Analysis
max time kernel: 336s
max time network: 345s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 12:49
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
Resource: win10v2004-20240709-en
General
Target: https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
Malware Config
Signatures
Cerber 6 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- pid 3920, taskkill.exe
- Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} (AMIDEWINx64.EXE)
- Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} (AMIDEWINx64.EXE)
- Mutant created: AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} (AMIDEWINx64.EXE)
- pid 2424, taskkill.exe
- pid 4724, taskkill.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (applecleaner_2.exe)
Checks BIOS information in registry 2 TTPs 9 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (applecleaner_2.exe)
- Set value (data): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 35004f00300048005300200020002d002000310000000000 (applecleaner_2.exe)
- Set value (data): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00620048005300200020002d002000660000000000 (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (applecleaner_2.exe)
- Set value (data): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 38004f00650048005300200020002d002000330000000000 (applecleaner_2.exe)
Executes dropped EXE 9 IoCs
- 1492 freeSpoofer.exe
- 3084 applecleaner_2.exe
- 2436 AMIDEWINx64.EXE
- 4564 freeSpoofer.exe
- 3140 applecleaner_2.exe
- 3524 AMIDEWINx64.EXE
- 1292 freeSpoofer.exe
- 2956 applecleaner_2.exe
- 5064 AMIDEWINx64.EXE
YARA rule matches (rule: themida)
- behavioral1/files/0x00070000000234ab-185.dat
- behavioral1/memory/3084-186-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3084-189-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3084-190-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3084-188-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3084-191-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3084-249-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3140-578-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3140-579-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3140-577-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3140-580-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/3140-591-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/2956-748-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/2956-747-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/2956-749-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/2956-750-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
- behavioral1/memory/2956-802-0x00007FF7570B0000-0x00007FF757A52000-memory.dmp
Checks whether UAC is enabled 3 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (applecleaner_2.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- flow 9: raw.githubusercontent.com
- flow 11: raw.githubusercontent.com
Checks system information in the registry 2 TTPs 3 IoCs
System information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (applecleaner_2.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
- 3084 applecleaner_2.exe
- 3140 applecleaner_2.exe
- 2956 applecleaner_2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 63 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1183c991-4414f82e-f" (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "037ec1f8-94a1f557-8" (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (applecleaner_2.exe)
- Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "90f7a1c8-33aad01a-3" (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 (applecleaner_2.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "f1ce88f9-9b205907-9" (applecleaner_2.exe)
- Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (applecleaner_2.exe)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion (applecleaner_2.exe)
- Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion (applecleaner_2.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "79a0998b-70d889c2-d" (applecleaner_2.exe)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
- Set value (str): \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "183fba5d-7fa09cb0-7" (applecleaner_2.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (applecleaner_2.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral (applecleaner_2.exe)
Kills process with taskkill 9 IoCs
- 1600 taskkill.exe
- 5064 taskkill.exe
- 2424 taskkill.exe
- 4724 taskkill.exe
- 5032 taskkill.exe
- 4004 taskkill.exe
- 2352 taskkill.exe
- 3920 taskkill.exe
- 5020 taskkill.exe
Modifies registry class 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings (msedge.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 43 IoCs
- 3888 msedge.exe (2 entries)
- 4708 msedge.exe (2 entries)
- 3296 identity_helper.exe (2 entries)
- 2032 msedge.exe (2 entries)
- 5008 msedge.exe (2 entries)
- 1076 msedge.exe (2 entries)
- 3084 applecleaner_2.exe (2 entries)
- 1492 freeSpoofer.exe (4 entries)
- 3012 identity_helper.exe (2 entries)
- 3140 applecleaner_2.exe (2 entries)
- 4564 freeSpoofer.exe (4 entries)
- 2956 applecleaner_2.exe (2 entries)
- 1748 msedge.exe (2 entries)
- 1792 msedge.exe (3 entries)
- 1292 freeSpoofer.exe (4 entries)
- 4000 identity_helper.exe (2 entries)
- 6000 msedge.exe (4 entries)
Suspicious behavior: LoadsDriver 3 IoCs
- 660 Process not Found (3 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs
- 4708 msedge.exe (7 entries)
- 1076 msedge.exe (20 entries)
- 1792 msedge.exe (12 entries)
Suspicious use of AdjustPrivilegeToken 13 IoCs
- Token: SeRestorePrivilege, pid 1592, 7zG.exe
- Token: 35, pid 1592, 7zG.exe
- Token: SeSecurityPrivilege, pid 1592, 7zG.exe
- Token: SeSecurityPrivilege, pid 1592, 7zG.exe
- Token: SeDebugPrivilege, pid 3920, taskkill.exe
- Token: SeDebugPrivilege, pid 2424, taskkill.exe
- Token: SeDebugPrivilege, pid 4724, taskkill.exe
- Token: SeDebugPrivilege, pid 5020, taskkill.exe
- Token: SeDebugPrivilege, pid 1600, taskkill.exe
- Token: SeDebugPrivilege, pid 5032, taskkill.exe
- Token: SeDebugPrivilege, pid 4004, taskkill.exe
- Token: SeDebugPrivilege, pid 2352, taskkill.exe
- Token: SeDebugPrivilege, pid 5064, taskkill.exe
Suspicious use of FindShellTrayWindow 64 IoCs
- 4708 msedge.exe (37 entries)
- 1592 7zG.exe
- 1492 freeSpoofer.exe
- 1076 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage 64 IoCs
- 4708 msedge.exe (24 entries)
- 1492 freeSpoofer.exe
- 1076 msedge.exe (32 entries)
- 1492 freeSpoofer.exe
- 4564 freeSpoofer.exe
- 1076 msedge.exe (5 entries)
Suspicious use of WriteProcessMemory 64 IoCs
- PID 4708 (msedge.exe) wrote to memory of 4796, procid_target 83 (2 entries)
- PID 4708 (msedge.exe) wrote to memory of 4464, procid_target 85 (40 entries)
- PID 4708 (msedge.exe) wrote to memory of 3888, procid_target 86 (2 entries)
- PID 4708 (msedge.exe) wrote to memory of 516, procid_target 87 (20 entries)
Processes (tree depth shown in brackets)

