discordrat | hxxps://file[.]io/bAXXUDq1tkUV

Analysis

max time kernel
700s
max time network
717s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://file.io/bAXXUDq1tkUV

Score

10^/10

discordrat evasion execution persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyNzk4ODU3OTk0MzQ0ODY5OA.GEjnSa.rCkhYiVecrt4rcdXOEEhOiD8PNZMRf86EQwBJY
server_id
1239256207454109748

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2452 created 636	2452	FNcheats.exe	5
PID 2452 created 636	2452	FNcheats.exe	5

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,22000,282"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4228	NetSh.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
455	discord.com
456	discord.com
487	discord.com
542	discord.com
545	discord.com
547	discord.com
147	raw.githubusercontent.com
451	discord.com
575	discord.com
454	raw.githubusercontent.com
495	discord.com
541	discord.com
576	discord.com
447	discord.com
449	discord.com
501	discord.com
524	discord.com
582	discord.com
250	discord.com
450	discord.com
543	discord.com
546	discord.com
190	discord.com
498	discord.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 5688	2452	FNcheats.exe	153
PID 2452 set thread context of 1676	2452	FNcheats.exe	210

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SystemSettings.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e7d1091c_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_fncheats.zip\\fncheats\\FNcheats.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e7d1091c_0	svchost.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600159200631878"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye	ApplicationFrameHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txye = "2814749767500776"	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	Explorer.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\fncheats.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	msedge.exe
3640	msedge.exe
3712	msedge.exe
3712	msedge.exe
2360	identity_helper.exe
2360	identity_helper.exe
1536	msedge.exe
1536	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
5284	msedge.exe
2416	msedge.exe
2416	msedge.exe
1016	msedge.exe
1016	msedge.exe
2452	FNcheats.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
2452	FNcheats.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
2452	FNcheats.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
2452	FNcheats.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
5688	dllhost.exe
2452	FNcheats.exe
5688	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3312	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	FNcheats.exe
Token: SeDebugPrivilege	2452	FNcheats.exe
Token: SeDebugPrivilege	5688	dllhost.exe
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeShutdownPrivilege	3312	Explorer.EXE
Token: SeCreatePagefilePrivilege	3312	Explorer.EXE
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeAuditPrivilege	2332	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2672	svchost.exe
Token: SeIncreaseQuotaPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeTakeOwnershipPrivilege	2672	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3928	SystemSettings.exe
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3312	Explorer.EXE
3928	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4068	3712	msedge.exe	78
PID 3712 wrote to memory of 4068	3712	msedge.exe	78
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 4128	3712	msedge.exe	79
PID 3712 wrote to memory of 3640	3712	msedge.exe	80
PID 3712 wrote to memory of 3640	3712	msedge.exe	80
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81
PID 3712 wrote to memory of 3372	3712	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:464
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6598683e-6006-4d02-9d06-cc8d32888c6d}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f9d3fa56-367d-492e-b781-f0d8192e0285}
  2⤵
  PID:1676
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39ab055 /state1:0x41c64e6d
  2⤵
  PID:1932

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1964
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
  2⤵
  PID:1504
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004EC
  2⤵
  PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2104

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2576

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/bAXXUDq1tkUV
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
    3⤵
    PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    3⤵
    PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    3⤵
    PID:2268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6260 /prefetch:8
    3⤵
    PID:416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
    3⤵
    PID:4236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
    3⤵
    PID:1992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
    3⤵
    PID:5128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1
    3⤵
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
    3⤵
    PID:5328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9852 /prefetch:1
    3⤵
    PID:5956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
    3⤵
    PID:5960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:1
    3⤵
    PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10016 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
    3⤵
    PID:6044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
    3⤵
    PID:6140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
    3⤵
    PID:3420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:1
    3⤵
    PID:5396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=10008 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9828 /prefetch:1
    3⤵
    PID:5556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9988 /prefetch:1
    3⤵
    PID:1240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    3⤵
    PID:4084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
    3⤵
    PID:1292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:5432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6520 /prefetch:8
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9236 /prefetch:1
    3⤵
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7864 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
    3⤵
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
    3⤵
    PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9300 /prefetch:1
    3⤵
    PID:5276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10192 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    3⤵
    PID:1448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9008 /prefetch:1
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16930005735918597073,13977410067349541681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9236 /prefetch:1
    3⤵
    PID:5336
- C:\Users\Admin\AppData\Local\Temp\Temp1_fncheats.zip\fncheats\FNcheats.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_fncheats.zip\fncheats\FNcheats.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
    3⤵
    PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.if%20you%20dont%20pay%20100$,%20your%20computer%20and%20your%20files%20will%20be%20deleted/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:5852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:2340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
      4⤵
      PID:5904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
      4⤵
      PID:5096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:1680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
      4⤵
      PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      4⤵
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:8
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      4⤵
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
      4⤵
      PID:1836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:4712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
      4⤵
      PID:400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,10819124633510907623,16523390703062371040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
      4⤵
      PID:776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.f%20you%20dont%20pay%20100$,%20your%20computer%20and%20your%20files%20will%20be%20deleted.com/
    3⤵
    PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:5328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.phub,com/
    3⤵
    PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.phub.com/
    3⤵
    PID:760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/
    3⤵
    PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffdb4a83cb8,0x7ffdb4a83cc8,0x7ffdb4a83cd8
      4⤵
      PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2588
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1604
- - C:\Windows\system32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2088
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /L
    3⤵
    PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:6080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffda2e9ab58,0x7ffda2e9ab68,0x7ffda2e9ab78
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:2
    3⤵
    PID:3780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:1596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:1
    3⤵
    PID:3408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3148 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:1
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3700 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:2956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:5792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1792,i,6072033382084789084,6716805688378872069,131072 /prefetch:8
    3⤵
    PID:5880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4500

