955adb8f057f1d10a406f3891fe4459490dcee4546351
-
Filesize
12KB
MD5475677e6de0211acfef94da1e76e9ba8
SHA1949eea2264e465fac56c0c975203d0f88df3e0d3
SHA256a1c98d29db9442980e06c0ccc71469c19ad1cddcf75c57085aeefabfe20f11ce
SHA5127d76161e41ccacee4b4b2caae018a14f9f2d2bf6438aef687cc67abb6e1588f3621c1fccf5f90d1a0b1f491de84a27089910f07d7dff66f28acde984d462463a
-
Filesize
11KB
MD54a9adad1bf436763fcdd145c72cd669b
SHA19825aac8643bf268957c9d8413b3d4101ca2bc30
SHA256b86c462bdd13be40c665d6bd5a98dc9c4cb2a569b706731a7659a8beb6fc3eff
SHA512a98e9487af8f5d9cc5e5259cbf2308600a96ee09b4ca18d9a0d97ce4bb88e0abcef6e457db0de1d8fc6f02d891018d13d9c1ef1f9423977a08f02abcb41061cc
-
Filesize
197B
MD571e857aa1f63571c14a0a65092291645
SHA1738b6a5ffd129ecd1a0191ad649ba3775a31c0b4
SHA25677f5c7978b340cfb03bea5c54cbc258334000e2640169f7d26567bed0ff4e4ae
SHA512f6306bd95f7527ad07255222d4e35b1bcf9ec942bc5e1f01ec32bb097619e3ca17202ec6d10fc933c150338f35e60b3532c53cc9a4bfaaf520ed2cb3e5609022
-
Filesize
4.2MB
MD578b62284d357197a8ea74a02fd60c354
SHA1eef3f0afcb210cc55f02668dee3b9846a84379f2
SHA256ef3a776613760be4a6e4bfd4d7eba37a901b28db81c80a43580765d4ac5de49b
SHA51230326af2c559a00ddfc614a0b778844e80c26f37cb2be03e913d1ec31c9cb7630fa0333876c98714a2ac302a09b6c57fed321c6357a8db156429b0da974a61f1
-
Filesize
4.1MB
MD5ec232bccd1014914df7510a4966905c0
SHA1e640f500c6988f308c884b8b30683c8cb12f6783
SHA256975b0b7eb194b51b8f10197212c9305b5d67df6de7b00896ed651be67dfe3279
SHA5128120cd23ebf46f0294c9130a4d3acdb1afdf2107b4dd45030ebf942f13261782cd2133296c96791c853466f8ff0c87e2619b91bfe3907b69e020ab1cbddd85b0
-
Filesize
3.6MB
MD5a614bda287ae08012808751f77f2e323
SHA162add1024854809dbb61aa917a51d8821c848d7f
SHA25697e8c8577971502f8c16b30d185231ff11dc5d8634873c4ede485a39198b810c
SHA512dd6988fd0f82cdefab0c15bde402128bd7c0fa4dcdfec017e89e30a58480bef7d8ac6eecf1bcf41c98ddeaf7eea409fbc52246a819f3417ecaf935dedd11c81a
-
Filesize
115KB
MD5ee1bf6ec7bc004640cf127a64e186d90
SHA1a0fe27b40dbd53171f374fcc27d75b8a15454a7f
SHA256d802a8f100e7292623c6692d3d9d85727c632daa69637219df9dc4fabaabc62f
SHA512ce4a6c31b0c3e8193ce3fb49852269b4ecd6334c92afd1fc4120cd055e477c259f9e4a048d0dbd07d2b54a324e854c9e5f4add415ca72d7b5e31aadbd3001f07
-
Filesize
105KB
MD5b4bac9401a2e33354f560efa40c676d9
SHA166c28300d8dfecbfb5008ab488abf734601de495
SHA2563e217c5e6c4b8ba19d6575e771fd5dacfc58bef36cc5dba5f163bad96e710260
SHA512ff4ece636a522d8784b9c7dff271fa1ac420fb23c25bbe439927054ca6d479499c3e703d14c02212c4fa15ccb795b8c64245e1ce54d6c782fb707fa21ecd253e
-
Filesize
33KB
MD5a7878575f2e9f431c354c17a3e768fd9
SHA11824b6cb94120af47a0540af88bfc51435a4c20d
SHA256375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd
SHA5124f9de23fc13f414c8d6c82a7cd9ef5dfa2e7855ba642b745f62ad8b4af8dccd9269b4dec5468632af0ff5353b0d4c8e85f758ea794469f355f762cb1cc747019
-
Filesize
184B
MD5cc46a0995713ba7cb577b4bbbedf83e8
SHA16cc50a0e444e33f65d42423195ed045a3a55daf8
SHA2565fe1ad802f68d7c47dbbd8e60162ba88abaed162da5d381c85d3e4935311962e
SHA51236f5b3acbc520504cfe56e5fe19de2a22ae3d2ddddb4c0eb3e441f884033077fb411e69976c3e250c3ef01189d0e48016bde67a73a0dbc950dd5d8ec7783fd2a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
834KB
MD5ed0f35a0e6bc0933673ed6b0b6472b48
SHA1dcd6ec8d61bde05975e190e28bf1f3ec644c40fe
SHA256aea7ee785ea7dad89a7c7678b2942cb46dcd0d7a97d4c338a20f5b00444888b6
SHA512c03364d532028ebf9048aa3cc8d9033888e1508acbe10d5f28b84d1d484528903a8f43aa1946f78c882dac7636ef44a581e999e27d86275e92ae1caccbf8e381
-
Filesize
4.4MB
MD5fa8f4b4df2626f6690bed9ad1d941119
SHA1e3293df65dee6e0049557b514c26a8572a2ba32a
SHA256b86bc75e4838299a3778da52a0adc5c8653bc09a76a3d498e50ceb89d9f7dee1
SHA512c22493e36a4b3266a01e5d798190d23a4805b57d5f05e0a77066a2b6adae81295c39ac26a46f7adc3069d683986555a58c582b91d86f44a8486d5e6de348dbe4
-
Filesize
1.4MB
MD5c09692a5ceb48abd1094080eb07fa332
SHA1e3c55af01e0ef7867720e3b8549146e4980bf149
SHA2561fed130e95911c93ff0c1d507d6271dcb99159a803ee9d76fc539bc4379618c8
SHA512c8fc38c0d70ffb773c8dfc525dd9b45096c719ba487346a13ae215e83e51b78454dc57419b573d9bc8cac1060bb99f711cd9a5acda4d0dbe297daf7a6b22199f