discordrat | 64cfb57e5ac63b3b59c2302710dba7dad93d9b27d39a950ff5e6be4315b7cf34

Resubmissions

16-04-2024 19:30

240416-x7s5zsae68 10

16-04-2024 19:21

240416-x21ymsbh9v 10

Analysis

max time kernel
1390s
max time network
1395s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16-04-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tic Toe/TTT.exe
Size

78KB
MD5

bea6449a9c00cf3667941b6d9de42610
SHA1

dd771bee34b16935ff90b3baea5f854e8371b3dd
SHA256

161b52b3f8b209d6ef096dd464d9ab5a749846f5593ed4b9e3d03aeb3a7a9861
SHA512

8913be46ebcba2a7ce997a8b93caf80e5aa1878afd18c12191c6af6f388969970e625f8299dec08f2261bed5f00fd7408c542128d33d9139a72a0adcfbbd356e
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++PIC:5Zv5PDwbjNrmAE+6IC

Score

10^/10

discordrat persistence rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNjYzNzczNjgyODYwMDMzMA.G6KXZO.KhvjpXnxesj0UFK2f4VA8aIK-hpf6VfhFGsAVo
server_id
1224114376949235764

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA	Gnil.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002b27d-1322.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2880	spoclsv.exe
2328	spoclsv.exe

Loads dropped DLL 1 IoCs

pid	Process
1980	Floxif.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-1320-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000100000002b27d-1322.dat	upx
behavioral1/memory/1980-1327-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1980-1329-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	Floxif.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com
10	discord.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4624	1980	WerFault.exe	160

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577694538033022"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1734202354-1504186683-2192872036-1000\{C2A9AE0D-4E9A-4903-BC3B-FAD2FA4E5A5A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MalwareLibrary-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
1744	msedge.exe
1744	msedge.exe
868	msedge.exe
868	msedge.exe
4696	msedge.exe
4696	msedge.exe
1656	msedge.exe
1656	msedge.exe
4948	identity_helper.exe
4948	identity_helper.exe
3604	msedge.exe
3604	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
5812	msedge.exe
5812	msedge.exe
2352	msedge.exe
2352	msedge.exe
1980	Floxif.exe
1980	Floxif.exe
1980	Floxif.exe
1980	Floxif.exe
6084	Gnil.exe
6084	Gnil.exe
6084	Gnil.exe
6084	Gnil.exe
6084	Gnil.exe
6084	Gnil.exe
2880	spoclsv.exe
2880	spoclsv.exe
4884	Gnil.exe
4884	Gnil.exe
4884	Gnil.exe
4884	Gnil.exe
4884	Gnil.exe
4884	Gnil.exe
2328	spoclsv.exe
2328	spoclsv.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	TTT.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeShutdownPrivilege	4552	chrome.exe
Token: SeCreatePagefilePrivilege	4552	chrome.exe
Token: SeDebugPrivilege	1980	Floxif.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe
1744	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3556	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1564	4552	chrome.exe	90
PID 4552 wrote to memory of 1564	4552	chrome.exe	90
PID 1992 wrote to memory of 4420	1992	chrome.exe	91
PID 1992 wrote to memory of 4420	1992	chrome.exe	91
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5592	4552	chrome.exe	92
PID 4552 wrote to memory of 5864	4552	chrome.exe	93
PID 4552 wrote to memory of 5864	4552	chrome.exe	93
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94
PID 4552 wrote to memory of 1052	4552	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe
"C:\Users\Admin\AppData\Local\Temp\Tic Toe\TTT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb91a7ab58,0x7ffb91a7ab68,0x7ffb91a7ab78
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1916,i,17925662470902836295,11128072099180743644,131072 /prefetch:2
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1916,i,17925662470902836295,11128072099180743644,131072 /prefetch:8
  2⤵
  PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb91a7ab58,0x7ffb91a7ab68,0x7ffb91a7ab78
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:2
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4240 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3332 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1936,i,2174519468309026862,11714363188820855197,131072 /prefetch:8
  2⤵
  PID:1296