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3304

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2176

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:1728
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
    3⤵
    PID:1228
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Modifies registry class
      PID:5716
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\TestConvert.mp2
    3⤵
    - Enumerates connected drives
    PID:1988
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:5268
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    PID:2268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:1452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:240

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Modifies registry class
PID:4600

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1428

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4856

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:996

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:756

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:2596

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4980

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
bb97b09617c2e7fc4d9b81cb96bb4fad

SHA1
a3a64e1a651658051c8d153abd35ba517475a465

SHA256
177d226237e1c632179932cc7880226043bae03a2a430e0b87d9a962dc617633

SHA512
2d65fbb87e2bff29d0bda67a56dcb6d7d7296c02c906432dd3dfd04f103537cff24c2c45e72d60b3b52cd50631de66568edbb1ebc543af63dccb5b19ad8d19c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
c49db1414eba089c5f500114b3ea53be

SHA1
1ca4b3031120cf8344b075d308942744892738e5

SHA256
4a8bc1af87f4247c6354d83981e888ac9f058dacd2562f434c1f73757b63a90f

SHA512
5c4945f8c86c2be848586d2f0c8c0721177bc2873515ab270806db257d65e357034d4cc61a7c6847925842ef22f49d52c53d4b6b9912eb49301cd63fb12e1f7b

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b0a40f6847934b610c24822c5c1e60b4

SHA1
7a984562d0765a185ab4af0f6b574b326410e7eb

SHA256
baa3c6350471601390dda37570a20a23567c582df132eb0fbe997f36ac831da2

SHA512
05453981b9bd66438c4e707a2763e00f58929f41bc2802f01ba240f3d7d46a6f2a7be9c28192ba783ef42c33d0f1e50766a70edbd61e8c48f299e0da75712a8f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\d1045fa42060dcaf\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
992B

MD5
2e286dd0367aaf12ac7a61923b48c1e6

SHA1
6757cfcc28a86552fa5d535bd8e2c247ef7b722d

SHA256
d33e3afd37e7150f69f78c16355a039925bb53b624587ef37727f8954c801973

SHA512
c347fd6731e59da059863918e3bafa07bd50ea8f3e6f88ad8837b3301c3971376a0665d081df3d8501ae5538a306a97f06e237e679ea3bd725256cb497307511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\62f9d546-172b-4685-8bc5-30faf6d2439a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f6f13fd5ee00c82bec6db1bafbc9e911

SHA1
f57748a896e2a2e54406742f0f7d7b3aee8356ed

SHA256
fc7c492031f9c76d7f903bb3245ae86b12a2f95ce9b767099c918e595c3f771a

SHA512
cf9f6f90df820a599428da5164b892912cbc3fbd1cc1187c400f6efa11cf6f1e1d1ec369b39ef9b9084d356a9bac0b81b607b015b346979211dac483d30183eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5081f0618fee9530d6c4600b4fac5d3c

SHA1
2d9484412c3b03aba681a5d2e1c3fe90ff9717bc

SHA256
034a5af9ea2bb53ab1d77a847260fc8ec240a993c15b13bba9a2bc57dfa9d825

SHA512
421df36d617ada36646f6c888cd7173780dc34f31f1b1d26d16833a6386d8fc5a0ce02d27455168e93e7b22724eea9ce58a0b4b8fc044310a8d50d5c565d104b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b6de7b9d6981ef16717d1a9e381fff90

SHA1
5fd29d6366f12768cd356361676a46ae8c3848e3

SHA256
ba9ea311ef333d24eb82c308c39d8c846037ab4f54627997340e281f6d942b09

SHA512
35f4c487ec87bae9a49c73f44738ad0afba9309cab46536b1e3d37779bee6ebe2b1a7788ab5cbe5de4838bf9e5caccf24db9a841084dbb75701cb2962f8c3ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b8d74af0cb1406bda91598a08f58d40a

SHA1
236e9cb5038c34ae00b996bae0340facdb67be6a

SHA256
ccb0023f1e79930cd3ea4cf6312c8ac0054de331d315a47ec76b9fe6ac39703d

SHA512
a922537e26ebcd14b4ca601854405d6314fb62fda311646e3544285a2e105f3d958fb116d834b141d369935b73cf912e63e0737f6df8d3857784f8104ea6d9e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
d04bbcbc360ec7b201907e15cb521bff

SHA1
1942433f22a10fe97beda507fcc172481b4ec21d

SHA256
8dfcf1cce9d6b986cec423f2ac97aabc79a7ef436cf590273360380dba7eaa57

SHA512
53237bd33f43dea180956d4939cb6088f602588d77a238577c732205b8b66c361850b7e4b46c5b366f2191804af3d67cef6afe7e6115e258e26ec0f9a97b6aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
36b8507d6a9f505463a3b67b25876127

