cerber | hxxps://github[.]com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer[.]rar

Resubmissions

12/07/2024, 12:49

240712-p2q5faweqd 10

12/07/2024, 12:48

240712-p1rdtatgml 10

Analysis

max time kernel
336s
max time network
345s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar

Score

10^/10

cerber evasion ransomware themida trojan

Malware Config

Signatures

Cerber 6 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		3920	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2424	taskkill.exe
		4724	taskkill.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner_2.exe

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner_2.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 35004f00300048005300200020002d002000310000000000	applecleaner_2.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00620048005300200020002d002000660000000000	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner_2.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 38004f00650048005300200020002d002000330000000000	applecleaner_2.exe

Executes dropped EXE 9 IoCs

pid	Process
1492	freeSpoofer.exe
3084	applecleaner_2.exe
2436	AMIDEWINx64.EXE
4564	freeSpoofer.exe
3140	applecleaner_2.exe
3524	AMIDEWINx64.EXE
1292	freeSpoofer.exe
2956	applecleaner_2.exe
5064	AMIDEWINx64.EXE

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000234ab-185.dat	themida
behavioral1/memory/3084-186-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3084-189-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3084-190-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3084-188-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3084-191-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3084-249-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3140-578-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3140-579-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3140-577-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3140-580-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/3140-591-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/2956-748-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/2956-747-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/2956-749-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/2956-750-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida
behavioral1/memory/2956-802-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner_2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
11	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 3 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner_2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3084	applecleaner_2.exe
3140	applecleaner_2.exe
2956	applecleaner_2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 63 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1183c991-4414f82e-f"	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "037ec1f8-94a1f557-8"	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner_2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "90f7a1c8-33aad01a-3"	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "f1ce88f9-9b205907-9"	applecleaner_2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner_2.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner_2.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "79a0998b-70d889c2-d"	applecleaner_2.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "183fba5d-7fa09cb0-7"	applecleaner_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner_2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner_2.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
1600	taskkill.exe
5064	taskkill.exe
2424	taskkill.exe
4724	taskkill.exe
5032	taskkill.exe
4004	taskkill.exe
2352	taskkill.exe
3920	taskkill.exe
5020	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
4708	msedge.exe
4708	msedge.exe
3296	identity_helper.exe
3296	identity_helper.exe
2032	msedge.exe
2032	msedge.exe
5008	msedge.exe
5008	msedge.exe
1076	msedge.exe
1076	msedge.exe
3084	applecleaner_2.exe
3084	applecleaner_2.exe
1492	freeSpoofer.exe
1492	freeSpoofer.exe
1492	freeSpoofer.exe
1492	freeSpoofer.exe
3012	identity_helper.exe
3012	identity_helper.exe
3140	applecleaner_2.exe
3140	applecleaner_2.exe
4564	freeSpoofer.exe
4564	freeSpoofer.exe
4564	freeSpoofer.exe
4564	freeSpoofer.exe
2956	applecleaner_2.exe
2956	applecleaner_2.exe
1748	msedge.exe
1748	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1292	freeSpoofer.exe
1292	freeSpoofer.exe
1292	freeSpoofer.exe
1292	freeSpoofer.exe
4000	identity_helper.exe
4000	identity_helper.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	1592	7zG.exe
Token: 35	1592	7zG.exe
Token: SeSecurityPrivilege	1592	7zG.exe
Token: SeSecurityPrivilege	1592	7zG.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
1592	7zG.exe
1492	freeSpoofer.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
1492	freeSpoofer.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1492	freeSpoofer.exe
4564	freeSpoofer.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4796	4708	msedge.exe	83
PID 4708 wrote to memory of 4796	4708	msedge.exe	83
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 4464	4708	msedge.exe	85
PID 4708 wrote to memory of 3888	4708	msedge.exe	86
PID 4708 wrote to memory of 3888	4708	msedge.exe	86
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87
PID 4708 wrote to memory of 516	4708	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeSpoofer\" -ad -an -ai#7zMap23041:84:7zEvent13919
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1592

C:\Users\Admin\Desktop\freeSpoofer.exe
"C:\Users\Admin\Desktop\freeSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
  2⤵
  PID:3504
- - C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks system information in the registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      4⤵
      PID:4004
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      4⤵
      PID:2120
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      4⤵
      PID:3020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Battle.net.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      4⤵
      PID:4356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
        6⤵
        