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb779a3cb8,0x7ffb779a3cc8,0x7ffb779a3cd8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,2668056385225453596,16355572183018822822,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,2668056385225453596,16355572183018822822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb779a3cb8,0x7ffb779a3cc8,0x7ffb779a3cd8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1308 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,5732461981582740707,4735438732814453259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2276

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 444
  2⤵
  - Program crash
  PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980
1⤵
PID:1968

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:6084
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:4884
- C:\Windows\SysWOW64\drivers\spoclsv.exe
  C:\Windows\system32\drivers\spoclsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:3772

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b8e407fc2ce007ebedb805315e742825

SHA1
4a220eea50f40e19e2c0530df983ea594ddc3cd7

SHA256
c9634dd4bc177baf37af47e478f7a59f0bead11ac5c7205a68923c6cca38cfe2

SHA512
b2894280beb8dae17547cc79c6f9ad7d4ef49ed01ae503fcf10350a0e7ff4f18d6ae42934f1741d0d143df8f053a15213c41f2cd1539aaaed19abc8fccce0b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cf5f8cf36bf69cd91406d7e1c6e56345

SHA1
f26a4936680ed1931a705d15ced5a61ec90d8f43

SHA256
f4ec3867be1af34a28432bcaf95fbefbe1e32f3f9a26759a78a801a02cc36ce6

SHA512
9b737bf4040a942fa9c857b534c3d7b5e9787aecbc9e5353664b7d46ebf69ff90a53fe16991acfce2b3c56e8437ae13adc540fcd237b992e01eb37d4f59b8c79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b275827c90b925ad666e2ddbc25879e3

SHA1
01382252efd37e94aa24edd5a1437c0b90b93a02

SHA256
525083ceeeafbac542c532a47ef36bc4c03fe5b4377a546beef4357b1ba12b5f

SHA512
449564e45de80a37a148fd1819b40bcaba4e0cc2bf3cccb6bfdf46762df1163b71f240acf3022182cdf645ebf2430dd59eb30d7c4d857d6b15bdb3d99c1ff73e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2a9a2036ade9c4f0389cd83fea430ca0

SHA1
3c4d2a2c093ef418facc333fa028a7fb2aa2fb77

SHA256
bcf5fd0a33d108ebcc5063a89b71b105f759e1344b666f62257d6ec62acf6bab

SHA512
585addba85a4ce176b91907d286a2c763373685100937f2bfb3d0b7a775e882eb9dbd463875ed8970fa99e7ce182c1bfe2577abb1d8b5ba5dc1d7e37a41e6302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fbc4a8d61209d62eedf5fcbe37415c23

SHA1
b9a01890299dd14f014b4b5c69a60c186d479393

SHA256
293dddbefd3b576beafe79e52882bca5f4a785f2a25e9baf72c8b1bf62867719

SHA512
25c381f09aa3107444893669c9d564b88f9a278a7f8a5163dcdebed66ff8935e39365df21abf9d0a7780c19ef64cdf74051d1f841add43d9f75f78f3462c3946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
d63da5c5ce06c862a4faf333a012560d

SHA1
7a669836a3d0ac1249669152ec54bd631db2d725

SHA256
1cf3202ac013e496679b459031708179c89dfd0630104442230d4203e8e379df

SHA512
8446190638388f803376650547b741a20ec911c6474c6fc394b9dd77f78241479e4b809dbc803f81ca3630f563476ce986836de8f9d6b293bea23186f7fa40ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
b081489e60f88b05009a3640f3fd9410

SHA1
e437916b09846da58c22e7839704d22093b99253

SHA256
d23093e5ef88c6ce5afa369de8743bb12b464afc4eb1fce7dea8e006bb4dce60

SHA512
592f5eb04454d736dd0e98b29752c25e5048a43bb3d2a69e124ebe210ba9c9d3d4f527a79f30bffab639d5c68c6810cb21e2af47cf378f077934b0c40878593a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
127KB

MD5
2f7fe37ba6588b43b375e6b2b6fbb4c9

SHA1
b5b529ee7a2cbd0bdbea49acf026a1b86c120ef9

SHA256
948e0fc39ef395d7a12d2118fc612ffb8cbb6a923449603882800b1e777cb8ed

SHA512
73209325886b3d1f9ca48cf412f60effdd033f06d9a6c5a699f83e1dd5aa7727d809096f68edb8730d9e8978b8166d3ecbbed9d9794bac8231ad57809580e226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
15fe2ca7fbb19bce73b3127d3ce38b40