SHA1
099a9291710fa9d4cc60b0a6e2096195151f8368

SHA256
d6cfc4354b48ad2f7328d1840cfe70f37e84aeac43b99e07361f8ec0476c955c

SHA512
ca895d345ac3a1f3404151941e62148e9033f3d30efb3c13cc2492934587261cd9c3c6127ea1a66bee57df39bbb64e202a0b895d614d82644b76a1badb1e82b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23dfba32e23eb90811eb18ad9a4f23c9

SHA1
aaeef0e85a4131a37f473b91eda6cade387f8d24

SHA256
df38a3ab4cf82a8013896bab11b4069a40064809e4a4bce5f3120c0566fa834c

SHA512
6b1e7b8a96bbfaab02c2792b7ebfa1848c4b2bdce2ea863b5b0e96b9062426ea9d98c08b116dd59d4d0e26095c8bff73fe44790967e6f2e0139d2eb976425f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343f4dd000c5661501f4ba8ee80bc38c

SHA1
42a42cc64436f60a292dabed54354a02489acb64

SHA256
c8e0a46b4614aaf5aa7c8a489f4f56cb1ad06d5abcf4d9ad4286adf001f3be0c

SHA512
d095ee62015e8eacb3c23f2ef062d058c7c67c247c5c11f7167bc42bda216f58aa8ad58e405b04ea273cf89cfb8aa640a0a9a14578499c7994ae564a128cf811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
1024KB

MD5
4322f0449af173fb3994d2bef7ecb2e4

SHA1
b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934

SHA256
0502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9

SHA512
d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
250KB

MD5
29b1adf527657e404731bcb7271b79f8

SHA1
50aae42abf35013822edd2004b109c1dca12e96b

SHA256
4fbab2df29d82f1d5d1ab88a4cd42dfbfd777934ed5b177324542239df37bcc8

SHA512
17d123f7b9e62a158ab2589750da30e0d8290f910052d0d464a7f5a40d4e5011c8c33ee4804000fbc52f1c4e27b8d04cf7fd1bf13a9a9b07ac2376fad1e6ed56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
64KB

MD5
475b50689dfe5ac600b3de04ace088ea

SHA1
fbb328c285b985d98e436e1a2025dc2ef814f08d

SHA256
bb3580399452f7fc44aa591302242cc83e1a1c5daad646fcc2d1d3e81b9b7bc1

SHA512
55bef283c23fe00a25ab86c8e62df455236bb4a114d72da8986d0ab51b46567f195d35f94de1e133ae61e95d121de99938aa02e80abfd38c3c841fde9214c381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
19KB

MD5
fba47837a4f1869cece43900ea928039

SHA1
58a94b50fdcdf1b65972f37781f28c2225c10e5d

SHA256
858f19c7c56b26332a91c653c5ca46dcde48424af28a37f6a1da74e68be4ebbf

SHA512
b1f32081bd582e825232bcfd2cd81b0d7699471b42c447539965721f27acd7d49d0153a5a3b458c2f305c09da0f345eafa2572f9acd42bbddae3f5e255eab3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
19KB

MD5
870237c2b6be011684ca753277ae15fc

SHA1
19a2186ff4358f09afb3dff4330f57c2ae5efbd1

SHA256
17fc0d18ee50f297234ac524b495f01b4d4d34cd19b3316bcebbac930a522b3f

SHA512
d4c615d2b80dc1ad5509e7f528fc03f2d5286dbc55ebd0ebe573fc321a1c93e4a710e1c49a24c4d9858f1d0962913b20469b7aefbfd2332c5e69a66d8f271eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
18KB

MD5
fe25151fad2965222d7894dfede59e7a

SHA1
5bbba86e9fe710d80c150e05d780d4bc4b88d1e6

SHA256
ff0a4097bc0c1f877a59efb3d6be2a4df8895a8227f48022a70d60e33b7b81f2

SHA512
895402dae22248c884a0eb553298405190d3dee1a7efe997631c194720f8c76bf7a16f8c0503bf0b43377a582b05c05fa15deb1a84f600b8d2fd72cb860cec50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
1024KB

MD5
099d8e1f3f8203715803f284eebd02a6

SHA1
0275efc65797bcdbe502594f2938e215a7bfe80b

SHA256
1bfdab24a0f2ad3a40a43db5afc6ce4f97e4a4092d35768300399ab99fa07730

SHA512
bc57372f13e4f1aa456b0a77621790bfaebe35665e44bfbe5ee1fc22707ebc98c34fa0fd7679cbc793b520160dbd4c387523f645bda5e6a90edbdbc20e61c7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000090

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5e42077b85df235_0

Filesize
38KB

MD5
65e5eaedc677dadb53cba3295b63e51e

SHA1
fea0a6ea069d3c556d596b054d99968dd0b81332

SHA256
7ee74d275a332e64bf350f7c8a5e86389172efbc37cfd705d3226b39edc7522b

SHA512
9c1a7d456e7b913b48cdc2137e64a5e9bc22e7b81b399e89ae4acb2e6195afc9d7f6b41ee577f6f57341d002299af529b7ba25f4c93be6de7cec848b94c12d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\de354b09abd8c116_0