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/glnklein/Free-Fortnite-Hwid-Spoofer/raw/main/freeSpoofer.rar
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4708

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
    PID: 4796

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
    PID: 4464

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3888

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
    PID: 516

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 1592

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 3400

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
    PID: 3412

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3296

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    PID: 4276

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    PID: 4580

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3468 /prefetch:8
    PID: 3596

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    PID: 2852

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2032

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    PID: 4356

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7898874681445730952,13985957209602796120,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
    PID: 3692

[1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 392

[1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4876

[1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4212

[1] C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\freeSpoofer\" -ad -an -ai#7zMap23041:84:7zEvent13919
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1592

[1] C:\Users\Admin\Desktop\freeSpoofer.exe
  Command line: "C:\Users\Admin\Desktop\freeSpoofer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1492

  [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    PID: 3504

    [3] C:\Users\Admin\Desktop\tools\applecleaner_2.exe
      Command line: C:\Users\Admin\Desktop\tools\applecleaner_2.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Checks system information in the registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 3084

      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        PID: 4004

        [5] C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im EpicGamesLauncher.exe
          - Cerber
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3920

      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        PID: 2120

        [5] C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im FortniteClient-Win64-Shipping.exe
          - Cerber
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2424

      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        PID: 3020

        [5] C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im Battle.net.exe
          - Cerber
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4724

      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c start https://applecheats.cc
        PID: 4356

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID: 1076

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
            PID: 3232

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
            PID: 1988

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
            PID: 5008

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
            PID: 4732

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
            PID: 1912

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
            PID: 4396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:16⤵PID:1592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:16⤵PID:516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:16⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:86⤵PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:16⤵PID:3132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:16⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:16⤵PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:16⤵PID:3920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:16⤵PID:2968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:16⤵PID:2436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:16⤵PID:720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:16⤵PID:184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:16⤵PID:3656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:16⤵PID:4340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:16⤵PID:4468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:16⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:86⤵PID:2740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:16⤵PID:184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:16⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1250414283006439567,10839342601314764251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:16⤵PID:2352
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause4⤵PID:4724
-
-
-
-
  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
    PID: 4560

    C:\Windows\system32\net.exe (depth 3)
      Command line: net user administrator /active:yes
      PID: 3664

      C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 user administrator /active:yes
        PID: 8

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
      PID: 4464

      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE (depth 4)
        Command line: C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
        - Cerber
        - Executes dropped EXE
        PID: 2436

        C:\Windows\System32\Conhost.exe (depth 5)
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 4396

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3844

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1972

C:\Users\Admin\Desktop\freeSpoofer.exe (depth 1)
  Command line: "C:\Users\Admin\Desktop\freeSpoofer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID: 4564

  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    PID: 4480

    C:\Users\Admin\Desktop\tools\applecleaner_2.exe (depth 3)
      Command line: C:\Users\Admin\Desktop\tools\applecleaner_2.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Checks system information in the registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 3140

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        PID: 2288

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im EpicGamesLauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 5020

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        PID: 1944

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im FortniteClient-Win64-Shipping.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1600

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        PID: 3596

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im Battle.net.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 5032