SHA1
3b6d7bb9a2a45706b41570c3237620977f91bfe3

SHA256
fdc0d483560fd857db4fd1f96c8dd963c4400095e8191206cc1400e07cfbe097

SHA512
8a2ed9de98c5e82d7924695caf8350a4cb702fe52bd6183f929966bfa9909e4b55471cccde3c0324024061bc4d6ea50076708fed9fe4e0cd976106784caf5fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
387bda50a259f550e0a5b9c3f441359d

SHA1
9e0a87fad07a1fc8e67b5f44244aee8c49289a28

SHA256
f7a53d094bdb8498f4a5edf5dbfa6f1f04e62013a9173d48cab6f31e7fdc4f68

SHA512
060019710d5059241e00e23d6780ff44a016774f4658d16443d1ca7b7187aa4ab4ec484b18d380692f75dda19b882411749cc29545c9e3e57488a758bf618e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
36KB

MD5
e436e9f7d0b7a7fef1edc1dc7078abf7

SHA1
a5aabaac39d2163e619fcec4b1fbf1af8c6302d1

SHA256
6515ec9bdd51dd67a3018772b42b7d8ad3e83d22844f4baf0c888328bb73a1c7

SHA512
c3c1649c9c5e7e9b175305e73757346030bde5770693ef3947a0b6f2da2852a425bffc5785dbd880551f4c6821a11c560af58de75c585a257ed2128b974dea82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
d404b61450122b2ad393c3ece0597317

SHA1
d18809185baef8ec6bbbaca300a2fdb4b76a1f56

SHA256
03551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb

SHA512
cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9707dac1c512ccc3f88caaa6a0d3c772

SHA1
4e053fe8d5d1c3c28660edc8c5ab2d65d20aa971

SHA256
bc83c7f5d9d5ecdb6ee434b96b38e780eaf39ed6b13b56669c1e250937425249

SHA512
0845972d46175b4c1d11ee80a5f8d14dd732454189285331d8408aa5efad543cf0078baaef729decfe7c972bbcf3dcf1686043389109b13bde056a2726697eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
71d9dfc9ea56eef1eca18565d9c083fc

SHA1
4757a688bf42156775d57c033504074f52d233cb

SHA256
507b96558d9ae68a066ae34c99e7a239ec3fd845d275f31043e4c0d1c1e59237

SHA512
a1fab1c55c2fc2efac4bfabaace4c33a7ca9c54bc177a49bd424eacc97d21cff7faac938a4742e596113b235e24d38457b3fe5373c0c792718040b5a4e312775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
19eeee23cb92b3eb44039ce78978c343

SHA1
3247bcb0ba2d17069986482f4ce2edb5d9e7a161

SHA256
3a9ee214ad2bb5c8e9325f06f73ac437a6df071636986f7bae53f4e2cd876359

SHA512
e103068ce8e5c785da868ecc9b813b3f6f1c1d5ed759f5074ca99dbf372df88f2ce07a1814c65f661ca0ac5e3143e358fee81117f2d145cb3836a8ef951d4dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
80e4348f9c2de12de060a5ae0ad3738d

SHA1
2b96a9fd7efd31c1916c3d1315645fca0814769c

SHA256
37e1158feca672f0cbc6835d907f3526d5b1eccac8dfe5c9cf433e3b209038ea

SHA512
0f798edf9cafd77f519f790aa136c1cc89599a2dbc00501ef3125c0233ca71606cb58fd2f4a22dfe6eab99c36e410ad8da7709f01fa3da1ed8e56eb6fb824a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0a00b20c336eaa5a5756db89dd9c6316

SHA1
f28b0cea1fa95d5eb9d11bd09a2ce4de9d12da9a

SHA256
00512ba8e9c1d6ee6c9ee053c3ff3d1e60b8044abb8e5094569c6bf77ec98307

SHA512
3f6dad623c3077dabafdec8bd29f8d19352ab5ae881f3f242bc0f6201dbdab8fd1f0309a03736bafe9ba4c3fed34df2c0a04539b290effe522ede6e0e2b1c076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2bbb7e72f2395a264bece30385c2a8fc