Filesize
53KB

MD5
ccc0d1774d04a8e7a4fad85aa68a764d

SHA1
93a9dd673c0134ed361d1a518ce34d106aa6af18

SHA256
d6a473a6625536d5e4d11c33a8e928f6d48af03fec5720981e81d6e25897c728

SHA512
2579347cced019bd1345aac72667fe4462600cfd33a5a4635e9ee06073699fd3948260bff93cd8e8f002d64700aa21306bb42891d8eff585fa61e8f580cffc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
803ed41ebdee45826a6ad1bccfe53fcd

SHA1
355376f1bb34019a4f0bf161d158c64f5ac757e7

SHA256
4af275ae35df5a5fe1537446e69255b995b43a7f17695ca49ac9d517995513ee

SHA512
2af16b71e84cb3359ed5268ee665ff0a13dde7c6a250c5c7fd82e595b65cd9be65059dd33207eb5e1537a270cf7b4a3d0f87f9825b7fe37c4c1fe3ddfa69c2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
22469473f009c92a2d86a1387f37eefb

SHA1
d92603abb52acbfc8e5c709ee5f3c5043afd36fc

SHA256
ca5644ae4a0ca9e2343569d86eb5c5466408a20849d49008fe7b8e79e31859a5

SHA512
7750be01b5749200c62cba05a5645c37dc3beb52b2931ecfc17f48975da063fb7f1177bc6b43ffc0f5a918db974e09a9085ca5c36c926a2e77a9149b4b6ee282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1091c5d0986057ff32fee7ea79c97ebe

SHA1
00e24333204e410df10ba308a494ff6522848f11

SHA256
2562830bcd3109bc0c7670661ca728fe20fb2b237dd500ea052729d41235a67e

SHA512
4a641c5ce058567f280425c8ac06ef95cea4a636245484c26bc95e8e72f766ecf6349b6af76a7fe2931ece1041a47bb94f2067aa96edcaea854d1a1c67ecf1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c8f4356f03810fd1601e18377e06856e

SHA1
5e80d575f34f9bbf7907c127c7a5029c18139e18

SHA256
8f5c2f03f2f5b2b6ed0e1ac8c5a0047cf62237d02a53f73687b981765ab2da43

SHA512
6b323840f7ebfd12a9eddf4e187eb48c377fcebe82f9e8f2c4b5f1d126372f204036bb9d44272ea92dbc91360ce32bd9b030c77fcd48cfabb3db431c6598629c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a2cba077a2c07b1c858b302a91148648

SHA1
a0d13e01332db2429c56419e55665c6869f43529

SHA256
a760a515870f90fa0311865dae251b0b831f9aa0dc358d83224dc65ca5be4121

SHA512
1e793c0f3828a2f96a1ac292e58d3c1ebcb1ed83028fbf2853fbf217ddb0d1a9d78ad5ee501be38a5997931b0a05d969d6fad1691bc68dff1a5c595de4d72e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b7fe11a059385958a638eb665bc672ef

SHA1
bcf8e7cca9d4476bd168ec11d22aae6a6920b443

SHA256
784aefa461d16cae5c142dd1037167b8c5f2d2f7c7cf018ae83f996d58c838fc

SHA512
edd82f2239297c769eb21cd1709cf52c261d3d8305353715def1227d0fbbd9172b8c359e56bf6884526ad774bea05b39e80c51caa54e4931f15362208a845af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
38552719bcaae5dead828ce616e313c9

SHA1
5e0b7aab1695c437e10baf10f7091c27a29bd78b

SHA256
ee4549608c01b8e36a8fd2e899a766aac29303bb6e04a1169e23c16dfbe52c88

SHA512
0060a65d46f9a8ef03bf6bb6d3d74f2d6099cf949c0007a31078d3c9ef5917863c426127e31e2f58841d73a5c00d588c431515157e1fd8216da97e9fffa84b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
b8deeac06cca09f82098de6887bbca59

SHA1
0e7d335f5bbd7f5a80c8b1d8b0904f3d13df709b

SHA256
58b41ca3d8cf901568be254c4b00207e6e3a75eaf3f82db0c96c60708f33e77d

SHA512
7ec7fd09ea367b0776790674cd095068e0bc866d603e2d0363ad6dbc2f536fdeb6e8c534cc864c574e48ba63512573f06506813ab65eb0b30e12779fd897308b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
18KB

MD5
a78196e7ac84c413e8b4e27cdfcdc7ab

SHA1
cdfc1d3eebe4fb3c3e1920c2656b7e620e56cff5

SHA256
644debaa9ac44784bb273460c41bb0d4791b16c651ddefa70ca1652fac52fa3b

SHA512
04f4d89838a88f2272797a743319b0e0badb88d39787d3025a1ba010bf9310e7843dea6009b96143d69aedab5742efc483cc6145df919cc652c66464364eda8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
4149a969e9c09da94e1fe745c7310dcf

SHA1
71f234af36711b6f2351ab9a597f15d9d7762452

SHA256
89875b7e50ec95b96fc33a7d0dfc4612c14c46259b7a1dcd1ac61970c9fdad17

SHA512
05a7abe1976c6d5813425980a0dee21e0ed278c242209995dbd26b05e51f1f5bdc30b5235585e34a47b06e0b4c90240a2de19cd2e4b481b6463693deae5d7701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a3f0740ba9b489f8d81377f7c8cb2708

