hxxps://www[.]nexusmods[.]com/gorillatag/mods/280

Analysis

max time kernel
178s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.nexusmods.com/gorillatag/mods/280

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4164	netsh.exe
5080	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	luminati.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	luminati.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	luminati.exe

Executes dropped EXE 22 IoCs

pid	Process
5652	MentalMentor.exe
6256	MentalMentor.tmp
6104	7z.exe
6468	7z.exe
5140	7z.exe
5276	7z.exe
5996	luminati.exe
1604	test_wpf.exe
2288	net_updater32.exe
1736	net_updater32.exe
7048	test_wpf.exe
3316	idle_report.exe
1020	mentalmentor.exe
6200	mentalmentor_crashpad_handler.exe
5588	brightdata.exe
3208	QtWebEngineProcess.exe
6548	luminati.exe
3144	QtWebEngineProcess.exe
3760	test_wpf.exe
7016	luminati.exe
3284	test_wpf.exe
3100	QtWebEngineProcess.exe

Loads dropped DLL 64 IoCs

pid	Process
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6104	7z.exe
6468	7z.exe
5140	7z.exe
5276	7z.exe
5996	luminati.exe
5996	luminati.exe
5996	luminati.exe
5996	luminati.exe
5996	luminati.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
6200	mentalmentor_crashpad_handler.exe
6200	mentalmentor_crashpad_handler.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
6548	luminati.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mental Mentor = "\"C:\\Users\\Admin\\mentalmentor\\mentalmentor.exe\" silent"	mentalmentor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_488E097E1A6B1768143D54114E281A12	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\BrightData	net_updater32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\idle_report.exe.log	idle_report.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_488E097E1A6B1768143D54114E281A12	net_updater32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test_wpf.exe.log	test_wpf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	net_updater32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	net_updater32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luminati.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mentalmentor_crashpad_handler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brightdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QtWebEngineProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MentalMentor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net_updater32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idle_report.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mentalmentor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QtWebEngineProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luminati.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QtWebEngineProcess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net_updater32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MentalMentor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luminati.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	net_updater32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	net_updater32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	net_updater32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{C3B1F316-DD8E-442E-8B74-377057229649}	mentalmentor.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	QtWebEngineProcess.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	QtWebEngineProcess.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 17227.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\lum_sdk_session_id:LUM:$DATA	luminati.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	533	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1020	mentalmentor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
3444	msedge.exe
3444	msedge.exe
5288	identity_helper.exe
5288	identity_helper.exe
5804	msedge.exe
5804	msedge.exe
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
5996	luminati.exe
5996	luminati.exe
5996	luminati.exe
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
6256	MentalMentor.tmp
1020	mentalmentor.exe
1020	mentalmentor.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
3208	QtWebEngineProcess.exe
3208	QtWebEngineProcess.exe
3144	QtWebEngineProcess.exe
1736	net_updater32.exe
1736	net_updater32.exe
1736	net_updater32.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 50 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	luminati.exe
Token: SeDebugPrivilege	1736	net_updater32.exe
Token: SeShutdownPrivilege	1736	net_updater32.exe
Token: SeCreatePagefilePrivilege	1736	net_updater32.exe
Token: SeShutdownPrivilege	1736	net_updater32.exe
Token: SeCreatePagefilePrivilege	1736	net_updater32.exe
Token: SeShutdownPrivilege	1736	net_updater32.exe
Token: SeCreatePagefilePrivilege	1736	net_updater32.exe
Token: SeShutdownPrivilege	1736	net_updater32.exe
Token: SeCreatePagefilePrivilege	1736	net_updater32.exe
Token: SeBackupPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe
Token: SeSecurityPrivilege	1736	net_updater32.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
5588	brightdata.exe
5588	brightdata.exe
5588	brightdata.exe
1020	mentalmentor.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
5588	brightdata.exe
5588	brightdata.exe
5588	brightdata.exe
1020	mentalmentor.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe
1020	mentalmentor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2768	3444	msedge.exe	84
PID 3444 wrote to memory of 2768	3444	msedge.exe	84
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 1500	3444	msedge.exe	85
PID 3444 wrote to memory of 2496	3444	msedge.exe	86
PID 3444 wrote to memory of 2496	3444	msedge.exe	86
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87
PID 3444 wrote to memory of 452	3444	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.nexusmods.com/gorillatag/mods/280
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90e9546f8,0x7ff90e954708,0x7ff90e954718
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1
  2⤵
  PID:6740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1
  2⤵
  PID:6816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9016 /prefetch:1
  2⤵
  PID:7084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:7120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8000 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=8928 /prefetch:8
  2⤵
  PID:6196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1308 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8600 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:6544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9052 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:6504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9336 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10180 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,14747888104878725139,14537532333980924319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5060

C:\Users\Admin\Desktop\MentalMentor.exe
"C:\Users\Admin\Desktop\MentalMentor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5652
- C:\Users\Admin\AppData\Local\Temp\is-1KCFD.tmp\MentalMentor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1KCFD.tmp\MentalMentor.tmp" /SL5="$90298,2487297,845312,C:\Users\Admin\Desktop\MentalMentor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6256
- - C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\zip_libs.7z" -o"C:\Users\Admin\mentalmentor\" * -r -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\zip_bin.7z" -o"C:\Users\Admin\mentalmentor\" * -r -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6468
- - C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\zip_lum.7z" -o"C:\Users\Admin\mentalmentor\luminati\" * -r -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\zip_html.7z" -o"C:\Users\Admin\mentalmentor\settings\temp\inst_gui\" * -r -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5276
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall add rule name="Mental Mentor" dir=in action=allow program="C:\Users\Admin\mentalmentor\mentalmentor.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4164
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" advfirewall firewall add rule name="Mental Mentor" dir=in action=allow program="C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Users\Admin\mentalmentor\luminati\luminati.exe
    "C:\Users\Admin\mentalmentor\luminati\luminati.exe" switch_on
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5996
  - - C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
      C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1604
  - - C:\Users\Admin\mentalmentor\luminati\net_updater32.exe
      "C:\Users\Admin\mentalmentor\luminati\net_updater32.exe" --install win_global_microtrading.mental_mentor --no-cleanup
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2288
- - C:\Users\Admin\mentalmentor\mentalmentor.exe
    "C:\Users\Admin\mentalmentor\mentalmentor.exe" install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1020
  - - C:\Users\Admin\mentalmentor\mentalmentor_crashpad_handler.exe
      C:\Users\Admin\mentalmentor\mentalmentor_crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\mentalmentor\sentry --metrics-dir=C:\Users\Admin\mentalmentor\sentry --url=https://o4505329939513344.ingest.sentry.io:443/api/4506451695239168/minidump/?sentry_client=sentry.native/0.4.6&sentry_key=0cb1bfe551768937b10a49cd2122722e --attachment=C:/Users/Admin/mentalmentor/sentry/log --attachment=C:\Users\Admin\mentalmentor\sentry\b4d576a3-19c8-4f3b-d8e6-7776b004fc1d.run\__sentry-event --attachment=C:\Users\Admin\mentalmentor\sentry\b4d576a3-19c8-4f3b-d8e6-7776b004fc1d.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\mentalmentor\sentry\b4d576a3-19c8-4f3b-d8e6-7776b004fc1d.run\__sentry-breadcrumb2 --initial-client-data=0x534,0x544,0x548,0x508,0x54c,0x6b2c7b7c,0x6b2c7b90,0x6b2c7ba0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6200
  - - C:\Users\Admin\mentalmentor\luminati\luminati.exe
      C:\Users\Admin\mentalmentor\luminati\luminati.exe is_switch_on
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6548
    - - C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
        
        C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3760
  - - C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe
      "C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --use-gl=angle --application-name=mentalmentor --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=2948 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3208
  - - C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe
      "C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3144
  - - C:\Users\Admin\mentalmentor\luminati\luminati.exe
      C:\Users\Admin\mentalmentor\luminati\luminati.exe is_switch_on
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7016
    - - C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
        
        C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe
      "C:\Users\Admin\mentalmentor\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=audio --use-gl=angle --application-name=mentalmentor --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=4472 /prefetch:8
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3100

C:\Users\Admin\mentalmentor\luminati\net_updater32.exe
"C:/Users/Admin/mentalmentor/luminati/net_updater32.exe" --updater win_global_microtrading.mental_mentor
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
- C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
  C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:7048
- C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\idle_report.exe
  C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\idle_report.exe --id 96650 --screen
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3316
- C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\brightdata.exe
  C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\brightdata.exe --appid win_global_microtrading.mental_mentor
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\20240817_195149_once_07_service_stop_1.429.308.log

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\20240817_195151_perr_15_peer_start.jslog

Filesize
994B

MD5
ec1ffa348a07e85f3e6b4ef3cd586234

SHA1
0f0460ed688a973078579311134f987515e41d19

SHA256
1b9c10229f8e524e8f493d258148c3a3a5a2532dcbd609797d2b1f22542f743e

SHA512
d11e0686ec22b30833fc4646c4260429b7e01607e579477013caed673736ebd117b947d340124d5cc07c61e089bcbe935192cb1d66ca7d733103301b2bfd2a5f

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\brd_sdk32_clr.dll

Filesize
7.1MB

MD5
c6030e74a4597da324a77da97cb33ada

SHA1
d015867cf7aca7a93f0912e1dccbafb1b2f4e04f

SHA256
44147c861e95842b7cf885afdd84935e28566514b3dccf6a1f8fb97df21aa21c

SHA512
25484367903290a2daa7d847a4db6ee72dba137ca4ee5410824d9d84618a0aa41bd33ae55475efe4f9034409b8e8c97daacbc82dd56c75ad29aaeed478be28db

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\brightdata.exe

Filesize
3.2MB

MD5
ad027044465902bc8a6e85056d3e2011

SHA1
d7ae22a4988b2453c123953e03d0f44a4f2eb9c1

SHA256
e7bc43667b3573755abbacb09e1b47168bff77b10387803b6f867d44645ed659

SHA512
1a34d2a32b5146c9034d1cd08ddf6f250d1c81d3dd567094a138d8ff46ba18fcaa395f284e11ea565c24d48354ee125d231425ed870d2e848836a2d31ab80bf5

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\idle_report.exe

Filesize
30KB

MD5
ddb7556b90d6b912cbc5b96ade855ba1

SHA1
1a6cd4dfb4549e94d2381827de64d58f4a49991c

SHA256
db1b3dc9925acce3d02b620f1110a4ca8fc78813ac5079b3d40c95c56e686508

SHA512
1bd48c043bc2aeb21d1937f92f4ffb3f02866ed74186b401c23af693b7c03ae3590c6ce8a5d1f3c597af36b00175ac9a88505295771e8ea98c4bb10516ed5b46

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\lum_sdk_install_id

Filesize
33B

MD5
af8385df96f15014dc057a17f2054175

SHA1
00e828671b6003cc8078a06b2cd6c19fa0a8b687

SHA256
21332cb08b5a61a613f81e73a656a1d597ec87a2aabe58a063c875b8a0b5966b

SHA512
eecd6d8798c1a1aadc53c9d69b8b3c06cf0b4e7c5ba2cad3f9be803c83cd4964d73e7f445178d2124cc9c5dabc37e11512e68b5cb6a807f2c8b0ecc7acb41b41

Download Submit
C:\ProgramData\BrightData\d1bab175a2a8d47f9b561f4c58dc046b93194db0\test_wpf.exe

Filesize
29KB

MD5
0bbfcd9d525ec710b386e2efb3669b4e

SHA1
5aaa4f7a33f79e6fa71f44b58380229b80f6239f

SHA256
1b67b0bc187bf45a43c28b768b39e6ea5b657afd5433db0661f49ce7a3061d1a

SHA512
e4a654923926a6b81a15335e0165a0e39b721a1e8aa25343d553bcd32667b8edb0ab7a0627da8b9ee4a4e091232e61e30db0fd70595d38568dddda4d52abc0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
23KB

MD5
27e58f81689e46bfd12e9cd1c098c323

SHA1
1202282fe8f65bb6d4fd355272f5bc37b00d3190

SHA256
6150ea1312d6a28224bb453beb02bc1ee1b3af6226ab7a425cac0fd0625dfb4f

SHA512
2b8453eef87040bef9e5778222139f4f6ad620d9fb5d684c4cf4e92c58a7ab21ea178aed48d8ac0170eed0516828d4a90f32c1957c17d16ba4ab37f2d2be92be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
81KB

MD5
0318f3101fc015a6a199befa3e49d2f3

SHA1
1b238d954ac5c61c4ece229928252df3c3ff0001

SHA256
aec88424a38b6fe3b854a43a4551b57d485d5de66ad8b18247d197d6434b7b1a

SHA512
b62a3cb59c9a07e4dc55daa0b2c7db3aca949104413049565ae484694e16f43454f6664f1e8835296385abf90a61f3ac646d71065b859c079fd8b43771f9b3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
21KB

MD5
291881d52877becd9060c2799d198c50

SHA1
8fac77d52deba4c57d9aca6d977fc5d94bd1902f

SHA256
acb1ea8ae92c6e49f6181a992801ed3a0f1b9b466a703654244f36c050a62256

SHA512
2feb0d062fd11845a31d4b933f397116e53f4441784d2026d038cc68a4b1b9f223af157a369a4237b9b8f8d74712ef353da66b7e7e6286f8d2cbf0b9ca4b9071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
99KB

MD5
9a9a489258a260539b84d6e4a27d828e

SHA1
e893c7cfb7778c2156af901acec9e6912b4b4a4f

SHA256
97c9bac0c32ee44216b8419635f6081664e0ad1ead1cb6b49a8ecee27dc75adb

SHA512
336a3e305bbae5dc7641d3e45182f48ae1da1fe587c30415ed875f85c848002a2c03d6ccdbc05ebc36de582377b005d043da9be7182c4c60f73deb8cd65eb6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
17KB

MD5
d31cbb8014c727c9bc8ca1f67bc21190

SHA1
4d82bead78f7e798e65e2ce07015ba6c5fbcb37f

SHA256
d800789d2a4f2f66461ccfc8a01a351293d85a90119b2cbcf1eb2d67b28b6199

SHA512
3b05c87d6c98cd0d9ab9133ed549ef8ded203100cbea4785df2748213871c5635c89ae9d9ca879f4d2821208093658da56ef62b6e7f324e776aa49cfe7abbbf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
21KB

MD5
c55dbb2a5e2048f8ac7b88cafbe13ab6

SHA1
6629572a0fd059184b4e5c57687fa414fa7283d3

SHA256
a82abfaf7dd683f673153324de1295a2a952e5b40fbbc581b5fc39603883f5cb

SHA512
61336d53f5f14636ad0552e92bafec6ab262faea08d28143dbe6f631bd6be86ed1b6b2dd5a2127cde53a1405ee4bc8384c3327521571917dc22c7fd553f108aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
30KB

MD5
6fb26b39d8dcf2f09ef8aebb8a5ffe23

SHA1
578cac24c947a6d24bc05a6aa305756dd70e9ac3

SHA256
774379647c0a6db04a0c2662be757a730c20f13b4c03fe0b12d43c0f09e7a059

SHA512
c40f4771c10add1b20efb81ee3b61fc5ede4701587f29a1c2cdde8b6faabd1c76d769bf8b99aa19082012f95d99ba448a472463fb9056acd2e43542e14e605cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b7fe22f6636a2011dafd9de7d59c0ddd

SHA1
fcfadb6089eaeae37469bca0c526a223342b4362

SHA256
9af671c6ce59360d71113abd9d6c9a8309f8ff333f8589cbc30364a0a564c020

SHA512
259d623ba748802c9ede43b70e6c41bb31cc620ab0734cd3a4cd2f3cfdaa8ff788d26172e03a7cc9d5c09b093a6d69a241cf59ba9f5494014f580606bee69384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.nexusmods.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
d82a724d479d4badaeb454241ce1af0d

SHA1
bd49ca00511612ab6b89113b309da6612ade4ced

SHA256
321fc7e4e6275a8ad3b47fbc31961bbc4bc5fc227fd108d95ba6d520c20cc84e

SHA512
d2375e31cb6a18967fefcbae54c54375813372e88a81a5219aead3d1dd3c18e8f21a1b21b70d40e135979eb279a12699b502c99509e91be0f0eeeb29eb55ab06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
04a4ef3e2c1eb66d9ce88f98869dda4a

SHA1
fd326de0f3533b86a3a07091d413cc3a18c0e70c

SHA256
bc1d859fb9a663ba51dd1b60c5e864f8eaf5a3383217346f52972af954cecba3

SHA512
d600aebd3595b698159bfff2e7236a64b637d697aca683315d4a73b43c3d1ff0a29c9db88a72680e9fb74ed8356eb63f401c250bc0e36135f684a5931638b369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06f2ba8e487cf48e61108d08f162b26c

SHA1
8ea1a1a1e60b98f60922d6bc23238ee645f3b0ac

SHA256
4bf591c26c0382269dd56e62a0a38b739cc7b892feea8ada68d7671d5744c063

SHA512
cd0393e64587c37cc3efb2525e787172af9dad8afcfe212963025eac70e3fe2cd3e5da8c9fd29136835763b85965348924c3cda66ed6e7d4a43744ebc27727ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
8c99e6de193a8c35720dd7655b8e5c00

SHA1
50ede7b470900463ee19bdca456f5adf4e0df3fc

SHA256
e3eac1aea012ff61d585791aa51b105b44bb3d0c33d06a35934d26776c6f2327

SHA512
ea0b13e56d4d30e58d802c2b9c224afd5a02ed362cd3a198682b9ee9cbeba785106e2217de3a8f36c62264e52631c1330e7bb04c92aca9b15d12d7dfaf14d42f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
1e35282eaf7e5033822103be9e33785a

SHA1
419684ba9137833d8e620533af7aeabcf88121a8

SHA256
a749ab8fa9fabd12bb12f7efd2a12bdf73e1ef7e6c015145b0ca51dfddf11494

SHA512
2c11bf7e244519a1e8e8a96fd4f4859da0d30f43c5758091137ec6bad9da8f44965f53b8a2390634a03d137d0dc208000c6995dc937c0c03b1a256d8176028c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
41147bc2eaf09f33b6d25192224dd06f

SHA1
125ba716ca4a31ed0c9cbfb34f085185a36bca09

SHA256
720b73e3470f6bfdb84a4aaf0bc37b5eb0efdf9240982d9524120475b6575299

SHA512
d26ef19a5f49b1bddf242b6e3748ff9a950731926a7decc30521554b8dee7aab92e15d157a649a86b3264afd1883251ace103a50798c47e3b504dfef42cb4b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3c537e0e1147647729eb448678b21b1b

SHA1
f447b211f7bb024bbf06109d0cc6c657623fc828

SHA256
167603f2f41155fcc881c6aba2e7711ab63a2017fb93dfb8f87c3810f5037510

SHA512
4f4962589365cddbff1e652daddbc96ef0aa7281f6cd842e191f9b1224af8f6456cf9d19e107731619829da7186c3ceb168b12c5dbf6847c0939e1ea5f3e3cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
78e6f655c7c64e1fe3394b0a97a5eb9b

SHA1
e2df0243b6eee7ca99e6cff6ab076979871a3cb1

SHA256
1440c22b69a6c4db1960b79c402a581fd7668161d56ab3d21d58c2e46d4e6472

SHA512
0b5549c75bef2e94714a60bc16ffb1e1a8ba745e85af6d5b8f9fd1d75cc9b548178d6147eca2ee1626ea4f7bde1a093b162439f8969e3020d32e617b9e1106d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
38677514a61548525db2d1304bd9cc2e

SHA1
47f139e19ce1e93e1d0c5a6ce4ef897c5675950b

SHA256
b24fed5b82a0f0e2eb6ec151f2766ed8dae98c6b834c12776695f9026fcde6c5

SHA512
0294804a36f84bcd84b352650d1e1e9283c6d07b190bbd5e4194609661b5bb2ee694e75be875b1e4074a5664a3ba96d463d000f105a12bc9c0cb8580b0a65a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d9d5.TMP

Filesize
1KB

MD5
cd196afb14703af14f7362c476289776

SHA1
b256eed5d842380e7daadabd2ec4daffa1f1a478

SHA256
57ec9ae9116f1669bcae2a1b18f1ab6ff6f70e9c6179823f170ad0ad5c0c085b

SHA512
376a7f99636d143a9108bdbf106ad27392cebf3e843f060745664baad25a7da512277c28f3725e63a8faf8fef02ef483fc23eb3eea5580fa954ba0fec1903230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b48d0cefbb42c96da575ec043dbd4d65

SHA1
daaa4cce24a3da18b8d5dbf9e2ada472b3503313

SHA256
9c49fc9a96de61e1a0dac79598459aac5f31e5c6b8832da69c8b2331e1ab3b8c

SHA512
3902d1c3acfb2da598a67d80340ed3c6ea6c3deff22bfcbe38ea87e4bb063c27febb7788f1024c6071cf43d38c10ebb0fdd03a5554f8b9ea39eebe7643f05632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3035488094aa2502ddf089fce6864bcc

SHA1
05a20d074063a771f6708879ddc87a772d39ab33

SHA256
88a53296a2957ef74003f5adc3062a04b913e82c9c0d1cc6d529ea3b0dbe8275

SHA512
04534ddf0291b154ab9cfaeabb2b1974783f9c27f8967028ab731f585a25ad8f2ecc5243558aaa0e79bf31a6d25d8fc5cdb2894bf6766fbcf721216e3c695918

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\idp.dll

Filesize
2.6MB

MD5
347530853fd2439ce98bd9a4faf643a0

SHA1
5becda68c81b692a7352840a8d8841023cba7e93

SHA256
6280e78986521f8662e1408d7cfe3bab343aa043e4fa15c8fe9b424306b194d9

SHA512
d9be9bfe254d4c7297034d481ce6144d85a0a5c9cdf20c7d6906ea2091239ab39d26b9d7b651a750a16cbb7d984a0ffdf69027d97a6dc8bcca1a2fa162b88dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0TVJQ.tmp\mentor-inno-lib.dll

Filesize
283KB

MD5
b53e08b82850626c046a5cebd295e41c

SHA1
086cbe08eba3fdc68371f46ee29e6dbeaa5d6876

SHA256
5120508b7cbdee3d9c89c8ece6e95c9bee018c4e09f13d5e0e2f7cf99828d0c6

SHA512
d76ae06d131450b5590e1c816615ad0b7bacfd648e34a69340c2c68c498d0670e3384dfa4d258064f66f590c512fdc5fddabfb55776fb729ab51c0cbfd4050be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KCFD.tmp\MentalMentor.tmp

Filesize
3.0MB

MD5
0d041f22d598f3a63bdf0e66c448bdab

SHA1
591fc72ec32e7efe2e641dba38c3cd7b6d415450

SHA256
e6b54015c403e3016b848b18fc488d4d281a752bc9ab2a3324ba4d8efb642563

SHA512
5dd3af37f06f308f348213c0305acab38cf279556c12a9b14d0343072b1f431778c75129715a2b04abcf219baaeba665faa08fcb4692d2ede36b2511178de210

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 17227.crdownload

Filesize
3.2MB

MD5
aee4dd798da9f13ac44fcd2eb5b6b296

SHA1
7079918f2ae966e78f7f234c088ce1feb7db00b9

SHA256
2952264b226a7f252a4195087e104e326cb2d70ae0ffb526c5051006059b0166

SHA512
95b6d31aa2ce2e9a58a23568f9e4cfd5fd13fe4e23bd71fb1218a45c17b0a273d8ac546414beb022f4386ffaacc34591d8a0b12c0e287197a5b52fbeea345a5b

Download Submit
C:\Users\Admin\mentalmentor\settings\webengine_profile_main\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\mentalmentor\settings\webengine_profile_main\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\mentalmentor\settings\webengine_profile_main\Platform Notifications\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1020-1548-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/1604-1178-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1604-1181-0x0000000004FF0000-0x0000000004FFE000-memory.dmp

Filesize
56KB

Download
memory/1604-1180-0x0000000005010000-0x0000000005048000-memory.dmp

Filesize
224KB

Download
memory/1604-1179-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/1736-1354-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/1736-1343-0x0000000007EB0000-0x0000000008454000-memory.dmp

Filesize
5.6MB

Download
memory/1736-1323-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-1320-0x0000000005690000-0x0000000005DB0000-memory.dmp

Filesize
7.1MB

Download
memory/1736-1308-0x0000000010000000-0x0000000010857000-memory.dmp

Filesize
8.3MB

Download
memory/3316-1363-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/5588-1398-0x0000000000EC0000-0x00000000011F6000-memory.dmp

Filesize
3.2MB

Download
memory/5652-1024-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5652-1387-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5652-1005-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/5996-1211-0x0000000006000000-0x0000000006022000-memory.dmp

Filesize
136KB

Download
memory/5996-1209-0x00000000064B0000-0x0000000006BD0000-memory.dmp

Filesize
7.1MB

Download
memory/5996-1238-0x0000000008350000-0x000000000887C000-memory.dmp

Filesize
5.2MB

Download
memory/5996-1212-0x00000000072E0000-0x0000000007634000-memory.dmp

Filesize
3.3MB

Download
memory/5996-1251-0x000000000A9D0000-0x000000000A9D8000-memory.dmp

Filesize
32KB

Download
memory/5996-1252-0x000000000CBF0000-0x000000000CC82000-memory.dmp

Filesize
584KB

Download
memory/5996-1253-0x000000000DE00000-0x000000000DF86000-memory.dmp

Filesize
1.5MB

Download
memory/5996-1210-0x0000000006BD0000-0x00000000072DC000-memory.dmp

Filesize
7.0MB

Download
memory/6256-1376-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/6256-1177-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/6256-1025-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/6256-1018-0x0000000000D10000-0x0000000000E50000-memory.dmp

Filesize
1.2MB

Download
memory/6256-1017-0x0000000000D10000-0x0000000000E50000-memory.dmp

Filesize
1.2MB

Download
memory/6256-1287-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download