SHA1
bb1467db425e3243f7bfef3b8106685091eb06c5

SHA256
a28b92677d49c318c6a3e6c26e2b02e7ef1b2f7df77f9ec091e6c7b37f3c6f00

SHA512
13b7d4b66b9bc8757705e620294f23d8f0f8c366d0ca7eda6889fc9031abba40ee763247227d76d9f045cffe500ec98de037cff37bd56b51d148ed8ef9c6a52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bd183ed455e42eac930645eaa2edf91c

SHA1
d627c4a4c59d859e98fa439e56e701de52a82883

SHA256
2fb3a6c13a687d45677aed5912a5b28d9991da374bfcbfb9981218629505ca7b

SHA512
af53e2e5faa1e6f0fa6b92e4e5396b7a1acde7a1c858bf685fcdba28a0d6cf3696795ae6b8a82d8b810eb1f0e4a896b9c484ec8ea200f2365299dc097af2c1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24f3e40530c4e364b6dc5b4d5b5eccc2

SHA1
02fe115c229d35e8a823ef739881693442fb9588

SHA256
96157e50570ed44597cd29586da4a731fe1e3ca41234910c32472b5ea01e7f63

SHA512
42de26c7f292c468fcf3a2b883b2a00b954779967f1493306e19937d2649f9253b8a0d5beeaee0d5afa5babc3ccefbf79f5f132b4a0084193aae88525d166842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd15a3ba5d4b2bcd9682214e8d27b5d7

SHA1
f504d5cf17190c51a2ad0c536c0e5aa4a0f3a1ac

SHA256
2742592f7b9cfff28639c0560b3e32436b8196c9b4a96fd11e4930d4d2f99ee2

SHA512
d60776d29fd3c3c7b7fb32a8ac24ffa8ce325cc0bb91b4579b67ccb34e1b9b941ab36a89eec6f04432a9cbb5f24f8c67d6391d11d8c5cea1d06d7d1478ff23ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3d52248f73a399639a1da5f235e50dd

SHA1
4c1f4fa9e881a93188e14c2a8ab9056d937495b3

SHA256
d4f30b04fd73156b239af5c8ae010f6299195bfaed9ef7e2a1bbd48219e74f8b

SHA512
2e2bdd0b61a8aee0d01fb9507581dc3d9ca979f040b3c2c482e6fcc19f5d9ab5f3b66dcce7048e09cf5392cd689bb850b7d472ab81b47c183ea850aa686dbed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66d035161ae6add8807c64ed708f2365

SHA1
274130cb689f7ee553b2c6fe62a33b913c8e421b

SHA256
cc6040caa90b7176863bb5321d7fb4e328dd9dd76d2836cd6eecd47c9bc9c3af

SHA512
2dc3d7cdf48c2a8782853051b7e87cb3f90d82e6e6969e9fbdb64e53e5a35a1b25be1025be548c03ccdef61aad61c016dc93a6903e8293e955f058037d64d1b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
534974f1bcdb8fa93ba695cae1c4ac96

SHA1
4b4dd96f5d3a67cdbb242b00207383133cb1402d

SHA256
0d9110bacb59a2c81f0a3a3bb0c1c422f8efc6533eb2b2029f20da2070cc658c

SHA512
7ffcf3fe6ac87ad9244da4ed9fe9810bf50e9d30b88390b0391e8a88a6827a967657416a80f8167b110d8e42fa3f0345b7a1baf853194a9a972fc3f97f1b2360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ee5375054b29eb73546724c9043250aa

SHA1
ef9a2c7026217654a4a6bfa3504278b35b75d5a8

SHA256
34e683bec85abd7cf9a2ad952ba11099b1a78a198f187ca8b06f278bfd2d2526

SHA512
15b2806bb62a3f5327288523fca326056eac75155cdc4c646bce2e4a6728396153953f9f144d1ecf3ea3679362f65cb5fc169be40e08c1e078a835469f098db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a1b21aa4602a495da4e3f96341b9872