SHA1
c6186121421fce9a1ca8adcdfd204d459054a796

SHA256
ca7b5b5d45017f21572029e3149d9fa1b8aa5304a8b9290cd2bc22cd8de5b92d

SHA512
799a4e1ed7308e560155b3f333d9d4b73dc908f4aaf31e0f96fb8204b99818b2936eed7d6b62057594b14bb5ca2f0e12a6389a035b02c1da3e97b64831041047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c44773a3d42409e4e2528be89c5e55ad

SHA1
818c572489ac915e34ef55fee83dc19fe4d91cfc

SHA256
48d6038cc7e7ce1e0a53876d6b7ad8f9d5e1fad9ef3fd9e99abd30abc65a6e46

SHA512
b3482888cdaf1f10fa4070fc54c6d34ec07438230c21cc9197dd0e2a8bb2e8feb8863bc75841aba96605d8647921d477e339895af0f1732e021d33e96dda22a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
6c7421ad9c63f566d1481175bda4a85d

SHA1
9547371ac5addae6efa0f50c56a09e28de621f00

SHA256
e01802b066fbab473ddd3735eef652438547ceed572030502f96feaed9f9eb50

SHA512
49e0050860c74930b58f046422dd43fcdeb5d16a175e8ba1bce753f23e70a7022c84afd0d2245950eb02de0084263847980c72d3008adebc23cd411d01b5fc2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
a8c8721888918be69836067b77881567

SHA1
09e8eb256dce5ddb4b80d1c1a206086ffccbe7a1

SHA256
0c0200416761969d942a281ebd2a79e04ba039295c34da30c695a3a470296643

SHA512
cbe45568595f1969318383e8fe9f2a3dcccd54e08535b8321419c738dca2fe03b67c34014e3a0d6e0b440497a3526424d6b6c4c46358102b69c02855d031ff8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
729b71acb6a08931b39e11cf9609e348

SHA1
f17ff33d1e8a5c2aaddaf906efacbd8f6106cc9c

SHA256
e803a92962fe948d65404e7d5dac1889cc080594a4674d881f1b4d7decbe22a0

SHA512
4728c71e4c5486b8d1255476f3590f0cb298b237bbb69902414ea78823194c27fae36f0011cfd7e5e29dbbab5d9df172ceb8eb01b041f4869a1b0d8c9c6a3a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
71b48a36b653a3c7cfa3779e095e2f93

SHA1
dab23e571896c2f01a03abba0bd9d1d815bcce91

SHA256
31387ec7739ee0a568cae55d3b47ce5f7acd6d754e37c891e2345d68d4353f0f

SHA512
6e649b00804d5af4acaacd84a8178f5df4c5670f09397b1b40eb191bb7258cf95a0f544a7f315bb4be535b782759975c3ddb6b1b98946f07b2bf6b7fb386e184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
9ad912f7b7381c9ed96c2924cd675e41

SHA1
747ec595c466b4667bae4f9cdf9e78b7813241c2

SHA256
7fd560a3af7a3afa3d6f17a3b83e6130e68087d64ffcec0bed25dbe389bb0b0a

SHA512
33e0c25168ed42390c8468407e3e9503686cdffd08b180ffcfebe0064de103d5f98079a224cdbe7892dc4a361cddb8ac17230517e3bfd689978939c0b1887d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
5da560ba5355fbcfb08e0acd7f9f5dd0

SHA1
f8f884033f061c010b6b996ed56242e983544b11

SHA256
01fb18479b4982e48f287ee6fcd1bb7f6dbc99dad1d7b10e21539dbfec415e3e

SHA512
2774402845af9457fdb8517bdf3fd650c4743812a9709fb95798c8a441b4015107285c5e05986ceeb66e16a4dbcf3af91895a05c29187d357d73446185f51831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
2a2ddaa208f3b6aecb7d4d4864297a54

SHA1
8338639f184e768f4af380b288a87fb1b74d0d3b

SHA256
3eddff159b2f4631db25437ab015db19a46c656526a80e197f405deed76ecfe8

SHA512
eec076ba7aedb7d92ccc2154344b417bbca5fd81d406808704ced28d6a2b5e714178999fae3e19a0f91ebf61f562fed304cb3c53862598deea6df32a2c5aeb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
a92c11b9f36992c04fba83e7ae266394

SHA1
92cc85133680ea8fef00c437d3c71e7eaee4e1ba

SHA256
490104f89ed6609b48a269097199aeb6e4dec1aa22a73193c331cc84925b97c1

SHA512
296f59fd7ad0dec67e075e7f73d52c04b313c3a5373aeac00ae93537e2c7be7dcda81062c486c30a221a0cb94306ced00fea90c4f20fefaceaaebf0d7246df49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
ed193a89658263015d21f324501e2655

SHA1
9d049a02e5411ca7d681e977b94c73728e995c5e

SHA256
73fe1b31a6eaf3386b9bfa6d8eedfbc7e51907629322a7d5b503beb5c08493b3

SHA512
8271c53469d1938699e9126ae7c939dfe4e230c1553f0fcf397bb9bf22d0fdd528de167b4c888852ec5dbfb51c1c9834eb59ff657eae0c4306bb117e580194ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
f794bc127b85aed673b0910c612327d3

SHA1
a7ce412b26d5dfe983e875826e2cced9fae6c774

SHA256
c0c1b63e797213a9d342096613c5d75f295a9d01e1b462fc25f6eb26c8ae29d8

SHA512
c0d3b856abc3b34acb302fb5a6b37e3818325f6483fbb9b5ce38a6fc274ff52051040d6a7762411151c196002dd2810d73676cc51da9ba1a2bce0f1cf58822be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
85c12491b18491688f205f78ed1bc7d0

