hxxp://maddnessporn[.]com | Triage

Analysis

max time kernel
865s
max time network
852s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 04:45

Sharing

Report Analysis Logs

General

Target

http://maddnessporn.com

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
5188	Parasite in City 1.03.exe
1916	Parasite in City 1.03.exe
2772	Parasite in City 1.03.exe
5936	Parasite in City 1.03.exe
5300	Parasite in City 1.03.exe
3680	parasite_in_city.exe
4316	parasite_in_city.exe
6112	parasite_in_city.exe
5448	parasite_in_city.exe
4740	parasite_in_city.exe
1824	Parasite in City 1.03.exe
1852	Parasite in City 1.03.exe
5664	parasite_in_city.exe
3564	parasite_in_city.exe
4412	Parasite in City 1.03.exe
3384	parasite_in_city.exe

Loads dropped DLL 8 IoCs

pid	Process
3680	parasite_in_city.exe
4316	parasite_in_city.exe
6112	parasite_in_city.exe
5448	parasite_in_city.exe
4740	parasite_in_city.exe
5664	parasite_in_city.exe
3564	parasite_in_city.exe
3384	parasite_in_city.exe

Adds Run key to start application 2 TTPs 8 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Parasite in City 1.03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Parasite in City 1.03.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Parasite in City 1.03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	parasite_in_city.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{8ADC8EC0-E910-472B-B3A8-684782FC4C04}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 380786.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2252	msedge.exe
2252	msedge.exe
4984	msedge.exe
4984	msedge.exe
2940	identity_helper.exe
2940	identity_helper.exe
5428	msedge.exe
5428	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
5868	msedge.exe
5868	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	parasite_in_city.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4728	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3384	parasite_in_city.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4452	4984	msedge.exe	83
PID 4984 wrote to memory of 4452	4984	msedge.exe	83
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 4756	4984	msedge.exe	84
PID 4984 wrote to memory of 2252	4984	msedge.exe	85
PID 4984 wrote to memory of 2252	4984	msedge.exe	85
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86
PID 4984 wrote to memory of 3416	4984	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://maddnessporn.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7596 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8604 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,3612834990995061401,14090444786082626366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5188
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3680
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4740
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6112
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4316
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5448
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5664
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3564
- C:\Users\Admin\Downloads\Parasite in City 1.03.exe
  "C:\Users\Admin\Downloads\Parasite in City 1.03.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parasite_in_city.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parasite_in_city.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
41KB

MD5
a7ee007fb008c17e73216d0d69e254e8

SHA1
160d970e6a8271b0907c50268146a28b5918c05e

SHA256
414024b478738b35312a098bc7f911300b14396d34718f78886b5942d9afe346

SHA512
669bec67d3fc1932a921dd683e6acfdf462b9063e1726770bae8740d83503a799c2e30030f2aca7ec96df0bfd6d8b7f999f8296ee156533302161eb7c9747602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
1.2MB

MD5
9f8f80ca4d9435d66dd761fbb0753642

SHA1
5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

SHA256
ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

SHA512
9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
27KB

MD5
c3bd38af3c74a1efb0a240bf69a7c700

SHA1
7e4b80264179518c362bef5aa3d3a0eab00edccd

SHA256
1151160e75f88cbc8fe3ada9125cc2822abc1386c0eab7a1d5465cfd004522c8

SHA512
41a2852c8a38700cf4b38697f3a6cde3216c50b7ed23d80e16dea7f5700e074f08a52a10ba48d17111bb164c0a613732548fe65648658b52db882cacb87b9e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007e

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000085

Filesize
24KB

MD5
bd8cc9d83c149eeaad1ad43016482e93

SHA1
0dafbf23ee107066d708d9e4ab9697a2d7b90371

SHA256
08a031f5fc10a82f7e5ec1eebeb4a5fd92f21c2be56f3d6529427cbaf67fe0dc

SHA512
ac8c6b9d7f919080d7fb4c9ff6bf980a55109daeb1a35eb60b1704a41c1151cafcf20b1545dfb26e1e9e39c9f726813c99d9f61c3305b186a825c29e0f68972b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000086

Filesize
19KB

MD5
6d10689b844c62a5a41a37dd0dbdefa9

SHA1
20f00875bf8daf4487386384e37c9b52afecc315

SHA256
309115b290497c2b5826553e2c1b429f6ef0941c543c9fb420ee0fc55d8a04c2

SHA512
64985921a99f229cb37682700818977b89dd9b547dc10e7d7541b8f290d1583ecd79d0f23818450f7486f4902a7c5cc71df8851e60d0e5c488344f88e2cfd2f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a0

Filesize
53KB

MD5
2c4d977d5fe4952355e21eaf1d52e874

SHA1
da02f09fbc5d774728e0d96a4fb7c506a0db4dde

SHA256
96c3e540c808068a73164179ad0e1cbdefd4a4415b1d5c4fa953af833977e401

SHA512
d8aa283763f8efd3c9ea80c9bb0d3f2817dfeb99e6fb21dada196c4184a73bfcf0e0be57cb5c3dbbd35426bf43e58e665c8ecbbdd062f7bb6f159660f39fe025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
ab4780e2897d42fc8f73b845f010da16

SHA1
04ceb5cc2afe729d81c68442f18df36e7a582d2d

SHA256
950053c4bc06da1d31c531764414f48dd9f6518e53d3fdd5afc5fa1ff3115e83

SHA512
96e5a64c9912dc30639169319e0ff40374401730fbf19e40fc3e09f0545d6e8400d1cc4b4b7f11ba8b814b0326778cb82b8a85b9528e360047eb481e7fbe47b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cd758e681a6d105edcc8935e9cb43e43

SHA1
cc94fab10026c6a1fdb7017601a0b67dcc2d74c0

SHA256
2bbc6c67ca9273ad91b17c1968f92318e50b637c551b8b2b9a0e510ce24437a3

SHA512
8384400018964b6e3ed6781d83ea363893ab0a89fa9a9cc0d8b8c23147bfe27b71bd3720a9c95d1ee3327665e001cfc0090b92ceeb0bceaeae27803013018c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ef7dca3703c6cdb2626ab7ab5041a6c8

SHA1
5ba7927655307c408848508ecc27a9b14e10a415

SHA256
56e1ed9014749675b9cb056bbe3624e95d4cbfe9ef7c2728245478b359c9f826

SHA512
3956c5241b1cbd3c055fc13a523a5bbf5b247777ccf146fbb7cb6a197b77c2f1bfbdec2344eea206d38afb7b8517c7dbffe4034e1f9fc2b78c6a3fb3d8361248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
46e2442af7801fd19a04d377326b3e63

SHA1
2daaf18386693b1b30184b71daac1d4aaf9e6de9

SHA256
bbc54e983b49d02100e35c6b58334b578ec5cd0d8358824fc2ab8fd74205582d

SHA512
dc90f37c5d603d5389493b911304075a144ef580fff13ff03e101ae6147bfef9fba249d512d04e405bdb553ee66b4c2311131db3707cc955d8e526626fd0f4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
d9063a4a0bf0d3870ba6a48c06f13795

SHA1
31a73c84d4921cc4d1ff432ca7cccb465457d8a8

SHA256
19fc0d252ed2080c95d86688fb6013a2ac3d56782a406e528126f78cd47d2799

SHA512
5c796850d5feea67d73cd52c8178c2398d0fa5c7b04d8bd3957b5bba514998334b9d7c039556404c311771dd5cfe3aa3898f1405fd4fe26fc28409c9195a48b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a05ffa9b425d212b996bfdb2d3d45958

SHA1
12238b8db7d87e94b356871d9e7d908c8b403bea

SHA256
a631949a53b6a83bfb57792a6bd3c385aaf66c0e29e310d4fdcec2980fac46ed

SHA512
dcd3039dbe0a846fa36ea5f4f231254f0bb2f3c74c5d7c2ac56d8075ac1c83bf33f70afad769b0e66d257c772e3338089fbba417d0aba40c2b63b9bf64f85c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
d16393b820746796ced5d125c1003a73

SHA1
4ccf7b9d66d350e3f43bfe3ae142fe07757c6777

SHA256
6a5156f25059a7b35b06971252b011f8b5fb3236a0503e704a44708d947d4980

SHA512
1a5757ebdd29b62d29fe02063ae8d4986b4145b64ca1c71a30589efd3dec839d32c6f8314d55937e7f31f1f060fee2d6a7b93f86a09fad8896ee214cf692ff1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
0262254a12a15f55ce4112d23e76fe2e

SHA1
d25bb804cd37c1f5e19d860f4b9acaa8994d7e4a

SHA256
2e655ad3203f9d316e77b5a7cdf9f566fe022f52fd5668484f76527c555313ab

SHA512
6e916a3acaa3946d0fd337ef8257a2397b7995c3567ed69193f4b4b38b8ef0ebd5a07a067fdc827339185ff1a7a419ea2352c9c53ecce9471a5d2f41a785d948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
9c4e788601d8a3e53c4ebaaa8ede3f22

SHA1
98e9d125fff1e22e499b92edcf322bb505cf6cc1

SHA256
d5f030e4c73f316a4483198a9c9ae088723e9e61b51039830fe728481d671a7f

SHA512
836ae1e94cf83eaac1e83911dfa4d507464ba61a4aaed2223ba8e415785e7b1b8ac9ed2e636b6eca85f35e47e2d754b6239dce4e0c1023da16935729ac0aa9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5aae629f5c82d59483f8e50e6e65d73e

SHA1
f77343785c53685fc0e9bbdd4f2f9fa01955e505

SHA256
d0c89443945172732211d7984ca0bddc1d8c59e5c26285c642ab5372c6faefff

SHA512
25540fc06aaeddef858bd45a4d09b87fce08abf7067e80a3ee51eaa8f0980aab6496a8d7b75d5f9180d0cd9cffe22a8c1e9b1cdca49fae0358086423c1d23f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0593d246a8c806f0ef9ab81b376f45d1

SHA1
29a4c33e3e8a3508862687779e371625dceb775a

SHA256
db349f96b237dbea4acc20e0fc28efa21fea3cbe2e92dd4cc0f83942bcc6f669

SHA512
125e6509b2555acfc8b7a7156e84d4d16c57a6dcb91cf8c5fe204e0ed0e1d7c8c9e074c24de3e199d8e93a3f1b4f8476ef559b91b362244e7252a55fe87f2f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f4c806060ba4101805f73e4b316a640

SHA1
9f4151d71c06d35e841204ddb8bf9f115dfd9181

SHA256
7d93b6139cc236f555ea55fcd1c37a5412170a7c382c511aab86ecc7bb382039

SHA512
85e6fe35730c685415e1140fcdb1a892cb441df3d417a8b32c20e9fab5d0ac2c63c3802b3defaad8375cf8bc5e03177f8cee5c776b1d3310aa096fb089ed6bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0f8a51b9cd5ddae04199c25017679572

SHA1
ec2b900d01fe35cc9fd17770480af9ab68c69067

SHA256
7aef9fe1c3560b1290b01621a67426012886c5f91ee06d19a6ea68a1da89e1da

SHA512
e4c91119a045e50f37960c999a33da59caca766cf28b40984db5ed4d072957764c7a0e285e3b657cfb37e468364782b5c4348391f042e03b473903df6e14a2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f835999350fe34b66e58df576fc3d069

SHA1
fa1956c2969d2eaf51c0a70abbcc4b56286f90d1

SHA256
2c5f7528b7b836d2c2ae21aa15e5ef153d544b8eb4b9bf0318cbb0a73d8caffa

SHA512
59caa2fa1fe3f063669a574f72c6750a3302e71d0eebbf55eaf01eb387f14c8b6c7c953821c5c11b52323e748221cd51236f089f0f67e29ffac1469bee2a79d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d34bd62a2d248712b6f00f474ee7113a

SHA1
8abd1169d48b82ca3b2fb43e40a20e56e9afed19

SHA256
a24e3e9dd492906098b438d6db84bc4021352133b1f3439d49a014c8ceacbc61

SHA512
39deb1cc52710cb03e5b2aca83d994e34fb5f6b6975f5cf8eee5312cec36f90e614c317c8a93770d8f4bb73e87fe798fb52e3ef0994b93f65c2c93166f794f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
b0e300ae6ccc2284882d236104c85adb

SHA1
11e2c319c01e7b2e455c2f5313a742f39c1f3109

SHA256
d20f9bb6279467f816a7bf3b277edc933054959769ace5ba9b906d06117b8178

SHA512
dc23b13cec6fa9fd5d8542bcb6777b5c1b6a49824d4b4ef9ecea377adcf4af7ef90665dc782647aeebb6b279fc8ea09daf7dc820a9952b4111ab8bcac011a774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63485821ae3ec1f6261008aef852f36c

SHA1
d87fc3da6030318c0309ef823b973213cef60005

SHA256
0aa706aba1dca1a21981ee169e8296e52f7a6151fce2fa02ddd99a1cb56b90d3

SHA512
591ef70b4d0fa242aa0581e46adef375217c679e9d264e55bdf24761a14276d69db16ac0906e0d9a80d57106b62b67f952c549e001ac4da7e58bd18d8ef0bf2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
527c12d0a6f5353a517455a7031aebf0

SHA1
7a4a8bd12275c76e1445e6c5ec0934456da31b39

SHA256
ade069eeaaa6443de2ad770f8c2bd2a64b2e4b3161dd0de5e89c8452b70e1e29

SHA512
d78ac844c9e015976efe0a4bd2c2f9ec9d7e791b8f9440f1fac3e4dd811b38629d25129961960467d3fbcc2f055f7283d5437fb8d2d2bbb586700c711b7c782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e23066e89d5a6efd0d882e77227cf565

SHA1
c2600bcabbd6b4377e1ee0d4b60ff72d5a019a86

SHA256
3bfbfa822a90d27b50529d6c11679ae0303dafba6e360950464e722f5c45a970

SHA512
162edefc05cf003edd481ea0ab80b5dace00f9e9581b9d8fe0b25698ffba4ff8df3eb0cf62c92882a58cb6553647fb7b8332273a5d41d770b63e3f3f937bf4b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
5fa5149deffdeb2b5dea04de0385885f

SHA1
4a1791f8629c58fe1aee4500d34f0605320ac5a1

SHA256
5de06502dab963ee36658af74b41d481ef6f279f2522b4461bf807f173954160

SHA512
d8530b98a4a0d4310d1ab495e53bd076e0e465dcc911ac6d5be533e9a7b4d7df3ebc08d845495b7ae572ac7343863de5e6360b1a3ffd45c11714fb26af935bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e5b7980a04e4805673a74179633ecd675ba6a857\7744c306-aa87-439a-a1c2-238856ed5622\index-dir\the-real-index

Filesize
72B

MD5
1da9536a56d5146331a5aad03d1332f6

SHA1
75694c1467f7cf17828088889067dd92949f3668

SHA256
389958b3319bc72ffe8f1c5884f61216765e0e42a0063063c89884557ae8bcc5

SHA512
9146bdcc68395976d1862c180570630ec0ab1a428a36ef2f80e48a198321a386bbeeba090b622f7cc69f03420ae85ecb9befe541353b2457922677ce191028ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e5b7980a04e4805673a74179633ecd675ba6a857\7744c306-aa87-439a-a1c2-238856ed5622\index-dir\the-real-index~RFe58b755.TMP

Filesize
48B

MD5
b2c4ca43867d733c12a8d1fbe1ed1010

SHA1
625f619f86bb254eeea6f802247c6cbb0fb961d1

SHA256
e5c30b1bc87337540af17e3e3bef21c700de2309dc999565061ca2d1229ca69a

SHA512
a804b555e8ba51541d11e5dfee2a277a02e07654f5af6921e6bc5586554acb6bf7f358d6b5f2dd6cc4c742a1e4d219b752a3004184be77a6179900720680852a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e5b7980a04e4805673a74179633ecd675ba6a857\index.txt

Filesize
103B

MD5
4b404d632fd3b5d288fcd0c13d896873

SHA1
5b82ff115903897718644b3248ee04fa257b5027

SHA256
53fcab7e671e57ea79b734807229938b746c014c526516e095bc02718e3fb9d5

SHA512
59ca875528fef9a981e31c89881648b8a94e7e0c21494c7df393e3acb7cfb342e02e444dceabf62b2f98baafec005b445a373016f164078d1870a74c0a5214e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e5b7980a04e4805673a74179633ecd675ba6a857\index.txt

Filesize
98B

MD5
6365299aa62331a097c8c9ca75d1ed29

SHA1
c06fd5ba410584e9fde6499b80000523379502ce

SHA256
b305b992efa28ddceeb830c41504cb87f78ecf00c784080bf178a065f634730d

SHA512
560522c5b574668dca3afc9d70e06d9f368cd665c572db13810356eab78075629006397a99e3c0ca6c864cd5f8213ca2dd90e18ba18b3d92cb365a507bda4efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0

Filesize
75KB

MD5
42b74d63fe5b2b0ea87487ee7be8913a

SHA1
67c1a3e4339ee581a4239c58a18cef31c7c94f2e

SHA256
f2c238b67aa312bc6a20c57c104b31a88d310b0b149ed7366a07a262c89e2a0b

SHA512
fa0401f732ea0057866eded6baf24fc630c226c8e1e3db0cb281be75de5427cb6c0b230d2ff1e8ad9b00d4b49a166387c77b28bc9c7339c33798087f42f9c341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1

Filesize
142KB

MD5
c45095be12b18570e894c4818b1e7727

SHA1
d65e63f124bbb3ed3f1b28aa4c709bc10efc31ca

SHA256
92b575e8a388761fb704bd561ee496c155e51804c819d2da7d50c6f2cfc8e2f9

SHA512
ab50ce23f54fce1151bd7b9f339b41c8549282530fcb7a719bd376b6322a5c86870d2648e3ae7c959e3fa67a71dcea3790039e129245305e28d7744186d49f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
59d1aecf41cc53ef4608ba6ec9497f08

SHA1
5c5befa81c881c664f5dd16dc157b75b750ad973

SHA256
b776277dc40035aeee24c8a2a6f2caf83bda307af1aa765478bdbb38c2984422

SHA512
9242139433dbd00dc228f2ac6c495e4410821a67f334a02eb025905909d13da6b4b7b174237a55616ed35718ee3cefe69c1592b31f505967225433ecf9fc8794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b706.TMP

Filesize
48B

MD5
0f1f5708005504ee6ff8da7873ceaeed

SHA1
1078084a1016a7c3f0bb1629c1ef385317d290f9

SHA256
86f5f07539236be1d3c18c036798049aca60d22bbe873733d12279a95aefec5c

SHA512
3fbcea4009f789a8ac8dabdb6492e9a7061b8519465609cfa404df9b292a90b8c89b75e5cafb483e7c272de59fc0ec404a79915588bf80fd82dda36378863bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6a95328fae802e563eaf98764cff840b

SHA1
e7de3e23b50c94f2edd6b3122667325f8b70cfbe

SHA256
0e3f8eca141c89fe620bd956973de62e6d422207b807257489b28b210c28df8f

SHA512
1fcb7269f1d010c2cf7d1de9c85f82ec5f99516a8298bacf457aa2b994bf533408f225ecb1d20e8b2cde497ce0b1b88d9f827b8194ae29a302a63eb4fbcd7cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7123f06bd21e559c31344e384708ee19

SHA1
6d05d0fe61c43a70ce4bea3597d3892bac700c2e

SHA256
81e2ac753a161dc5392b76f25c2c345b78ba1387609e2ad9886f5d0b4ffff771

SHA512
e97fa45b92cbba012b5497225cc716a1fd00f215b89c8efd0c1c0f824f48cc9503f02b9e8fee706cb2969269b343f30350eb46f589ee564681a1286b27f6007c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
55765f6015dcc5bcdd15c466030cbd70

SHA1
f1c0398e89c35b0170cd3f9d98e5b2b857cf6fe3

SHA256
e58daf141a93fd15f1d234ddc07ccbe29aeaa986cf83f51cc26d5a7ed1be5049

SHA512
5c18b38b3a603bc53ff9383fcebf4682585cee0dbf9175c68b2c7a607eeb9584e07c6c13cae647b5df18b7ccf0118d3dd20f3793bb87bef877208e88576a38eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ca64b7b5a6516acd37d5ab6e07c2a076

SHA1
e0fa3557b0e23b80a5700dac922fd8847973d53c

SHA256
9223a8ac182e9ae89e834e7f41a328851643ba3d9c22907f72f9fe17cd712002

SHA512
4fb5f7b2f91417e1be3b405c294be5ce33a8e780fa13a6142425012ee7be98ce722819568879a8bc7a2654d5192269db5c3297d18d78706a54ce2538c5ccf1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd357113898a499408a951cb4378896c

SHA1
4ef3950c1af510afa5116d41e9653ec85cc59055

SHA256
9b6b371e8ab2c9904b6bf485ad83e9b1aad8508a0a56d680c20e5563b89ede7b

SHA512
ea27e0c687b8f666882e6c00a302c5419985ad2caf3aa057d2f0e1606274eb53ac70d584f83f4fec3211ce8c5158178a47e2f86fb920226fe9d8f4a52961863d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed2ab203b9bd562724f85a5760c78ae5

SHA1
5c4e89b5c68bad38e7888f82b3a13758f4e3dd27

SHA256
d5a57ea23763a45a737057d1873798d2a0e306f4f8c29b53adc47f8cbb8c26dc

SHA512
66710fc1a2bb98ed85b54b9d6dc4378245b7e4b6b9a648b46b5c9dacf962aed46c1843b2b6f842d0c3ad79a5ba0cc8c5683920cf7555d1aac8d18d08750565ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
732eba2387ac38ad8c7e4d976c64b7f4

SHA1
4fc5ed89c11818c1200e6d5ed20b351493106f2c

SHA256
012c78d5881371c1b4f09cf29128ff9ef72458cff4f03d30f3990479f6274940

SHA512
55d11f650abe1bcae8fc670b29a7574b47976ca566a92f6371d9b291c8575cb3a4e760e74c1890109141580f77086ebce3ee2fa4f0db1708f37daf3981801124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b2f7f15eed4a79fb5213538030429b1d

SHA1
5ec6ac3353460fa15b7662acd9a99cbeed5bebef

SHA256
c673b6c249d405238fb3e6d003f8e3bc8e2ab96926e8962bbd844cb9f71b0cd4

SHA512
1ce48701170dc8bfe708bab3e93f2862eb970b49c4a420085a33e821fd298aa8604d0d7c4bc1ccdc47aaa482f8c85e8f33fdf29a711aeda0f880df8ceb0a9a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c8845b5fe37f44a7beb2bb0346a6a798

SHA1
8031c88814245fb69e604f7dc9b599d2a7056e2e

SHA256
e0e93965240a539a08b287ac6bce87ee5c5b5307f4ca02d0a86588f4196ac9e1

SHA512
2c2753398a9fd6aa49d46806b42fe157a8cf0dbae23033a8c2596529d3031c52c59e46cc0a618ab8d1daa96424ae42b5d00ba982c078f612dc13b43b16c13357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ff9485a2708d8d9ac64c4296bf900a13

SHA1
bbcec833d185bd2da3438b9b0668331b6a1c51ae

SHA256
69c6ad6d149bbfcad83b72afc4269cfec969396e679b15023fc0507201431bb3

SHA512
7dc391f85945d9a338aedcf057b84f62fc7331b556a297c3dd45102220724bf9a2a8603c487c19da0d7e4f3752a2a3e080489cc93037baf019af091bf8caa2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d3bc4ad7974f7828275044f940a5195

SHA1
ac4a70f9319d4672fa0aff771c6f82f23abdb7b8

SHA256
376261a4d2b0f392f87708b33563032f24b065cde217ba3cae03f35465ffbc63

SHA512
51e1165af0ec70355cb9b9e6a7a60a3823646f4bcfcd1242c2d21a1b4380c8c8b6fe3d2dc9fedc07846c9a12849ca3ded17838b2aef4b478d2969073c82c7912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9aff9502598c74242ee990e2eb3b63ab

SHA1
a93e62758ce0698e909a965ecf645b96d470ee33

SHA256
d285663a185478caf70dfd2fbdb6260e04c1d42386fd0aae1675585b5a145820

SHA512
53fec5ba2fbd26afdffd662fa675eb232cd2f3caf1d51ae90ce85b221b86bb66c26c8bfc171721d72fdcbe7c065c67c32bf5f09a8bafcb53e1432a8b904cd28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58844e.TMP

Filesize
204B

MD5
494459d474e114f2cb9e88285e2c5eb8

SHA1
91e5a365bed16a380b9267aa0c87360abfd280d7

SHA256
3f868b9baae8480fbefaf9b985c2bd531b7e2c37577ff1fcbcfa9e426b80281c

SHA512
3d1d5c18f98607a62528148ef5d658193dec56fc5e59ac5d28a1761b2df97ede73009eaaad7b90cf6d8f62b91490c608603779da948602212dd888024ad34dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
934f3670eb67ae31208974b2c6a2daa1

SHA1
194fb9e8636c88bc2410d4b6568623d5ce188fc1

SHA256
28970e4437c21f6a8fa926c47b649311226b368f80303627dadc30542b175381

SHA512
78a673000f570a622536619dd6a1799d66d8db9ee06fffb0f1270b431269ba6de211991f091f9c94f452ef5ebf31520b3b91de189954542d6e043e688f99c3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
392e70a14ac4a0bf968a020805c96467

SHA1
1e9e2ccd38dcc83baf54c3e25c26f3d8a2c1361c

SHA256
41dea4a86ac23a4be8acd5d41c5549eb46a73f2290a248b30ee69b7eb3a5fae1

SHA512
704de4736b1433badd77fb2b09594473997432fea80a725b2693eceeba02931367d1e2230f218e3c4ff44a0f0ac6639aebc0bc99063d8561adaed508bee33490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\parasite_in_city.exe

Filesize
2.7MB

MD5
592673ff03913a468ae5223cf419b6dd

SHA1
e797ac7f5df60b1ae5e9896c3b36b86b2fb555b8

SHA256
fdae7c26b22af47f2b183c6cd02fc849770c984e44bf29d2639f58cba51e5ded

SHA512
5e0d983165fe142127c148087448650a3757df832210c1b3f9bb31399084c30e7e5beba15a2ffb30d562498bb72562f9dbf5f3da62a1bdccf8fec7975b12f1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\D3DX9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\parasite_in_city\sav.ini

Filesize
25B

MD5
69491c6d833bb3ababfe1f2590107edd

SHA1
eb7509a69edd21ab36f4f5258a69f0078084cdca

SHA256
3d1b3a90e24dffb01b9dd2a26cf12c14c478bdedcff82f15634719cf9feddeb2

SHA512
4303422d8a708dffbcef071b88d708bcfa72d4c67eb5e2db3f0225ea98221e57a9ade510025e95b6013861e8861dad8605b8a21737299cb85117a6c2b3318f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 380786.crdownload

Filesize
48.7MB

MD5
505f89772b297509ea4a1c5712d8efd7

SHA1
ca5278a8b36e6b637b728e44606ba53731bd64c7

SHA256
3b358a19eca559e97a246b708003013a6bee7fef9a984cfdac6807ccf7665d7d

SHA512
3084202c3c4217d59ca7db628d0b1b7ae5ae0bd9d8e855c7e75a1eb543ffb3b1b22b42f3e6c7ee2d23735cd49e3a7947dc50f2f7bab6e361a18e7d0164239cc7

Download Submit