SHA1
f732b1fcea09eff2c854ce85e43b64cd49918212

SHA256
06b427afba08947a88664a1909ce1b7f6932158b44d6fb8ec8afec031ec44fe2

SHA512
a84e419c5348e432d389c1d09032d4084433bc2db3fab25c0e0da446de08b441472fb5c8953f1ca6d458b38b12949fa834dfc50d8a158f915295784e94b44d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a2a4e6a7105818cc9e041bf01e717378

SHA1
3d44a3293a412367765782a2a7f5d809e803417a

SHA256
8ffcd0f3dfcc3603aec05bc225d8389cbb0b2d18ddceef9143ff01214a20380f

SHA512
a23f13009687c21fe5f6e01a3c74a69d33cc3eaa417c7d137b54774e7105e92a6c31ada9a3339b961e408f1f71b000549271b7a64333412cce3b4065192aa478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ab1ddc9419462a983deb24ec7e80e9c9

SHA1
64a7ca401ac135d24ebbe168df79a69d2f6eff11

SHA256
b6ab7bdc1775786d1d8639389420229ea6948166cfb265320978bab6ba25261e

SHA512
f243b97f51b9851991199617f6dd62f13cc3c0c720eb7d8ccb65c0ba5bd5fe24580e2f1688e8d9b20162db30bf65b61ae46d5d2dd778274875e9240e5d08a497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c6da8f8aaf18f2bd28e73556776d89a

SHA1
a89fd8b837bc2eac15aff7a47a947bb6d98ea9b5

SHA256
018cd96d17640d437370a0f5d353f7995b9e961f34bb9a146bdd9f1253c675ae

SHA512
6066ee662746595aa7528a23c7e4fd3e2281a82c1c986f67014dcbd0f60cf26f1404bb01843cdf987e785df088ca9498d3c598f153f27c492517c47dca909c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06e32c0bbdc1685e506d837a359fdbf4

SHA1
67a02551584997031e3ecf1baefe792be13bf8a2

SHA256
0654d1992fe5ba5087e94130dd2c20ca92861fa1e3a3c7f4b2a7ed9a53962a08

SHA512
3ab3cd8cb5de296de00c17afae8febdea945d4d4a5896d183e0bbbc167495bebaf3ec81cbfd2e683a41e4e23a4d10e25ed824033488b9d034e62bfe30d79d3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22427898d772bc79a74bccfa94a9ba26

SHA1
c14af3df79af7a0b187290c53930610346769092

SHA256
411191d5f5b1e7e3353eb97c96e882246834e410c184e84ea0f2f905ff9ca70f

SHA512
17b3b3d1547ad9aa962412c72d8a76218fae938def622477bb8e474f8d1194d9d94485ee91c8669c4044b04f324366e932a125ce80ad32be79d2449a32669d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0f92b26ab623cc8b023fded37cd0f61

SHA1
34a0ae75cea071f1340af0f5f86d1a0efdf41c47

SHA256
5a66c26c1ffe51b75ddf328a92fe662806bc893d443b8db9a4e474838efd5bdd

SHA512
522b1a0db347c60dd4286e6353a19c08860239528ac78c123fbe5e664f9484fb5810e448032848371d85234be1deaa41e679052183d33aec6141e7c1f6c891c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8b9b1bde5ec5e717d06c0b53dd5da31

SHA1
58e27e493fe56311795866bc57e8b10ac81688b5

SHA256
735fe43cfa6ed720302d066513b7415cab7155582fac6a46bbbdfb3ef76bcf98

SHA512
42fb4769c538261a2e5b128a900ba24c85c6719c80c4201ffbd02d162adc3c8d5e1c4b3f53d9dc657ebb01c052cf21eb5c29a31726d5bbb7fe4d5157b98b43bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58da0f.TMP

Filesize
538B

MD5
53b234d08db2b3e6e1fdd9dd908728c8

SHA1
df71c32517efcae3b781b44152575b5eb59eb953

SHA256
1452ec3de3750c14cea89975b9bf726f666bb96407057738332a3ab753bda19a

SHA512
1aabae6ae38d061de1e5b241f4c9306fdc2e9357fd66f8d956bcfd38cdd4d7d99c79c6b2218b73543b3a52a2022de0631fb54c63df1892de6096c62b2f2e8170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
27412bc37f46dca196328ee02ffde68f