SHA1
5dc045ba29311c14ae42faf8b2ed62e17f82589f

SHA256
d3a9fb1ec7fbe76fa67252cdb60e7f91a3544db8c1e25632b445d8b6fa183611

SHA512
1370adcdcd27e9f9330542139b52d765b0261531f890e8b46336e82c46f1f5c3c687a08abcd33c8d4ec2600c0969acf50dfe344fe1b76420c1d6b5222d0e14ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c915a.TMP

Filesize
48B

MD5
55a04521b5a968acaa9ccf1de804c658

SHA1
c27bc042c61aacef1f536254b73ea25f10611f5e

SHA256
4eba23d387e48de5dd2e5c91fed638f75e82791756a5709d6035d4e6c6692c44

SHA512
05fd7dcb8b35e7166fd2d90ff8819353039a674e6ad70b9dd193c088172af4245396388acb6eb27e5cdbab3b751c12aa787aef19a8aea421f4577935391b6d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
1679421fcaa7091e6b418af90ab1fe4a

SHA1
1e41b0a8fb8c8cd0570a86cc5f410767dc24d96b

SHA256
0efe1f2a65e9cadb2c4b67baa9358bf4d50923d404215ab49a557ec9e454bf1b

SHA512
38c8365bd0353c865c52ceb064f0a6b125cedc96d454c307dd5ff26a7100aac101e93f0804ad4a73a71b96d845d79795dd39d25950546773736adf714c7db3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
227fcb59ef0ca0b310d8d580537e4105

SHA1
0a6e9dc3fdcea71d1bc52e69ffbae2ac85a6c609

SHA256
4b24c04de55683a96ea74c5ab8f17be0a0313d5cedff9caa44f04166bdc78b4d

SHA512
e6b8c56ee6710391ee6ccef2542f91514303948d17c321d30c73c783644ff3060c9ca82238a9a13bec33a4d8a3520be88346dde35b4c385132449433f86bbeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ed06eac1cea3ccb91241e74511853efb

SHA1
60f0ae91610dbca65ef5c70a48eedbbf21b91bca

SHA256
de4c14d8df8156023c33d4d78eaaba679d8745924b6e16d48bf97fcaec25e79b

SHA512
59c5d700321c804be253aa8b526b36382104b37dd4f1b15d16ad645a2486c6225345e515db4d961466ed2709c5c252b1594caa63ff06219daf396dbe12d6e622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1cbf59b2c853cb95ee6bb1194aa9d496

SHA1
b717144097cda936e51f9ffebd4c682111ff6313

SHA256
1d4b0babba22ef817300478d8a0cad47d6d8b1b73395125a25710a7eeab3d86a

SHA512
46a036568b1f7d063e98887d5eb85025948f3fe568205b9e9b2f7c63107bffc5fbb700cb6f2323a4fd21cf69a2ed0704e83719f01662139e786656b0d04f5a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c8490d99f59055e8ac0fce245e2763f0

SHA1
dc5e59066b8e4c230b5ed733832b45ca7c56f31b

SHA256
955fc53a7898dea960dc61ccf97f5be8e62dfedf49b5b1dd6b8692a33cea7e6c

SHA512
f9e027a8ed7671351e8854811da88ecb408acf6256797310f594eb9e9806cfd732f35a793c18a2dbe738880a9fcd6dd3a9ed27c4a34e177fc62d7ba3bae03e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
19efc91b6fc0010b1aad01aff6255b13

SHA1
df6f3aa0a9e3888dffce9fbf980cf2b6efd3fd86

SHA256
5804a161d1d8881cacf8003c50205b246b4a221e76e0a587ac61eafafc31a4d3

SHA512
36e3634a73eb7a857fa6892359c93e6d1a87d32e483e285242f17003fafea83d7c643af399675501dae482ae38b7bf5dc234af8226011b42c05879582a7642ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3e8f8293e4b59230dd385ef008658589

SHA1
9f2bed21249eb3b39390f64f51504a604d648135

SHA256
4f714e4b89614ba5ff697a4089262f1a66cd3800750788536c7cbcbc2eefd512

SHA512
d4986175eda0a9690257bcf7032cfd8c2350ed7ed6dd77ab12bb7d622100b737b60332db98b1ebd228d09233f0262daea12ab65f3ab6a119c818f2b35a3fc129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7ea02a82339185ea9b9fe3d80c60bd86

SHA1
f709405306dc2d5dba33d5af23e717e7ec57f1d8

SHA256
ed231b9ebe28e20cb0d6dfb08506cbe24157db95acae69787e0178d31632eac2

SHA512
8640fddad01972a9c704c1a003fa4ea657e4c8abc5099fc3f4906af30db7879875200c3012f8ffbe2f83ad3d3ee4281e075d9c1030c12c14198df57f27850063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de1b.TMP

Filesize
1KB

MD5
d85e035a0ddefa7390a31b13af176729

SHA1
5f06c4d39bebbe7e94e4e199d5d9dad6fb0f2a9d

SHA256
488baebb93afd9f60440f20c0bd03cc394230eb08f943f5083bc3fa7e5d9d529

SHA512
5a7d8199049a7003c7455cc2e0848906ca57e5b567b7f701282688b3d700df36b75759579775dbb213a182ff8964eb28d3442f873839f350778c04fd27b4f1f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e2e71378c177ac3a5cea9586bca208fb