        PID:3232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        6⤵
        
        PID:1988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        6⤵
        
        PID:4732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
        6⤵
        
        PID:1912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        6⤵
        
        PID:4396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
        6⤵
        
        PID:516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
        6⤵
        
        PID:876
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
        6⤵
        
        PID:1488
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        6⤵
        
        PID:3132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
        6⤵
        
        PID:5068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        6⤵
        
        PID:4972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        6⤵
        
        PID:3920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        6⤵
        
        PID:2968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
        6⤵
        
        PID:2436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        6⤵
        
        PID:720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
        6⤵
        
        PID:184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        6⤵
        
        PID:3656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
        6⤵
        
        PID:4340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        6⤵
        
        PID:4468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        6⤵
        
        PID:3296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:8
        6⤵
        
        PID:2740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
        6⤵
        
        PID:184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        6⤵
        
        PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
  2⤵
  PID:4560
- - C:\Windows\system32\net.exe
    net user administrator /active:yes
    3⤵
    PID:3664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active:yes
      4⤵
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
    3⤵
    PID:4464
  - - C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE
      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
      4⤵
      Cerber
      Executes dropped EXE
      PID:2436
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Users\Admin\Desktop\freeSpoofer.exe
"C:\Users\Admin\Desktop\freeSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:4564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
  2⤵
  PID:4480
- - C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks system information in the registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      4⤵
      PID:2288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      4⤵
      PID:1944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      4⤵
      PID:3596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Battle.net.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      4⤵
      PID:2412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
        5⤵
        
        PID:1480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
        6⤵
        
        PID:2792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:1048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
  2⤵
  PID:1600
- - C:\Windows\system32\net.exe
    net user administrator /active:yes
    3⤵
    PID:3660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active:yes
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
    3⤵
    PID:2192
  - - C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE
      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
      4⤵
      Cerber
      Executes dropped EXE
      PID:3524

C:\Users\Admin\Desktop\freeSpoofer.exe
"C:\Users\Admin\Desktop\freeSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
  2⤵
  PID:2184
- - C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks system information in the registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
      4⤵
      PID:3248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
      4⤵
      PID:3860
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
      4⤵
      PID:3140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Battle.net.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start https://applecheats.cc
      4⤵
      PID:1560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:1792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
        6⤵
        
        PID:396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        6⤵
        
        PID:2224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        6⤵
        
        PID:3128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        6⤵
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        6⤵
        
        PID:348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        6⤵
        
        PID:3732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
        6⤵
        
        PID:1988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
        6⤵
        
        PID:224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
        6⤵
        
        PID:5108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
        6⤵
        
        PID:1136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
        6⤵
        
        PID:3188
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
        6⤵
        
        PID:1172
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
        6⤵
        
        PID:1668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
        6⤵
        
        PID:2932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
        6⤵
        
        PID:5312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
        6⤵
        
        PID:5320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5040 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:4152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
  2⤵
  PID:3296
- - C:\Windows\system32\net.exe
    net user administrator /active:yes
    3⤵
    PID:4412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user administrator /active:yes
      4⤵
      PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
    3⤵
    PID:1488
  - - C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE
      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
      4⤵
      Cerber
      Executes dropped EXE
      PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a870d1e22451fe178c351580fa9e31f4

SHA1
70ae09e0a1852c76122a2fc202b9ab60a14a2213

SHA256
50a798dbef7ab0f49c686f3408d423d2e6d09f2b3440e3cfadec288b8fbf1512

SHA512
ca5f8ff302c48d50dcf4bffddbe8155855875a61b72c3aabee4c54b24ab6bf1d558318d1278afe1103e9bcdd0605e409b69dc64ddadc426a2d5e6e27053958e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e6d055237cc5ac8b34e2616da0e1e391

SHA1
0ab1fe501cfaf1266be8ba01c79bf33468b9dfae

SHA256
21de8724287101fa4f2d99127c971545025185122f35ff9ff6cc5bc11b885909

SHA512
59b22aebe2d3979bc29a8ae34df813f9f12321a8cac855e6258e6b6965c53efbab75f2c6a531d5c3b844ddbffbafed7639d750592db716de7452ce05876e48d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93d978de0b4283f57495b59545cf4360

SHA1
a545b4f9bae3ac46a1fc8b0fbbecc9b6b79b3335

SHA256
04cb42b49eb17c31d955cd51d2ddebf4d296779fe3a941d3334c7d8061104630

SHA512
ec262d72d9d723cf6da8c72abf4e50da4b4e392e0397d61b271413db645a5483b1caa24fbd96c4478e06419eaff9aa15972dafaf92c4ccf88fd83d1fb8975b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9f78f61c-ae45-4645-a34c-8e49c17aca0b.tmp

Filesize
6KB

MD5
cf28ecad96a2d54ffec10b929f2c33a9

SHA1
d9ceb140566fa7c436fa0ea596f13c5a18c0c860

SHA256
30f5e9c77acbeb3192db1a7f9d9fc5c0809b70c3d6ebba19431eb4ca9b8e8f66

SHA512
8a4bc202c4f689266707ddf2fea52a7641a44ea1d13b1ef21ccce20d742f614d74281136d5bbca0ba76305fbf6b97a88a56e71f0235c47be28b27e04507dfc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5bcf01a100018b0b1800c60316916f14

SHA1
82461356567aa396886a799f36f439fa4da3c2bc

SHA256
829229eb1a5f18ccfbe785c8889447b9a50da859fd87b0bd996560310f8e4a5c

SHA512
ed322f68f7989311c03a0d3ccaa77a941105050d63ef5bea8d383e8cadcc23438424226fe79b1948d80662a19a22cf671daf62a876e266d5b4b5f035a6d4a4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
6acdcae5bff38b5f02dab8987f8d4989

SHA1
7b96e1cc4ef39b8133fc61f366e2b784a2a72108

SHA256
509d80a8b8e5b5f0352a356fce3f84fca1b2b7a10c987dc6602416bb41b6565b

SHA512
d37e333e0313be190fad640a9cfc8259a90cef92b8d230e2462dbd7af21fa6deef8d3a1c3a5c2d6a1ba86d2883322eee8cbc49139cd6b28221e5cf46aeb54829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
9786b84d535c348037bfc0af6cad9af9

SHA1
70233bda2d9868648479618bcbfe5fc5d96bddfa

SHA256
6e97e86ee1c908fd737f9ac0cf5ebc34a95e33d47f2cb58148f67aed8af9ee14

SHA512
6ec9633c089f79899c9989074575d1a5c10b104cd1916597994ef30bbdbeea3b32d39303666870c759439873eaf4400dde24a3ad6dfbfc99d48c6841506c1a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
51KB

MD5
5f5c9972f65ac63c264e607072c64576

SHA1
9d84385f8e8bf337bc647eabb4e00b3763ca70c5

SHA256
4ea5c6296a4e344eb8cb9c770d0dc0d483e97b53fd59859c2c178d16cbf4f94c

SHA512
dc011715e0a5ff0a7d7c3106b57db5b5572ea6d4b74fa2a04216e85c7a24b44a52bf284c2bcb457f6ec0183268206650fdc19ac07d9ea8f26320357124d88ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
31KB

MD5
63a94abb30126570d75daa3cfa625fd2

SHA1
cdcd527e56935e2cf5e979c92588892ae337fd50

SHA256
9c3ef951aa98b46a38044ba52dc2912439697719fa6850255e77db28d499b58f

SHA512
2e18d7d794900758728c7e9197b3a4d9c3df41cf40addf05a8964e468d41642a125aaac90afbe88e09eb2758515ebcb9b8f5693f279e6a64a48a5bfdd9f102c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
117KB

MD5
c86148d2d825ca014d4d1312195172d5

SHA1
417287c872c3fb419b39c4d2d6c1208904093edd

SHA256
1d9d2cb29e07816ec51064a7a1cb754a129544c1482723f237c4fdcc54702808

SHA512
1e372cb5bd5da1330c9d0a8199be41a26b07a950b8b7de94ba21e693798aa2bf22a1ab999dee62602b7c1fb1cd837a9728e51202c43c0772989259df82adad8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
95KB

MD5
57de6d6cb74ef45508f1bfa04589d952

SHA1
43f564cc15ac70f107f2076b1535c812aaad4292

SHA256
7d5a74904b65595d38a7dac3f74b90e7aa582e302a2e446239338b83992de0af

SHA512
c9222718f3cfbb64fefbf66faacb25eccde0f125a3cead87057507103beb64670f191b62bf82e1e160506c9d96e7c2576213ff07818debe12c5fe79be109af60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
2a0b5da6166ad4b50c461647a29fe427

SHA1
e198444731b76661941cc4628024324dfbd728c4

SHA256
e2f6d4e250b3032229e3105e4a0fc3e849c5184ff0e366a3877b0c7a4b9618bc

SHA512
60cb1582b1c65fc8fe8796be3b6aed9e4c48206a4b2534f15a292fdc694bf9a0502184b4bce182784cbbd41dcb9a7cdb28086c5fb2e78e379242537c84be525d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
22KB

MD5
9c1283510cbfaca7e8e531b4336cfcb0

SHA1
500285b207303d5c569595e055891b7964d7c405

SHA256
33714bf8b8291cb0a726b156b0be60c317bf900812f483b714ef94bcf2db8644

SHA512
794917f221c72ba02089f7fdcf60e9518fa4e77a4ebe9721ed9a27731341c2c5be63931b76a2223ca95ae0120e2e0d3a2b7f75d653b9d53eeea46f8f6fdf418e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
22KB

MD5
709199329241af6565ff9647762ecb79

SHA1
2b2ce61b505f57d6e6e7a179d45fa1b4ee0634d8

SHA256
bf95260685ff141dd90227e75659ff11edac6e60b7b897c5638a778015bcad0c

SHA512
5a8c5f7da77f4ea16ef5b06896c149d38cf7a831a96edc8d3d42f8cbef88a20b0be5971f5baa2ef97221e85ecc2275ad5088cac58ad7c73b3b155a85af4785c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
33KB

MD5
ca27923986447745810849e975265b5d

SHA1
0b21bafa12cd1a7eb220c85f77d07f8b0a24922b

SHA256
d441a9cd526b61901b48ef28bafc61f71d1ee9b6c6ca5a670d5f86dbd301f481

SHA512
71d96f71e19462a6a8d4b08244ddf361251099af8556b6cd5b7cdff7f2701d7fe818e4e8a4d7219900a1052492861794e9a7e9a17e29d1485857212576b7828f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
75KB

MD5
af7ae505a9eed503f8b8e6982036873e

SHA1
d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c

SHA256
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

SHA512
838fefdbc14901f41edf995a78fdac55764cd4912ccb734b8bea4909194582904d8f2afdf2b6c428667912ce4d65681a1044d045d1bc6de2b14113f0315fc892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
38KB

MD5
86b73ab5f530be7984b704414f2a711d

SHA1
8e297794ed7b6f5ea476d14b5270df12e8f3e42a

SHA256
1a48b70f97555c13f84b8f088a417f9179d99b5101250819350acaf6e91bb92f

SHA512
468f8d4ae9419cacdf913fba2da37055e3469d935d7b7b362717cf17d2c4c27882ea3bb34510273312dd80dc2dea05775ce65bc3f9d1048f50aad4b27e8188ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
c0748fd5fed69fd96bb6d3e0332cb30f

SHA1
5f60f042fcdda38d42ca798417cc2627d96efd71

SHA256
11ca424fa58451d4aef3681ce6f9e183732fa0c025e934ce1547611b1a9ab350

SHA512
2e7cc3043c5d5a170e7aab3dc71364deeb043ec96d715478919390448a6a76dd534ee99ee7793aa87a8469ad36f6bda0208975041a674d09c90bef4d03c3251e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
b40073c0ad07f4ca85969f27f64e1516

SHA1
32a11c1c2bf29423f0054928495615667e12c839

SHA256
09dd39b67ef7da5e9e1e77c279710dd052c5dbd639493b24c2fdab7411457d07

SHA512
b68be306cac5c66aa00f5af81daa43509cc3b2449136737ccf8e2518a9f6c9791a87a6d7776f2d8cfcf0cf5b82db491e7005549388907418e006b2b47b01de0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
574c0caadb51a9e04a1ec2433d16034f

SHA1
8bd4f4015d64dbe0a6d628e5e681967363ad53f9

SHA256
79052d59ebd69a8133a56fc4552a7aaf4d7ae9dad1c104b34ad3ec93a3a4dd7c

SHA512
7fdd117d23a0cfff0af11bf01b84010a4affb28b1791266bf2b69a3ec1949036d90342d939d320cb6cec8aca072a6050d8070344b61bb81fd9b499dfac9ce2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
b0d5ad5ec142c1f88a21a5b85e0eb3a3

SHA1
df3f3af8d14e996e7dcb4a9d22fc0d17ee52ee10

SHA256
8596fc656e4e86e70e80dbd6e52f1a32e9ceb56afbc056fb21bab9e852134407

SHA512
48c4dc4019e8f58f3051291b50737b7a5090d82a07d63b92b2efd77a4915cbe6c52cbcad4217389a9b12d0197d352ba189dcbbbf1771df551432e8cae8d0759f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
5e67f28dca1f3c7d65b77738f6b77a79

SHA1
000533c874a6c3df4646f722d2a91d7132cbd2a6

SHA256
1a6907cb7e23d1425ca2263fc726ade424b0f01fabac9adf5dd60c6bdcd88b24

SHA512
af556dab9272321d32f5a8dbfbbd1f3c8bafd981c1982c57e909ee8b5b3c46d7b29e046d53dfd54e32bdde11f4b30ecce02c8a942bc40f11fc0402e08cd310f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
317173c9c06d3143684b7afb3182f7de

SHA1
3500fb8997468ed6c53eb7f54b86fe172a6c43d7

SHA256
d2aca3124bd82267965b6d50f12f395e54cc7ae621273e9e74a2cd93bcd5fed5

SHA512
7fcd79c829a848e02d21fffa7bc7471100f57c752a3c6f0c0fde86e0311608c4647fae67ebf3b2e4eabf07bb93f7dcd27fe2fe91db56c63d2c5e477ac831aafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
0d0c3b92f0a9e33242ef33ef276e4241

SHA1
bb30677994f9b2f9321eaed881a4fb934962e728

SHA256
f71ac1cafd9611c8faae05bf07f81d44b34c2a41920542cc789f9468ebd1661b

SHA512
08ffb157883c230b311cc5ee262006cf691f2bef8c282972749c9bc3ab84b874ad560cec2344a6b3d189fa31c4533fb4d9043b75fa0b46edbe507962a6eb6b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
ade0f96630e1c027cb9b2a5ee69993a5

SHA1
af347164dbdaccbed69958e88b456b0363cfba1d

SHA256
af340fb76a30daabed7aa6e38dedd1b7d5b25fd15b64901960a4f3a748c1b4d1

SHA512
a52464c2fda4055cb7bbd2690fc0c45dcdbbb9338c234594df98fc15bd628b825bac7f7d0f717d992873a231cdc90f3700283649e13f152f3bd15d1c8870345d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b6d2bda5a79a11779073313b8b455674

SHA1
dd90a5d5e7580ce0dc54e51e409c31204957e069

SHA256
bd383abbd1978f59336582a7d5b7a3662db583bd43ed68c6e864a837a1aff6b8

SHA512
b435058d0b8b7933f4fcf2c2c49b87f21e1892bea8d7a7512baa3301bd1cbe53da556b65221c858a0438477c718674abba753eb0ba7b01a5b05ce13cf9e8a5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ea6101af916b8a064c91315a27925c88

SHA1
22628eff073a96f427272e667ecb533a0f26c441

SHA256
ae55ecf0d9ceb7ec84f910e4b595c80c1c6bb5c87706c125b59ef1ca94b55ec3

SHA512
855c268f1b7f3f3b6206e5394fcbb72679f782ddc3a344836d3717d5decdcc9c0f1062375c871c238df42297b5712266774db6e320fd8436ad24d97ba23fe53f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c6ff7148b5b29e4cd4c307b68d831c53

SHA1
57caf26598eb3c7572d3c6ffac013604467472c3

SHA256
7ec5484e8adf0254d85da5aa5304bb00bc7161341070c1b9449e21193840f72d

SHA512
200416bf199bbe30904137e50334db976542e10a4db5805707d97ed3b7cd78057599aa96fb725442112ef21818e20407bc852dc579accffb04f1dd3235b6e08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33a861b31d1e5da81ae509a983e4b7bf

SHA1
8a942e5f9a2c90df39d6ed8b04bbb64d713e0827

SHA256
6b19c70dd06a7f7f36a5cba484e2cafa40019746f72e4f060e537601d072966c

SHA512
04164dd76aa529b6d3911f10835a5c9d98e0fe9999ea4403cd8a55b2790ef462f656e4d1e786e7c7603aa6d0ba492360222bd991fcd2bc31841726af37dead3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
561027c7f5f91577b07067e208b12332

SHA1
10108671f6472fd4506441e34265cfcbdade9f4b

SHA256
1e23adaf83591a891eb3fb9a65ab7fc21fa90985e5c5f5f55e0221b03290be70

SHA512
c5caed9359e7aafcfde66cfbe96f271ba65f1ddb9a3a516bbdd61167acd58999ebbe1f3106ce00dad6b8ce07c5e095de071d6637388e6662e4e90a64e4aba142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3692966ab44a7e5b9f6f690c0eb27462

SHA1
6aa464a9ae5451212fce0eb3598f6be6570f04e1

SHA256
b4ecc21e359cf6b7197e179531ea65c9ab80ad90f35a8917f911a7d914c67416

SHA512
8326784342a0b46f6b7ad85a2d82a5ef4cfa793f4b3fa13d48442d177ab0bd7664313123b68d821a127f754ff31297d709f8eaaa3fab0e34079a0154ccfacb01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8b196fbce2e68021a88220074dddb3ae

SHA1
1120d9e8b5d5d9a8edff827b157937330bc930db

SHA256
87dd0eeb98ced09e98b271518a99bee125810ca313e85a0b67e365945a4b79ff

SHA512
2d75b0a752121757d4c0005d7e20d524558ef3623e86e888cb74c14612bcada9118a97cdebae7a9d30f28872a4599e172c824106fc50010e44c7c784f431b801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
95a5504b614b80e2047f9cbb57cf4ad0

SHA1
400a0ace5bcd99485f87d52867a18fde74aae60d

SHA256
29ec222f971e9fa5e7ea9cc96328a456e6ce19072c1880b99dd8bc92a4233cfc

SHA512
f6e9b7ccccd5d15ff536ab5a6e55e5e7b63e29fac2ab5c47b7139c1359b1761c2e885b2205530503c614e5992beeb29c482a3053888eec477da161012a8d4d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a32170fd888e5674eaea8b2174a80607

SHA1
b2263a6bc425a9936a5d434a550f48110fe6b0eb

SHA256
0864c2b8e47d618961680ffc2e2b451bbff711336b1cb3f81bb15419f62cbce7

SHA512
cc819078c0f3a7d27051af60e878e48dcba763a6a5c87ef4f9031ccad6dcccb93add6918701eb2c7462b578fe45aec9f8bd7d4bdf4ca7850eabaf5f452f4e640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9098d33ee7c24a671719fe814c792de7

SHA1
558363de72d314abaa9715752dd7334bdbce45d6

SHA256
24f454dec039b406256639d5b419e11a6ac6e318757815df64ffe7e9155bc9fb

SHA512
f6bd454a75c79ad209ec993485de22a0520b8657624e6479e07683cca21ec64a87c0f171f5c6c2dfb2cab0d6243815e5c0947de08e8c2c3226b625b3835165e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cf1737659ee1bfb21773e8decf4b8bf8

SHA1
6b55d3b5ecfa6f7cfc4fa34f1b69d2ed68375370

SHA256
13ad684ec5169cf43782ab6d064e0dc6dc381bf0725966be9241eae5932f2823

SHA512
c37e691620f3a63394943d905e8bc3559244b3bd14c391e4b5647ccd615189830a0896b29b3c7b18d6e155929318e13b75246d0eaf801090a1f019fb4cb99213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c518d4c95fd7ee4b46992146073f2089

SHA1
65cda3c378a4f03e82fa6bcd9c51ffd1f5376e55

SHA256
149ca5b3c475c9449a441ec7f4cb06892db2dfef80ad2a24d5aecd53bdcbfb9d

SHA512
b7ef68dc13301807ddf140b07f2713eea2341079286a68104e11b6473555dc902d43e050f6c799d1afe43faf7141eb3e6fbb5f5787fc552ad6a323fc3ff88921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
437a4b2b6396112b2e350f915ff92a62

SHA1
f18eae5e645bcad79064615ab7d5b1cf3692bc31

SHA256
e06af68f24cef0871a318a1fd3b1734041d9cb359910a67f1930625555881976

SHA512
69d74b77d314604221669498800eb3e16f0e71958f7c7cc1234d4d8c86bc8f4d5ae9e04983425cb6c6a002ae087ac253365646a32812330ea96141313ceebf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
896ed027977814c4f4473c5ffcbb0f1a

SHA1
cc4d833932e02da628904055c2fad7cdeb1a4ef9

SHA256
a16410e260f7fb05437e6cce7cbb0fd0c916473be176e236da3249071532c545

SHA512
55c6bf600f45ea8dac99c7bbfff04833844d17708d7b69b19d3f32e952e6ffed8fdef55260a6af05b770dbb007fd9942f934029e3c472fd45a574c344574783d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
a5100d0996c63b5649b36c29dec80486

SHA1
e57732ad2dd0754d317478c920a43e9898928f57

SHA256
8018b15abcff6928b1f26be57cbdd1f1a2787ee59b712c6d3d8117e921bcf930

SHA512
d1e3ffc8b4fe254031ac90d7898f95389733d7449f23604fc294fa5644e48405006d6acc5faa3cac8111bf25d06b517b15730cbe0e89783f9faf5b0e3b0d74bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13365262196033340

Filesize
461B

MD5
b2324f8bc0cdc95a8ba41e1f3b7cccec

SHA1
07af9292eff214a10692a73dc7a32c8c10bcea44

SHA256
cba1c453f72a0d7d0f0e8928d1d4b867585e171b2c18f87c22ecc3812a7bef79

SHA512
9a12e2f91936e1704aa2dd1e66e81df934bc10c7e1b710661c517db3f0ce6d25d04af842d836939800d585db7548db1efd4cde4a8712435786ea31e2cc401160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13365262196213340

Filesize
933B

MD5
259a521abf4ab212c759a0ef4a06c405

SHA1
b333bfc64bca335326c42174990a7f0eb784a224

SHA256
8e179677488c54adf306ece3878bb7682033ca9741fd22c9d96043de177ba978

SHA512
cb8784ed8775b8ef6ab5e88a6105a6fe89bc6a2b0d208b7e5d63332fe6b73147dbfe8af44f71911c47d4b5d8b84aa32c30d3cbc20730ccbe0846a256dc4eecc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
ad85968ed501809773461a230647ee07

SHA1
6fcf2dc23aec27378bdd79fc6c10901752479294

SHA256
f1825bf930e271a4119db4c0852fbe61df891359b61b5a6afbbe21925870f33b

SHA512
688bd0f36fa22dcdf398487186211bcd6f30ca393bef350d001565b096b8f6630986002a7e442f19de045da3438f3dffa8415f253cba543b9194680eb56f521e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
7072604407c4907d01527329a97f52f4

SHA1
75a140ab0e5a13137df9328dd7486dc97144b392

SHA256
9b6b82d15db463bcf4eb14e8889e47ccac9c40678a9bbd1fde58858f65d35fe5

SHA512
efcae29122387f986335ff12ee0ea131bb8546e176f5005f838af25ecf68be5da07784355440047a56ef3d66a4d887666aef11b912d49d0265b1382c750b5865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
535B

MD5
f53b6c555e22cab81987779e5fff9e15

SHA1
bae45634c5f2c7cb4993c1451664204572e358f6

SHA256
d7b27dcfffd1bfe06ca5be72ec395190c6e00e30012339574d49081f8127e3e5

SHA512
66adc097ba55ac3e8598c52c27e5fb520ba8de11683315af7a074b16a401c3d43f4645ec88c648e992b766f86dd33c3c4435396fae8ee72c8b26d07cdedcd7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53b6225aadcc350c7a9a28b1c0e197b6

SHA1
e45cd3d1ac5cad51d052ecbcc8171c876503a600

SHA256
258cba7e66fb8a2bc4cb5c70db1c6d9015907dc1a6aa098269a5ddf4eb119fbe

SHA512
6d7304b15be3486685d9012870fb9cd59b4c6a3278a2525efa13267f2ab2f57137c3e8f08a29a78f3668a6e74cac48f4ae375728a5d23386cf96454892970732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
9b1c7297f42bcf7ae81fa837d7060209

SHA1
fa2f5a7b61222705f87ffc74859187e9087e9b8c

SHA256
000333dc31ee824c09dddd5a5bedc3edf7694bf2dbbda0a36a9cacc7109ae61b

SHA512
a628d188d8fc89f3da56bb6e272a188767155da653c89467e704b10eefec1818b8799732194bf9ca20d5de5ca7629817594ccd6ef923e8ca0da07f47690bf514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d000bd02-a2d8-4539-bc1a-f3fbac2cde31.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
d926bfa2a54891efee773116df5abafb

SHA1
8f0229090286b9a7065fcf389436f7e4ea519bcc

SHA256
6abbefed8d96ad5658de38d0cabd62570d739402cb80a55efc7c3708de1dd560

SHA512
5d7057078e7298e4b2a55cb39fd3306c7c368696ca18e19dededb9b35316b3ee94a2985dedc2439aa277ed932ae5e242ad870e30594457f01835a529e59ef5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
d43bee3dd3ea24d88e30c441c39ca1de

SHA1
581ce1f8beeb267c5995e6a3c436e8de28f88abc

SHA256
847c66de0a593402e676ae20a606dabccad2f36062e01698fa4b074aec013265

SHA512
31134e0f73583c4101d749c9ff9a5b8f058de34457a26b62ac393b3f98d5eeedc35f10196c50c7eb8fd9bba4e353c67f0f44f68860027860c2659525260af024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
6686172ffcc559e73d31eb2afad3fd08

SHA1
3a5122c9d29104b5b3459318b8a24a48a670184f

SHA256
4f74eedf79dbfe5c4245fc9e79823a1efaea43c7c215cdec5b0a9aa54da128b0

SHA512
fcf8c0185c460ecb9b2bd4e0b21ef1294dddb1ecd9a28dbd8566afd41675f35377754786085032c7043402b21c03e9fe4e87ef930521cac9268766ab6154d4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
6fdfa70d4b02b4eccdd5937b0eee977b

SHA1
eef1a2abcb335ce94f73827ee793237ccd07f684

SHA256
f90621bb115dc383f2c7798e529aa4f94430e4721ce58b212f673b06591ae7d6

SHA512
0a1c41e613e0e7a7331817abd85b9ed0a17b5b2e0acb4c5ffc66d6f55d27266ba8b237149f00952eb6c5a688038aca33e0df7d025af0ff01a5b94330b6828e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
c4783a861d95134f1c8b7dbe9bce5e2f

SHA1
a0a5b2099359214c30ae1272bc8ea7239048ea2a

SHA256
d5b580cbd8ef4a1ed164bc6e164c827938f56d0577bc1261ec99454558715d9d

SHA512
257e56ad2cb8c55bf71662332f6da9a8e1ddfe1b9967189c5bd5547e5a0be6c39535fbc3187394d97b7eda1814e05e7e251df364502830c2bdbd9c30bd02ec5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
4ef9b59edb4de9cdda881437b1020df9

SHA1
dd4986dfe876f100ef266c953b05579b0553e5d6

SHA256
0413abbaaf9f52e625f2b3a355e8f92a92e71571f5ee24fb05021975cf88bbeb

SHA512
17626da6e22c1c3f78e11b7f5e727477ff5993e6234c1f019efd4bc7e8117d0c484eb652796359ca43f16929affa76e8adf73e2cf4a7b6f8d756821dbbc4d74b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
42c8dcf47b5f912350354f4138494cf0

SHA1
0b37b5836ee67995bbcbc8eff1c17f69dc2eb6aa

SHA256
e7ce7ea63345b543d5b45febed8be5921f4f7cb89cb76d3c89d24d528461a1b6

SHA512
4590830040b1a71e9429098531fe8acbd959402ed002050cc9a0b760737fce7c26b64ae1f24fc73203375cceba7afa0ec495f8acf653d29f97cbd34a9d8aa16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
71e334f186585989247a9b753ea5323f

SHA1
a1e0e3279e0bf007027a859da44349a5253932da

SHA256
0164bd31ce16e7c6d5357461043369f450210453d584158f456bfa30cf12c0e9

SHA512
c934054ee4087179b10fef35cf42e2e0daf4282e0da92d57b1c8664e97dc9f97715d1dfb0e45386f9f7125377646f74bfa0c52b32c14d9d9612498df011fd4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
fca179877489616aa9ce819ce368a98d

SHA1
c8fa7fe6dfc9f6ee8be2bea45b196af77eb58487

SHA256
114389ffe3cfb77ae9262a329970b29a431e45e1a632f611ab915f194ab7ce9a

SHA512
a5cd2d4e37169e7c0b593b15450dea3ce11c717450f79e8cfc28e657f0144076efffd47137c610b44a508f29c1a815ae04c9e35afc192e07cb459b12aedddbbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf136ac6c31a7c77ede5d72bfc2b4334

SHA1
c20ade5872884f807cfe64f5acefa0105e46523d

SHA256
a6c675dbd75e17d47c2e0895eebdfc09a5b4356003a9d4586bc9ef5763f3936f

SHA512
5da1941317ee2ed0c2329d8ac4efa47d1917ab044c01a988c4ff05214ad42d72778697aa847442a55c7e98346c2bcadf078eb52ddca8792f3cf4fcfceb08b423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76dc3f8c01b5c305199c1249bdb25c6b

SHA1
2646260a75a02a0f47c2e88a1b5916a7f33c3027

SHA256
055e623fe9ee2cad1c402029ab7d97cd919d0355aba1d606946da626b598a8a1

SHA512
f08c51df368458d9bbc52cd8b744ed330e9c0abf72248f7c31755eca60cf7a19711a64d834ec4d05d9ebbf402531874561e6e0ee1cfe4908c42552b66a30e296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4abb6abef06611724e61f184e09f61b8

SHA1
d013072026fd67554ede06c072cdbf564e343909

SHA256
a13b9759e745c70e3f36551528a89cd7f58279202cf9e8e1c2e6395251b7f213

SHA512
1619bc364466c3d93e14cf7680aa4d06a32bf7ba4d8e0cabb5eb58a3e270bbeb9d836d068fa352111bf75eb02fca271492e5db0e5eaf15621ae130279ea07ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a76485171c1f9cbe98e819231ab717ec

SHA1
53bbf2335d845d533fa039c65dbdb920497f3569

SHA256
facb12b1104b4ac5da683412b2901890f879d6fd379ccd16237c230bb57e048a

SHA512
1d3ffbb1d2b0786e6911e3bf474d538467a7adf90c3d27e0b100ea45a7573449bc16d25d2527eef137875d9870b1d5aa166c7686772aa193117d6b279f62e786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
99c1967abe0f4b0a1c1ab84236743055

SHA1
f35a2f968ea6a49d95935f67bc565c60db398848

SHA256
0938413871fb4817cfa0590f4344bb7fa18cdf91c1bf42fec0decfd75a602fdf

SHA512
3e3afcd47dec1b42b66bd9c62dcd78afeccdaf67b18ef23c613e9f0c80269c74c8f61f4af7fdf95eaabe39611c442393b35ba070649a0e1d8d650ca515e062f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
f8968e87704084db39b44e2d570a8c89

SHA1
fe6e310d3dfb7c576f8c8c604560accd7167b046

SHA256
17390114413b39afbef3852b3478f6784a25ababd70b5974fc987af0c1f6c10b

SHA512
38b0ef536cc1d1d1f94a9ce542866a7b0c6107750c92e134bb0b1d5fbe3e639f7764332e0c687d6fce9ae9b7fdc06752d8381500a5180e5303c4a37658497aef

Download Submit
C:\Users\Admin\Desktop\freeSpoofer.exe

Filesize
1.4MB

MD5
57749553c159683cf8c646bea1fa7e21

SHA1
414bdd48c6fd752f6d6100ad1c38fdecda8ffece

SHA256
5f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13

SHA512
6f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41

Download Submit
C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE

Filesize
377KB

MD5
8690997c90d94b5a10f2fe39caa0d7a6

SHA1
ad05c719b046da3946e370409b342e3c67946a87

SHA256
157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1

SHA512
39d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0

Download Submit
C:\Users\Admin\Desktop\tools\applecleaner_2.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
C:\Users\Admin\Downloads\freeSpoofer.rar

Filesize
13.8MB

MD5
4de784dcf73d6a71b45f090e999a591b

SHA1
a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf

SHA256
94985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2

SHA512
83e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d

Download Submit
memory/2956-749-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/2956-747-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/2956-750-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/2956-748-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/2956-802-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-190-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-189-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-186-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-188-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-191-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3084-249-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3140-591-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3140-580-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3140-577-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3140-579-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download
memory/3140-578-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp

Filesize
9.6MB

Download