SHA1
c0886442b1f9a6a50d1a7666d5b3fee2a58f8e81

SHA256
aa7ed103d7aeb343a65417085fa113ae0a22717440be813e4e12a123a68d04f9

SHA512
3ce9cb9bedffc52312bf2788bc1e4c483b35a4edab11afe0190d64eabbb2f46f5387602dc7b3ceac97c4fc09aa88f0cd2cc718a5c28c68f5ea093e016f179bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6b9762eeb7f6b483265a05b77aded85e

SHA1
44a74a0b323aa5e2c8989f6df3949acf64998e62

SHA256
e289c3ccff85961d05753479b56cf92f375d71aed14b84a8705bb2f07b53b31f

SHA512
0e2b0467138591cc0ea4659f511aec586356572d40f1ca508d7be2c31221a252fb98509e2b4ce5fc3a20a22f983d6daae56f5f8c04cc5b8b88bf3c2b1296fd6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cd47bf5a6b948deedf94570965bb3e3c

SHA1
3300cabad70592242a8528bbcbcf710f487dcaa0

SHA256
f964f4dd6959949089733993631e237ff94ebbf1382e0cfa07e3b1cd414e2831

SHA512
1673859c3da56f51e57c09414e15bcb03d39b9b92ff11453d27a1dacd120c5d0ff46e6c8b61297b509c0dd653f63285d6ad0d82f9aa0e8747baed64de9aa9f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d35de7e199fdbb5050182424db5cdda

SHA1
cd46bdb93d157f19cc14bd96d8938b36d2289718

SHA256
d8ab46e893b050593e94e48e23eb00ed001576d7d2db45c5c947577f7a07da95

SHA512
2b318f0ebeb651117f41fbecf4fbe87b7a4ac1fdcd7f9b1b143e2ca44dca7ba3981f56d632535b45e7826fb5732c1098680ab88ed3afa38dd1788f6bbb917ed5

Download Submit
C:\Users\Admin\Downloads\MalwareLibrary-master.zip

Filesize
581.7MB

MD5
ff706790ea4d6460e80ee94ce56d9517

SHA1
3e3212cec7aaebb7d1965f657244c50e2394632a

SHA256
a3dab994d3e4581685a8bb8db60fc8ae80904e1bd2a384202af281c210028c8d

SHA512
0634c5c753e24ef96208a5d2425f9cf32daebc5f4ff316130f606a875f581541fb719dfce1218b03b0de864d194ff2da862a2adea5a4ec5a3801e9edd347b448

Download Submit
C:\Users\Admin\Downloads\MalwareLibrary-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip

Filesize
198.8MB

MD5
af60ad5b6cafd14d7ebce530813e68a0

SHA1
ad81b87e7e9bbc21eb93aca7638d827498e78076

SHA256
b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

SHA512
81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3

Download Submit
memory/1980-1320-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1980-1329-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1980-1327-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1980-1326-0x00000000006D0000-0x0000000000745000-memory.dmp

Filesize
468KB

Download
memory/2328-1343-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-1336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-1335-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/3796-4-0x0000020DF3DE0000-0x0000020DF4308000-memory.dmp

Filesize
5.2MB

Download
memory/3796-3-0x0000020DD9460000-0x0000020DD9470000-memory.dmp

Filesize
64KB

Download
memory/3796-1-0x0000020DF1EE0000-0x0000020DF20A2000-memory.dmp

Filesize
1.8MB

Download
memory/3796-2-0x00007FFB7FCD0000-0x00007FFB80792000-memory.dmp

Filesize
10.8MB

Download
memory/3796-0-0x0000020DD7760000-0x0000020DD7778000-memory.dmp

Filesize
96KB

Download
memory/3796-160-0x00007FFB7FCD0000-0x00007FFB80792000-memory.dmp

Filesize
10.8MB

Download
memory/3796-1345-0x00007FFB7FCD0000-0x00007FFB80792000-memory.dmp

Filesize
10.8MB

Download
memory/4884-1338-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4884-1342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6084-1330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/6084-1331-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/6084-1337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download