SHA1
d482b1b2eb7a043a17f022f77efcd02513c4745e

SHA256
93923fa6253fd364e061b7a8004f29a83e635df20e22c94288f23b865d017de6

SHA512
d0666c5d838a8573f66437f9def5b1c477613c19135b29ce83bd354700015eb232aff5cda2ac9f0a3acf40bf45968c04b1c84b2a60d1bc430a09b8606b84fa5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
56a5e1f5d9ff33e038c43e35c8908995

SHA1
b811fd6e366962e6645656061a34f6aaf0b606a6

SHA256
bff8b5b2904b7006bf1cc1eeb7e7603c685c4995cd43f060319bd2e9e1c99efc

SHA512
ad19f188f9989342eb5ab10b731c049d328b7996a8a4250e643eb3ed133ac900fa1948a933ca89bf7a1acc6d7d661e66bcb10fc93e91154b631d149dde86826f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
db216c1950824881f99831c5f502e61f

SHA1
15623e6ea43f338f44ff837d9f5317c2b30dedf2

SHA256
cede3b25dc8dce0e00dee4238f358de7eea21efce7dacb5d919c0c1ef89616a4

SHA512
6fe11248bc29c36c689dc1974251592d6acd8a8e9abb37004912c3794c1e6403d8bd67e444d38c522c313dbd2f15a499c0867d279fd85168ab51fea1a96fe067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
697df78259a29f8c009683519f4a765d

SHA1
71221f6def2b757efa4f88ffd4d2a24c0f500662

SHA256
159198b1a98412f237ae817b465f545d74a4dc54e7c7b47b46fcb1d83bd3650e

SHA512
ebebaf7f606a7b3743697b25da6511d51a7522b948bc84c7d74374aad49e4a6db308d15a0752bfca7e5c7b6d42e5e6da057c1333ee4275fcc7035089d02fe4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
704KB

MD5
f4d2e2d63d4a903f6b0dd748843eb6c7

SHA1
53552cfd1230685b22594285fd2f4f1971920fe9

SHA256
ba9cfbef3f11d4fe670dfe1616b52896de2be953d0faf5eb0b5113a0be69d666

SHA512
101fd9b47640a07ff5e17e0790fce0c23a8b53dd4cc23780787a2b3f6d7efc71c889f2b780caeacf9257ffbd88836a9e34305f4cb21ab32e994fa22266a6237c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
76f78e3e5c1037907fb39472ed929f93

SHA1
05a3b3be7efecee2adcc7e3dc3da2a48173ddc64

SHA256
2a340d9f2006a1c4a7aab982e7d873581492bc9e48e5cb8bcc6e90b9250eb241

SHA512
3b99e6c4a7255429c90cbe8b467b9150830f5741b043610713f02c410afabf083566f9e36dafab5e8ce349132272524689a5b27d6eb6c69021673f73353d3bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
b6b78ac468f7275502bd567df719e7df

SHA1
fdfb0eebe4c66fe39ea9bf7796a56fcf593417db

SHA256
2a036d6044d6e153ba74a16143aa9bdbe89c3ee442a12b5ef27112d1c8ecb955

SHA512
3d0805d7c66322bdb8ddc3b23a4908cb5dd5d73aa34105ec77d008952749122d424bef673a675a0cf36b03ae6afee1ef426cbfeccb89fca6913efa3c4e962c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
f1edb6e563037b3bf4e657e4907e9ccb

SHA1
cc1b08915c14bc8936a0fd01e23a30db07535e7b

SHA256
f96d9c2deacd42e35a62b216abd3a1312f92b149026c56d9e1b76525e0bf444f

SHA512
c6f279a26220122411e8e79adb3270d45c665f0a8b9c3300c9b5b5cc4242a861e0698ee0d1de44fcc2151eee3743a315cb7cfcfb7cd1f80f27ad278ec9bb27a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
3e1cb8cad8b1d190d9b4281a2c8836d5

SHA1
c6c917afae58dbe281ed0dd1511615ed4d10851c

SHA256
3871fff4aa3fbd257aaea64f853f050b4149668ba919c09f723b279b64489b68

SHA512
5bac386065c484b0fa9113147b4137824f1b34f8a2fd7cc4131e0104a1e534f49958152c3b4463b50da42fe40d451c92dac134bb058eda7c2fb491aa4116051b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dtjv4rqf.z25.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IVXCMW3KYQU5CN4JIVZX.temp

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
cc35bac471df92818b39145a43fae86e

SHA1
86f923428b71a686efe7dca2cd221742db3b9b72

SHA256
73682926ef3ad303bd99e0cdaa7f4af0fdc99d9d8a9e9edc7350b9f6867c56e0

SHA512
28394611f317d467cb46897fe8e237dc4eb26251a90a060f0e5770ea4a9e987ec78b9a7a2aafd77c6068196bab43b7559cfc2efdfeeb924afe9d9fbdcb7e6420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
15KB