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c start https://applecheats.cc
        PID: 2412

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
          PID: 1480

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
            PID: 2792

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c pause
        PID: 1048

  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
    PID: 1600

    C:\Windows\system32\net.exe (depth 3)
      Command line: net user administrator /active:yes
      PID: 3660

      C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 user administrator /active:yes
        PID: 3596

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
      PID: 2192

      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE (depth 4)
        Command line: C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
        - Cerber
        - Executes dropped EXE
        PID: 3524

C:\Users\Admin\Desktop\freeSpoofer.exe (depth 1)
  Command line: "C:\Users\Admin\Desktop\freeSpoofer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1292

  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c start C:\Users\Admin\Desktop\tools\applecleaner_2.exe
    PID: 2184

    C:\Users\Admin\Desktop\tools\applecleaner_2.exe (depth 3)
      Command line: C:\Users\Admin\Desktop\tools\applecleaner_2.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Checks system information in the registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 2956

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        PID: 3248

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im EpicGamesLauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4004

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        PID: 3860

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im FortniteClient-Win64-Shipping.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2352

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        PID: 3140

        C:\Windows\system32\taskkill.exe (depth 5)
          Command line: taskkill /f /im Battle.net.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 5064

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c start https://applecheats.cc
        PID: 1560

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          PID: 1792

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a4b46f8,0x7ffb6a4b4708,0x7ffb6a4b4718
            PID: 396

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
            PID: 2224

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
            PID: 1748

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
            PID: 3128

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
            PID: 3100

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
            PID: 348

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
            PID: 3732

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
            PID: 1988

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
            PID: 224

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
            PID: 5108

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
            PID: 1136

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
            PID: 3188

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
            PID: 1172

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
            PID: 4000

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
            PID: 1668

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
            PID: 2932

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
            PID: 5312

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
            PID: 5320

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,6928069198947200398,3012654923187235274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5040 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
            PID: 6000

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c pause
        PID: 4152

  C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c net user administrator /active:yes |start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
    PID: 3296

    C:\Windows\system32\net.exe (depth 3)
      Command line: net user administrator /active:yes
      PID: 4412

      C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 user administrator /active:yes
        PID: 2980

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" start C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt"
      PID: 1488

      C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE (depth 4)
        Command line: C:\Users\Admin\Desktop\tools\AMIDEWINx64.EXE /ALL C:\Users\Admin\Desktop\tools\alt.txt
        - Cerber
        - Executes dropped EXE
        PID: 5064

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3916

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3040

Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
33KB
MD5ca27923986447745810849e975265b5d
SHA10b21bafa12cd1a7eb220c85f77d07f8b0a24922b
SHA256d441a9cd526b61901b48ef28bafc61f71d1ee9b6c6ca5a670d5f86dbd301f481
SHA51271d96f71e19462a6a8d4b08244ddf361251099af8556b6cd5b7cdff7f2701d7fe818e4e8a4d7219900a1052492861794e9a7e9a17e29d1485857212576b7828f
-
Filesize
75KB
MD5af7ae505a9eed503f8b8e6982036873e
SHA1d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c
SHA2562adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
SHA512838fefdbc14901f41edf995a78fdac55764cd4912ccb734b8bea4909194582904d8f2afdf2b6c428667912ce4d65681a1044d045d1bc6de2b14113f0315fc892
-
Filesize
38KB
MD586b73ab5f530be7984b704414f2a711d
SHA18e297794ed7b6f5ea476d14b5270df12e8f3e42a
SHA2561a48b70f97555c13f84b8f088a417f9179d99b5101250819350acaf6e91bb92f
SHA512468f8d4ae9419cacdf913fba2da37055e3469d935d7b7b362717cf17d2c4c27882ea3bb34510273312dd80dc2dea05775ce65bc3f9d1048f50aad4b27e8188ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize720B
MD5c0748fd5fed69fd96bb6d3e0332cb30f
SHA15f60f042fcdda38d42ca798417cc2627d96efd71
SHA25611ca424fa58451d4aef3681ce6f9e183732fa0c025e934ce1547611b1a9ab350
SHA5122e7cc3043c5d5a170e7aab3dc71364deeb043ec96d715478919390448a6a76dd534ee99ee7793aa87a8469ad36f6bda0208975041a674d09c90bef4d03c3251e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize720B
MD5b40073c0ad07f4ca85969f27f64e1516
SHA132a11c1c2bf29423f0054928495615667e12c839
SHA25609dd39b67ef7da5e9e1e77c279710dd052c5dbd639493b24c2fdab7411457d07
SHA512b68be306cac5c66aa00f5af81daa43509cc3b2449136737ccf8e2518a9f6c9791a87a6d7776f2d8cfcf0cf5b82db491e7005549388907418e006b2b47b01de0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize720B
MD5574c0caadb51a9e04a1ec2433d16034f
SHA18bd4f4015d64dbe0a6d628e5e681967363ad53f9
SHA25679052d59ebd69a8133a56fc4552a7aaf4d7ae9dad1c104b34ad3ec93a3a4dd7c
SHA5127fdd117d23a0cfff0af11bf01b84010a4affb28b1791266bf2b69a3ec1949036d90342d939d320cb6cec8aca072a6050d8070344b61bb81fd9b499dfac9ce2f2
-
Filesize
322B
MD5b0d5ad5ec142c1f88a21a5b85e0eb3a3
SHA1df3f3af8d14e996e7dcb4a9d22fc0d17ee52ee10
SHA2568596fc656e4e86e70e80dbd6e52f1a32e9ceb56afbc056fb21bab9e852134407
SHA51248c4dc4019e8f58f3051291b50737b7a5090d82a07d63b92b2efd77a4915cbe6c52cbcad4217389a9b12d0197d352ba189dcbbbf1771df551432e8cae8d0759f
-
Filesize
264KB
MD55e67f28dca1f3c7d65b77738f6b77a79
SHA1000533c874a6c3df4646f722d2a91d7132cbd2a6
SHA2561a6907cb7e23d1425ca2263fc726ade424b0f01fabac9adf5dd60c6bdcd88b24
SHA512af556dab9272321d32f5a8dbfbbd1f3c8bafd981c1982c57e909ee8b5b3c46d7b29e046d53dfd54e32bdde11f4b30ecce02c8a942bc40f11fc0402e08cd310f8
-
Filesize
124KB
MD5317173c9c06d3143684b7afb3182f7de
SHA13500fb8997468ed6c53eb7f54b86fe172a6c43d7
SHA256d2aca3124bd82267965b6d50f12f395e54cc7ae621273e9e74a2cd93bcd5fed5
SHA5127fcd79c829a848e02d21fffa7bc7471100f57c752a3c6f0c0fde86e0311608c4647fae67ebf3b2e4eabf07bb93f7dcd27fe2fe91db56c63d2c5e477ac831aafa
-
Filesize
6B
MD5a9851aa4c3c8af2d1bd8834201b2ba51
SHA1fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA51241a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
Filesize
28KB
MD50d0c3b92f0a9e33242ef33ef276e4241
SHA1bb30677994f9b2f9321eaed881a4fb934962e728
SHA256f71ac1cafd9611c8faae05bf07f81d44b34c2a41920542cc789f9468ebd1661b
SHA51208ffb157883c230b311cc5ee262006cf691f2bef8c282972749c9bc3ab84b874ad560cec2344a6b3d189fa31c4533fb4d9043b75fa0b46edbe507962a6eb6b07
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
331B
MD5ade0f96630e1c027cb9b2a5ee69993a5
SHA1af347164dbdaccbed69958e88b456b0363cfba1d
SHA256af340fb76a30daabed7aa6e38dedd1b7d5b25fd15b64901960a4f3a748c1b4d1
SHA512a52464c2fda4055cb7bbd2690fc0c45dcdbbb9338c234594df98fc15bd628b825bac7f7d0f717d992873a231cdc90f3700283649e13f152f3bd15d1c8870345d
-
Filesize
2KB
MD5b6d2bda5a79a11779073313b8b455674
SHA1dd90a5d5e7580ce0dc54e51e409c31204957e069
SHA256bd383abbd1978f59336582a7d5b7a3662db583bd43ed68c6e864a837a1aff6b8
SHA512b435058d0b8b7933f4fcf2c2c49b87f21e1892bea8d7a7512baa3301bd1cbe53da556b65221c858a0438477c718674abba753eb0ba7b01a5b05ce13cf9e8a5b8
-
Filesize
2KB
MD5ea6101af916b8a064c91315a27925c88
SHA122628eff073a96f427272e667ecb533a0f26c441
SHA256ae55ecf0d9ceb7ec84f910e4b595c80c1c6bb5c87706c125b59ef1ca94b55ec3
SHA512855c268f1b7f3f3b6206e5394fcbb72679f782ddc3a344836d3717d5decdcc9c0f1062375c871c238df42297b5712266774db6e320fd8436ad24d97ba23fe53f
-
Filesize
2KB
MD5c6ff7148b5b29e4cd4c307b68d831c53
SHA157caf26598eb3c7572d3c6ffac013604467472c3
SHA2567ec5484e8adf0254d85da5aa5304bb00bc7161341070c1b9449e21193840f72d
SHA512200416bf199bbe30904137e50334db976542e10a4db5805707d97ed3b7cd78057599aa96fb725442112ef21818e20407bc852dc579accffb04f1dd3235b6e08f
-
Filesize
261B
MD52c2e6472d05e3832905f0ad4a04d21c3
SHA1007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA5128c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize
6KB
MD533a861b31d1e5da81ae509a983e4b7bf
SHA18a942e5f9a2c90df39d6ed8b04bbb64d713e0827
SHA2566b19c70dd06a7f7f36a5cba484e2cafa40019746f72e4f060e537601d072966c
SHA51204164dd76aa529b6d3911f10835a5c9d98e0fe9999ea4403cd8a55b2790ef462f656e4d1e786e7c7603aa6d0ba492360222bd991fcd2bc31841726af37dead3b
-
Filesize
7KB
MD5561027c7f5f91577b07067e208b12332
SHA110108671f6472fd4506441e34265cfcbdade9f4b
SHA2561e23adaf83591a891eb3fb9a65ab7fc21fa90985e5c5f5f55e0221b03290be70
SHA512c5caed9359e7aafcfde66cfbe96f271ba65f1ddb9a3a516bbdd61167acd58999ebbe1f3106ce00dad6b8ce07c5e095de071d6637388e6662e4e90a64e4aba142
-
Filesize
7KB
MD53692966ab44a7e5b9f6f690c0eb27462
SHA16aa464a9ae5451212fce0eb3598f6be6570f04e1
SHA256b4ecc21e359cf6b7197e179531ea65c9ab80ad90f35a8917f911a7d914c67416
SHA5128326784342a0b46f6b7ad85a2d82a5ef4cfa793f4b3fa13d48442d177ab0bd7664313123b68d821a127f754ff31297d709f8eaaa3fab0e34079a0154ccfacb01
-
Filesize
7KB
MD58b196fbce2e68021a88220074dddb3ae
SHA11120d9e8b5d5d9a8edff827b157937330bc930db
SHA25687dd0eeb98ced09e98b271518a99bee125810ca313e85a0b67e365945a4b79ff
SHA5122d75b0a752121757d4c0005d7e20d524558ef3623e86e888cb74c14612bcada9118a97cdebae7a9d30f28872a4599e172c824106fc50010e44c7c784f431b801
-
Filesize
7KB
MD595a5504b614b80e2047f9cbb57cf4ad0
SHA1400a0ace5bcd99485f87d52867a18fde74aae60d
SHA25629ec222f971e9fa5e7ea9cc96328a456e6ce19072c1880b99dd8bc92a4233cfc
SHA512f6e9b7ccccd5d15ff536ab5a6e55e5e7b63e29fac2ab5c47b7139c1359b1761c2e885b2205530503c614e5992beeb29c482a3053888eec477da161012a8d4d2a
-
Filesize
7KB
MD5a32170fd888e5674eaea8b2174a80607
SHA1b2263a6bc425a9936a5d434a550f48110fe6b0eb
SHA2560864c2b8e47d618961680ffc2e2b451bbff711336b1cb3f81bb15419f62cbce7
SHA512cc819078c0f3a7d27051af60e878e48dcba763a6a5c87ef4f9031ccad6dcccb93add6918701eb2c7462b578fe45aec9f8bd7d4bdf4ca7850eabaf5f452f4e640
-
Filesize
7KB
MD59098d33ee7c24a671719fe814c792de7
SHA1558363de72d314abaa9715752dd7334bdbce45d6
SHA25624f454dec039b406256639d5b419e11a6ac6e318757815df64ffe7e9155bc9fb
SHA512f6bd454a75c79ad209ec993485de22a0520b8657624e6479e07683cca21ec64a87c0f171f5c6c2dfb2cab0d6243815e5c0947de08e8c2c3226b625b3835165e9
-
Filesize
7KB
MD5cf1737659ee1bfb21773e8decf4b8bf8
SHA16b55d3b5ecfa6f7cfc4fa34f1b69d2ed68375370
SHA25613ad684ec5169cf43782ab6d064e0dc6dc381bf0725966be9241eae5932f2823
SHA512c37e691620f3a63394943d905e8bc3559244b3bd14c391e4b5647ccd615189830a0896b29b3c7b18d6e155929318e13b75246d0eaf801090a1f019fb4cb99213
-
Filesize
7KB
MD5c518d4c95fd7ee4b46992146073f2089
SHA165cda3c378a4f03e82fa6bcd9c51ffd1f5376e55
SHA256149ca5b3c475c9449a441ec7f4cb06892db2dfef80ad2a24d5aecd53bdcbfb9d
SHA512b7ef68dc13301807ddf140b07f2713eea2341079286a68104e11b6473555dc902d43e050f6c799d1afe43faf7141eb3e6fbb5f5787fc552ad6a323fc3ff88921
-
Filesize
6KB
MD5437a4b2b6396112b2e350f915ff92a62
SHA1f18eae5e645bcad79064615ab7d5b1cf3692bc31
SHA256e06af68f24cef0871a318a1fd3b1734041d9cb359910a67f1930625555881976
SHA51269d74b77d314604221669498800eb3e16f0e71958f7c7cc1234d4d8c86bc8f4d5ae9e04983425cb6c6a002ae087ac253365646a32812330ea96141313ceebf46
-
Filesize
33B
MD52b432fef211c69c745aca86de4f8e4ab
SHA14b92da8d4c0188cf2409500adcd2200444a82fcc
SHA25642b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de
SHA512948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf
-
Filesize
24KB
MD5896ed027977814c4f4473c5ffcbb0f1a
SHA1cc4d833932e02da628904055c2fad7cdeb1a4ef9
SHA256a16410e260f7fb05437e6cce7cbb0fd0c916473be176e236da3249071532c545
SHA51255c6bf600f45ea8dac99c7bbfff04833844d17708d7b69b19d3f32e952e6ffed8fdef55260a6af05b770dbb007fd9942f934029e3c472fd45a574c344574783d
-
Filesize
175B
MD56153ae3a389cfba4b2fe34025943ec59
SHA1c5762dbae34261a19ec867ffea81551757373785
SHA25693c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61
SHA512f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c
-
Filesize
319B
MD5a5100d0996c63b5649b36c29dec80486
SHA1e57732ad2dd0754d317478c920a43e9898928f57
SHA2568018b15abcff6928b1f26be57cbdd1f1a2787ee59b712c6d3d8117e921bcf930
SHA512d1e3ffc8b4fe254031ac90d7898f95389733d7449f23604fc294fa5644e48405006d6acc5faa3cac8111bf25d06b517b15730cbe0e89783f9faf5b0e3b0d74bc
-
Filesize
461B
MD5b2324f8bc0cdc95a8ba41e1f3b7cccec
SHA107af9292eff214a10692a73dc7a32c8c10bcea44
SHA256cba1c453f72a0d7d0f0e8928d1d4b867585e171b2c18f87c22ecc3812a7bef79
SHA5129a12e2f91936e1704aa2dd1e66e81df934bc10c7e1b710661c517db3f0ce6d25d04af842d836939800d585db7548db1efd4cde4a8712435786ea31e2cc401160
-
Filesize
933B
MD5259a521abf4ab212c759a0ef4a06c405
SHA1b333bfc64bca335326c42174990a7f0eb784a224
SHA2568e179677488c54adf306ece3878bb7682033ca9741fd22c9d96043de177ba978
SHA512cb8784ed8775b8ef6ab5e88a6105a6fe89bc6a2b0d208b7e5d63332fe6b73147dbfe8af44f71911c47d4b5d8b84aa32c30d3cbc20730ccbe0846a256dc4eecc7
-
Filesize
347B
MD5ad85968ed501809773461a230647ee07
SHA16fcf2dc23aec27378bdd79fc6c10901752479294
SHA256f1825bf930e271a4119db4c0852fbe61df891359b61b5a6afbbe21925870f33b
SHA512688bd0f36fa22dcdf398487186211bcd6f30ca393bef350d001565b096b8f6630986002a7e442f19de045da3438f3dffa8415f253cba543b9194680eb56f521e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
323B
MD57072604407c4907d01527329a97f52f4
SHA175a140ab0e5a13137df9328dd7486dc97144b392
SHA2569b6b82d15db463bcf4eb14e8889e47ccac9c40678a9bbd1fde58858f65d35fe5
SHA512efcae29122387f986335ff12ee0ea131bb8546e176f5005f838af25ecf68be5da07784355440047a56ef3d66a4d887666aef11b912d49d0265b1382c750b5865
-
Filesize
535B
MD5f53b6c555e22cab81987779e5fff9e15
SHA1bae45634c5f2c7cb4993c1451664204572e358f6
SHA256d7b27dcfffd1bfe06ca5be72ec395190c6e00e30012339574d49081f8127e3e5
SHA51266adc097ba55ac3e8598c52c27e5fb520ba8de11683315af7a074b16a401c3d43f4645ec88c648e992b766f86dd33c3c4435396fae8ee72c8b26d07cdedcd7b6
-
Filesize
1KB
MD553b6225aadcc350c7a9a28b1c0e197b6
SHA1e45cd3d1ac5cad51d052ecbcc8171c876503a600
SHA256258cba7e66fb8a2bc4cb5c70db1c6d9015907dc1a6aa098269a5ddf4eb119fbe
SHA5126d7304b15be3486685d9012870fb9cd59b4c6a3278a2525efa13267f2ab2f57137c3e8f08a29a78f3668a6e74cac48f4ae375728a5d23386cf96454892970732
-
Filesize
367B
MD59b1c7297f42bcf7ae81fa837d7060209
SHA1fa2f5a7b61222705f87ffc74859187e9087e9b8c
SHA256000333dc31ee824c09dddd5a5bedc3edf7694bf2dbbda0a36a9cacc7109ae61b
SHA512a628d188d8fc89f3da56bb6e272a188767155da653c89467e704b10eefec1818b8799732194bf9ca20d5de5ca7629817594ccd6ef923e8ca0da07f47690bf514
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d000bd02-a2d8-4539-bc1a-f3fbac2cde31.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
16B
MD5589c49f8a8e18ec6998a7a30b4958ebc
SHA1cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA25626d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
136B
MD5d926bfa2a54891efee773116df5abafb
SHA18f0229090286b9a7065fcf389436f7e4ea519bcc
SHA2566abbefed8d96ad5658de38d0cabd62570d739402cb80a55efc7c3708de1dd560
SHA5125d7057078e7298e4b2a55cb39fd3306c7c368696ca18e19dededb9b35316b3ee94a2985dedc2439aa277ed932ae5e242ad870e30594457f01835a529e59ef5a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004
Filesize50B
MD5031d6d1e28fe41a9bdcbd8a21da92df1
SHA138cee81cb035a60a23d6e045e5d72116f2a58683
SHA256b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da
SHA512e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904
-
Filesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
Filesize
44KB
MD5d43bee3dd3ea24d88e30c441c39ca1de
SHA1581ce1f8beeb267c5995e6a3c436e8de28f88abc
SHA256847c66de0a593402e676ae20a606dabccad2f36062e01698fa4b074aec013265
SHA51231134e0f73583c4101d749c9ff9a5b8f058de34457a26b62ac393b3f98d5eeedc35f10196c50c7eb8fd9bba4e353c67f0f44f68860027860c2659525260af024
-
Filesize
2KB
MD56686172ffcc559e73d31eb2afad3fd08
SHA13a5122c9d29104b5b3459318b8a24a48a670184f
SHA2564f74eedf79dbfe5c4245fc9e79823a1efaea43c7c215cdec5b0a9aa54da128b0
SHA512fcf8c0185c460ecb9b2bd4e0b21ef1294dddb1ecd9a28dbd8566afd41675f35377754786085032c7043402b21c03e9fe4e87ef930521cac9268766ab6154d4e4
-
Filesize
319B
MD56fdfa70d4b02b4eccdd5937b0eee977b
SHA1eef1a2abcb335ce94f73827ee793237ccd07f684
SHA256f90621bb115dc383f2c7798e529aa4f94430e4721ce58b212f673b06591ae7d6
SHA5120a1c41e613e0e7a7331817abd85b9ed0a17b5b2e0acb4c5ffc66d6f55d27266ba8b237149f00952eb6c5a688038aca33e0df7d025af0ff01a5b94330b6828e2b
-
Filesize
565B
MD5c4783a861d95134f1c8b7dbe9bce5e2f
SHA1a0a5b2099359214c30ae1272bc8ea7239048ea2a
SHA256d5b580cbd8ef4a1ed164bc6e164c827938f56d0577bc1261ec99454558715d9d
SHA512257e56ad2cb8c55bf71662332f6da9a8e1ddfe1b9967189c5bd5547e5a0be6c39535fbc3187394d97b7eda1814e05e7e251df364502830c2bdbd9c30bd02ec5f
-
Filesize
337B
MD54ef9b59edb4de9cdda881437b1020df9
SHA1dd4986dfe876f100ef266c953b05579b0553e5d6
SHA2560413abbaaf9f52e625f2b3a355e8f92a92e71571f5ee24fb05021975cf88bbeb
SHA51217626da6e22c1c3f78e11b7f5e727477ff5993e6234c1f019efd4bc7e8117d0c484eb652796359ca43f16929affa76e8adf73e2cf4a7b6f8d756821dbbc4d74b
-
Filesize
44KB
MD542c8dcf47b5f912350354f4138494cf0
SHA10b37b5836ee67995bbcbc8eff1c17f69dc2eb6aa
SHA256e7ce7ea63345b543d5b45febed8be5921f4f7cb89cb76d3c89d24d528461a1b6
SHA5124590830040b1a71e9429098531fe8acbd959402ed002050cc9a0b760737fce7c26b64ae1f24fc73203375cceba7afa0ec495f8acf653d29f97cbd34a9d8aa16d
-
Filesize
264KB
MD571e334f186585989247a9b753ea5323f
SHA1a1e0e3279e0bf007027a859da44349a5253932da
SHA2560164bd31ce16e7c6d5357461043369f450210453d584158f456bfa30cf12c0e9
SHA512c934054ee4087179b10fef35cf42e2e0daf4282e0da92d57b1c8664e97dc9f97715d1dfb0e45386f9f7125377646f74bfa0c52b32c14d9d9612498df011fd4f0
-
Filesize
4.0MB
MD5fca179877489616aa9ce819ce368a98d
SHA1c8fa7fe6dfc9f6ee8be2bea45b196af77eb58487
SHA256114389ffe3cfb77ae9262a329970b29a431e45e1a632f611ab915f194ab7ce9a
SHA512a5cd2d4e37169e7c0b593b15450dea3ce11c717450f79e8cfc28e657f0144076efffd47137c610b44a508f29c1a815ae04c9e35afc192e07cb459b12aedddbbc
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
11KB
MD5bf136ac6c31a7c77ede5d72bfc2b4334
SHA1c20ade5872884f807cfe64f5acefa0105e46523d
SHA256a6c675dbd75e17d47c2e0895eebdfc09a5b4356003a9d4586bc9ef5763f3936f
SHA5125da1941317ee2ed0c2329d8ac4efa47d1917ab044c01a988c4ff05214ad42d72778697aa847442a55c7e98346c2bcadf078eb52ddca8792f3cf4fcfceb08b423
-
Filesize
11KB
MD576dc3f8c01b5c305199c1249bdb25c6b
SHA12646260a75a02a0f47c2e88a1b5916a7f33c3027
SHA256055e623fe9ee2cad1c402029ab7d97cd919d0355aba1d606946da626b598a8a1
SHA512f08c51df368458d9bbc52cd8b744ed330e9c0abf72248f7c31755eca60cf7a19711a64d834ec4d05d9ebbf402531874561e6e0ee1cfe4908c42552b66a30e296
-
Filesize
11KB
MD54abb6abef06611724e61f184e09f61b8
SHA1d013072026fd67554ede06c072cdbf564e343909
SHA256a13b9759e745c70e3f36551528a89cd7f58279202cf9e8e1c2e6395251b7f213
SHA5121619bc364466c3d93e14cf7680aa4d06a32bf7ba4d8e0cabb5eb58a3e270bbeb9d836d068fa352111bf75eb02fca271492e5db0e5eaf15621ae130279ea07ef2
-
Filesize
11KB
MD5a76485171c1f9cbe98e819231ab717ec
SHA153bbf2335d845d533fa039c65dbdb920497f3569
SHA256facb12b1104b4ac5da683412b2901890f879d6fd379ccd16237c230bb57e048a
SHA5121d3ffbb1d2b0786e6911e3bf474d538467a7adf90c3d27e0b100ea45a7573449bc16d25d2527eef137875d9870b1d5aa166c7686772aa193117d6b279f62e786
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
4B
MD599c1967abe0f4b0a1c1ab84236743055
SHA1f35a2f968ea6a49d95935f67bc565c60db398848
SHA2560938413871fb4817cfa0590f4344bb7fa18cdf91c1bf42fec0decfd75a602fdf
SHA5123e3afcd47dec1b42b66bd9c62dcd78afeccdaf67b18ef23c613e9f0c80269c74c8f61f4af7fdf95eaabe39611c442393b35ba070649a0e1d8d650ca515e062f2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5f8968e87704084db39b44e2d570a8c89
SHA1fe6e310d3dfb7c576f8c8c604560accd7167b046
SHA25617390114413b39afbef3852b3478f6784a25ababd70b5974fc987af0c1f6c10b
SHA51238b0ef536cc1d1d1f94a9ce542866a7b0c6107750c92e134bb0b1d5fbe3e639f7764332e0c687d6fce9ae9b7fdc06752d8381500a5180e5303c4a37658497aef
-
Filesize
1.4MB
MD557749553c159683cf8c646bea1fa7e21
SHA1414bdd48c6fd752f6d6100ad1c38fdecda8ffece
SHA2565f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13
SHA5126f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41
-
Filesize
377KB
MD58690997c90d94b5a10f2fe39caa0d7a6
SHA1ad05c719b046da3946e370409b342e3c67946a87
SHA256157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1
SHA51239d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0
-
Filesize
3.6MB
MD5f96eb2236970fb3ea97101b923af4228
SHA1e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA25646fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA5122fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
-
Filesize
13.8MB
MD54de784dcf73d6a71b45f090e999a591b
SHA1a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf
SHA25694985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2
SHA51283e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d