MD5
fdbe6b956fa26b9e3e497984240de3ee

SHA1
b69f10d50501c5535f7ace97a60251736981c02b

SHA256
96cfc1ea81fce31a45abcb1465be98ed7b3e3ca852312c403c16943d05edbc72

SHA512
ae83900668e6c5ecb0c83d4efc41dc899293e0b118d1b9f79bcd6e72814f089d9abda24364e03e9b89fc3929fcad029583d4263d7b106ab0ccbd0a99dbfb5fa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
15KB

MD5
21b7d219423911ade30f8a442385e52e

SHA1
dc758118f3eb45f30a60fd17b1a6678f2442e3ba

SHA256
1638cf6d2a98c62e086e60b3bbed2ba2f9aeabf82db83c0f5d7717d4808be5bd

SHA512
d4d008d410b426198705e5e0e538c8b9f38857a99dabf1ccb905cd2f333828d1b54b683b827a0f462ceea383746702713b95e51865d39ac218148b9eb4e8255d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
ec3880aca02b25101f85c8e31d1dc1d7

SHA1
792795bb856b51111fefdf2991912cb5cf2d3030

SHA256
4f941dde013752646686a63e52f316419e89971093679fda97b15046326fbc98

SHA512
8b5c92543368ee1be9a727b9229f146420c20b3a2a51ac26150368c0313768b36468533e91996be9b0b28464c3e1273460f15350382b9c5a9134d4bf5f86d287

Download Submit
C:\Users\Admin\Downloads\fncheats.zip:Zone.Identifier

Filesize
152B

MD5
015a84264b7ca1f53872f1e0d8aa3b91

SHA1
a7e718dd4a697b877a42db591d68ed0759d65590

SHA256
a84aaa1f14ebb0bbd492dae31a0a19a8d57efe099b35a0225393db6bac63380a

SHA512
ca661d27bea693df07225ad60a5098d7b2421acfa4459b0a5c029db34f7b86980cf8e1bc12d93f05bc7cf5c8343ff406e7f0477c7d02e74b4f304edc94c74599

Download Submit
memory/464-1290-0x0000025E005F0000-0x0000025E0061A000-memory.dmp

Filesize
168KB

Download
memory/464-1291-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/636-1266-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/636-1264-0x000001ABB6450000-0x000001ABB6473000-memory.dmp

Filesize
140KB

Download
memory/636-1265-0x000001ABB6480000-0x000001ABB64AA000-memory.dmp

Filesize
168KB

Download
memory/684-1269-0x000001FA6C8A0000-0x000001FA6C8CA000-memory.dmp

Filesize
168KB

Download
memory/684-1270-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/752-1278-0x000001A950D80000-0x000001A950DAA000-memory.dmp

Filesize
168KB

Download
memory/752-1279-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/984-1274-0x000002C984D20000-0x000002C984D4A000-memory.dmp

Filesize
168KB

Download
memory/984-1275-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1068-1288-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1068-1287-0x000001E9E6970000-0x000001E9E699A000-memory.dmp

Filesize
168KB

Download
memory/1084-1293-0x00000148A7940000-0x00000148A796A000-memory.dmp

Filesize
168KB

Download
memory/1084-1294-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1156-1297-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1156-1296-0x00000252C6940000-0x00000252C696A000-memory.dmp

Filesize
168KB

Download
memory/1232-1300-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1232-1299-0x000002678C310000-0x000002678C33A000-memory.dmp

Filesize
168KB

Download
memory/1296-1306-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1296-1305-0x000001F456C00000-0x000001F456C2A000-memory.dmp

Filesize
168KB

Download
memory/1332-1303-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1332-1302-0x000001D4D2660000-0x000001D4D268A000-memory.dmp

Filesize
168KB

Download
memory/1368-1316-0x000001EA18D70000-0x000001EA18D9A000-memory.dmp

Filesize
168KB

Download
memory/1368-1317-0x00007FFD83BF0000-0x00007FFD83C00000-memory.dmp

Filesize
64KB

Download
memory/1488-1319-0x0000023D95E90000-0x0000023D95EBA000-memory.dmp

Filesize
168KB

Download
memory/2452-1253-0x000001E340110000-0x000001E3402D2000-memory.dmp

Filesize
1.8MB

Download
memory/2452-1252-0x000001E325AD0000-0x000001E325AE8000-memory.dmp

Filesize
96KB

Download
memory/2452-2286-0x000001E343110000-0x000001E3431BA000-memory.dmp

Filesize
680KB

Download
memory/2452-1257-0x00007FFDC1FF0000-0x00007FFDC20AD000-memory.dmp

Filesize
756KB

Download
memory/2452-1256-0x00007FFDC3B60000-0x00007FFDC3D69000-memory.dmp

Filesize
2.0MB

Download
memory/2452-1255-0x000001E3407B0000-0x000001E3407EE000-memory.dmp

Filesize
248KB

Download
memory/2452-1254-0x000001E340910000-0x000001E340E38000-memory.dmp

Filesize
5.2MB

Download
memory/2588-2638-0x0000025CEAD40000-0x0000025CEAD62000-memory.dmp

Filesize
136KB

Download
memory/5688-1258-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5688-1259-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5688-1261-0x00007FFDC1FF0000-0x00007FFDC20AD000-memory.dmp

Filesize
756KB

Download
memory/5688-1260-0x00007FFDC3B60000-0x00007FFDC3D69000-memory.dmp

Filesize
2.0MB

Download
memory/5688-1262-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads