umbral | hxxps://gofile[.]io/d/LHhXZw

Resubmissions

04/09/2024, 20:05

240904-yt8tysvgmk 10

04/09/2024, 19:05

240904-xrz9csvdnm 3

Analysis

max time kernel
81s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/LHhXZw

Score

10^/10

umbral credential_access discovery execution motw phishing spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234ad-94.dat	family_umbral
behavioral1/memory/2112-129-0x0000027CC1160000-0x0000027CC11A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1892	powershell.exe
6972	powershell.exe
5184	powershell.exe
5380	powershell.exe
5968	powershell.exe
6648	powershell.exe
7124	powershell.exe
7088	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CrackFN.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CrackFN.exe

Executes dropped EXE 2 IoCs

pid	Process
2112	CrackFN.exe
6740	CrackFN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
53	discord.com
610	discord.com
611	discord.com
52	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
83	whatismyipaddress.com
84	whatismyipaddress.com
603	ip-api.com
49	ip-api.com
82	whatismyipaddress.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
620	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6124	wmic.exe
6768	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{7306BBDD-EFFB-4C57-ACAA-5B151CE69F7E}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 991709.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vPnFR.scr\:SmartScreen:$DATA	CrackFN.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RkwWX.scr\:SmartScreen:$DATA	CrackFN.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
4596	msedge.exe
4596	msedge.exe
528	identity_helper.exe
528	identity_helper.exe
1800	msedge.exe
1800	msedge.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
5380	powershell.exe
5380	powershell.exe
5380	powershell.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
5968	powershell.exe
5968	powershell.exe
5968	powershell.exe
6108	msedge.exe
6108	msedge.exe
6972	powershell.exe
6972	powershell.exe
6972	powershell.exe
6648	powershell.exe
6648	powershell.exe
6648	powershell.exe
7124	powershell.exe
7124	powershell.exe
7124	powershell.exe
6720	powershell.exe
6720	powershell.exe
6720	powershell.exe
7088	powershell.exe
7088	powershell.exe
7088	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 54 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	CrackFN.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeIncreaseQuotaPrivilege	5776	wmic.exe
Token: SeSecurityPrivilege	5776	wmic.exe
Token: SeTakeOwnershipPrivilege	5776	wmic.exe
Token: SeLoadDriverPrivilege	5776	wmic.exe
Token: SeSystemProfilePrivilege	5776	wmic.exe
Token: SeSystemtimePrivilege	5776	wmic.exe
Token: SeProfSingleProcessPrivilege	5776	wmic.exe
Token: SeIncBasePriorityPrivilege	5776	wmic.exe
Token: SeCreatePagefilePrivilege	5776	wmic.exe
Token: SeBackupPrivilege	5776	wmic.exe
Token: SeRestorePrivilege	5776	wmic.exe
Token: SeShutdownPrivilege	5776	wmic.exe
Token: SeDebugPrivilege	5776	wmic.exe
Token: SeSystemEnvironmentPrivilege	5776	wmic.exe
Token: SeRemoteShutdownPrivilege	5776	wmic.exe
Token: SeUndockPrivilege	5776	wmic.exe
Token: SeManageVolumePrivilege	5776	wmic.exe
Token: 33	5776	wmic.exe
Token: 34	5776	wmic.exe
Token: 35	5776	wmic.exe
Token: 36	5776	wmic.exe
Token: SeIncreaseQuotaPrivilege	5776	wmic.exe
Token: SeSecurityPrivilege	5776	wmic.exe
Token: SeTakeOwnershipPrivilege	5776	wmic.exe
Token: SeLoadDriverPrivilege	5776	wmic.exe
Token: SeSystemProfilePrivilege	5776	wmic.exe
Token: SeSystemtimePrivilege	5776	wmic.exe
Token: SeProfSingleProcessPrivilege	5776	wmic.exe
Token: SeIncBasePriorityPrivilege	5776	wmic.exe
Token: SeCreatePagefilePrivilege	5776	wmic.exe
Token: SeBackupPrivilege	5776	wmic.exe
Token: SeRestorePrivilege	5776	wmic.exe
Token: SeShutdownPrivilege	5776	wmic.exe
Token: SeDebugPrivilege	5776	wmic.exe
Token: SeSystemEnvironmentPrivilege	5776	wmic.exe
Token: SeRemoteShutdownPrivilege	5776	wmic.exe
Token: SeUndockPrivilege	5776	wmic.exe
Token: SeManageVolumePrivilege	5776	wmic.exe
Token: 33	5776	wmic.exe
Token: 34	5776	wmic.exe
Token: 35	5776	wmic.exe
Token: 36	5776	wmic.exe
Token: SeIncreaseQuotaPrivilege	5848	wmic.exe
Token: SeSecurityPrivilege	5848	wmic.exe
Token: SeTakeOwnershipPrivilege	5848	wmic.exe
Token: SeLoadDriverPrivilege	5848	wmic.exe
Token: SeSystemProfilePrivilege	5848	wmic.exe
Token: SeSystemtimePrivilege	5848	wmic.exe
Token: SeProfSingleProcessPrivilege	5848	wmic.exe
Token: SeIncBasePriorityPrivilege	5848	wmic.exe
Token: SeCreatePagefilePrivilege	5848	wmic.exe
Token: SeBackupPrivilege	5848	wmic.exe
Token: SeRestorePrivilege	5848	wmic.exe
Token: SeShutdownPrivilege	5848	wmic.exe
Token: SeDebugPrivilege	5848	wmic.exe
Token: SeSystemEnvironmentPrivilege	5848	wmic.exe
Token: SeRemoteShutdownPrivilege	5848	wmic.exe
Token: SeUndockPrivilege	5848	wmic.exe
Token: SeManageVolumePrivilege	5848	wmic.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4792	4596	msedge.exe	83
PID 4596 wrote to memory of 4792	4596	msedge.exe	83
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 5096	4596	msedge.exe	84
PID 4596 wrote to memory of 2340	4596	msedge.exe	85
PID 4596 wrote to memory of 2340	4596	msedge.exe	85
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86
PID 4596 wrote to memory of 2840	4596	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LHhXZw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6c5646f8,0x7ffc6c564708,0x7ffc6c564718
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4140 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8872 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9248 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9272 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9476 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8708 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9824 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10252 /prefetch:1
  2⤵
  PID:6892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:1
  2⤵
  PID:7104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10892 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10224 /prefetch:1
  2⤵
  PID:7004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11024 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:6684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11692 /prefetch:1
  2⤵
  PID:7188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11352 /prefetch:1
  2⤵
  PID:7260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11752 /prefetch:1
  2⤵
  PID:7332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9874282896534744982,13682520230761286794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10728 /prefetch:1
  2⤵
  PID:7652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3760

C:\Users\Admin\Downloads\CrackFN.exe
"C:\Users\Admin\Downloads\CrackFN.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\CrackFN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6124

C:\Users\Admin\Downloads\CrackFN.exe
"C:\Users\Admin\Downloads\CrackFN.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
PID:6740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\CrackFN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:7124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6720
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:6640
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:7044
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:7088
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:6768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrackFN.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c8e81e2dd950d63e4f8b3a6302de1ea3

SHA1
3fc185d78f6d10f91c30b044fe0a51e569bf2214

SHA256
acfe59c3e3b33a5aaa42e6c98a80d1db7f2cb4579c32ecb85afd520a0e9cba33

SHA512
34d1e446a0242bbba055f5b78d491663827c09014eb8071aa94e492ecc9b113324ba1907fc44eac6ff7fab61f0d79ca74027b20c399a363d4f84d0ba88578790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
438B

MD5
2066dc72ae2e61197381233d15ba066a

SHA1
268c85d13894f5651a23b671ce3f5b19f2fcc2bb

SHA256
ba0b4730bcd4815c2357341baa9928815cec1f45af46ca3331808ee5cde1a4c7

SHA512
9852e1386bb9852a7da1efa13d9cb362b9d9f12deea8900882d62d9305b312c55b72edbf0bd1e78869206bd0a17454ff170109c697f2a1b26998a9a4bca0a86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
a6273e32111fd2e299568b4fdcf59ba5

SHA1
9099c16788c096647dedca1a4c751b4319f5d5aa

SHA256
fe9b2e5a05009485063754be0a8921395e3d9442a49e39faff4e25e4660156c3

SHA512
a2929d648889e90fe156dfe85eac49b29487ea21fd6b7e17b50ed02b2d6f412966e56b052642ca37c1e8f67009b850996036b46fb3d785f4feffa208114a2118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2b590078018dcf7a7211d9f7e32e6d0

SHA1
dc2605bc061b1114f2569c1f0c64f3655b5f379d

SHA256
b137582182edf0217b07fe556b301511b6733e4570b21f3efe48b7d6cc8f4768

SHA512
8fbc1c6e1b13a4189d02fb5f16338dbc1a93f49af3ea1d20792c1df13aafd2f9b2f06fbd92cee5ee64e1c1ce9d5d009fe7bc8b5abe17bf2690e095bd68d07f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
632a8f1836f6548edeba36cd61254f3a

SHA1
4972d652412d3f2320424d8ab196a6c86fc89296

SHA256
75f9dde3d10f46ffefa997e4c2a1c3f105501e8fe62c14050cb69ae30bebe218

SHA512
3c20162cb008dd60528ee62340bc5e2f73520d5251a6d54217c945cd42a27ea0b5dbb22582ef38dea40e61fce5eee39bf34a126130b1b829e88c00639de1635d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f688709fd923785d0c9ecbe4f4dfe23

SHA1
7acc2b4516e9ef460995367f27e31fecbcac3476

SHA256
0a22755ec62ad41929494ba508ea7f9e1fd7080bba16f9b8f0f32640b8860c4c

SHA512
03eaa86e1211768dd1d2b9df59a659b132c377d7893c8cc95f366d24b9d2b3e97f8ffbe56bf4425aa15dad7be2b2ac2dfccd355ea5f8973d3d0097f7b5f04549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b391e3d6b49e3b2db19d4b6bebc41c3

SHA1
4cfa8ccd83e8ae5622db547a835eb090baa2d81c

SHA256
9e68a41e4445da7300dadd50d8163011f2b98fb298b6717107267c91e35aa7fc

SHA512
4ffde8db36c25d1ec7f22e1605326635acda357910e0a6612cd97e2a6b0db149eb498fe4f78d04babf0b1c9b4654df02fe907de115a5bdb236a882a007da8359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
81db57567ef0b74b13a8ece19074aaff

SHA1
12264e68feff10271448cc4b2bb7c398bfaeaa6f

SHA256
9149b7d69d645da30b2e8f6ec81f7c51b6f9b4e1f74f8a62577c51aa9d297e80

SHA512
af0353baa7cf4894cbde8402de6d24ed8125b3b69b028f2b2b17536151339a70a465ce872a79ca87baa5de8f209b7bf4b2e31b0798842d0371423b99cd664b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
512a71d40b90aa96a620e93fc6598186

SHA1
24687270ca56bc6b4cbc491bae5f038766b94cb3

SHA256
715a6319f3154eb886796b9b5f28a88656784ced1f1415d79b8802c57506d151

SHA512
150d073fbcd1c12af27c3ec967a6096988ab10ec34a5fe25642cd5faf8797c1f083a84f3a352282dd04283c8a1e56def2604746de55672c43af2b012edb8d3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8f0bf90e3a1312991debe68a59ca3656

SHA1
798a7546c7cfb3b11968adf58346b2577c4b2cfa

SHA256
1edb616b9486dacd3affc62703b328dc87249b5fb04a9238c1898cd188fa0bc4

SHA512
d039eea91b8f5dd08b54261720c5dcf9f51924cf3d9835ac1c6595601be8fe9a746bc5cf752992c6b4774ecc461a7bec4edbca5a98e1ad1349e6445f71bd0335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4aa7dc71808dcfe2c13a08a2844bc0b7

SHA1
d5452d7ac5d91fcfa0dd84012c1c54fe605fbeea

SHA256
a49c4d2ffc814375f461b8fc669df3c4e411164dadaa87f17818a15c05331edc

SHA512
46ae16cd71f4b9c9f9392811970233df40df3f25308b3b0a6413bf60f4e5821b26667654ad4f16f477e35a7975fec40309690f4b9558659b4d0864bc897526fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586107.TMP

Filesize
370B

MD5
4b93e3a20ca65c5d9efe3e0f0ef00d0b

SHA1
8d285a586ead576061134c65b05809bdc75b3883

SHA256
0ccd0c180e5fb3f3e12f31355053e20bf0a71bb97d83513b152a51e7bfb680f4

SHA512
5ac9f2d995f48dab32851ed5066a23aa8370d49d3efde4e68954cdd915576183fb3660bb602b68ab406a6829c14598056fbe0519e9deb1f7813556c0801c54f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb1e3befbd51e0f7150210afd435fc93

SHA1
aebdb51be1d0b7bed0b396e3c097d74587719ee3

SHA256
139fdf5ac87b2545fe85672752321a841435a56455f75101f2a3fa9b20ece56b

SHA512
d34526de162a683088c898f06cbc49f773c4253868c32d74fbace689538d3706e89b082ff132b1e413fb5d3863f6bcf4cf631f2c4784c229e113e38f652552d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
32ba5dbf670e4d4e1b348dec9fc9b846

SHA1
1b9bb93e40e35ad1268db5751003be7c9925178b

SHA256
ff4ca56310575385417c10f9f605af816deab42af6f70f56186c9abf79bea1be

SHA512
6e39521e044169ff70317a275da54cdbc2f9d568ee686b09fa9f7f2a2946f89511b461ba085c24366481cfe2fb78d6252ccfe26452753327bccbaaef33424a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79cffb17a6f73305973edd05a0986880

SHA1
1ea2ff68021516edd289078980fc487ef1d36873

SHA256
e6ba9448ff950fc0a922b6d0c550e1b3560902ac05f524047143f56baab8f9cf

SHA512
4f5fa1db9558e71a6dc63950c14b7e55f67126f81621fe6724abc6e160e595da095eec6d9b894af433dca45269557a5b198324b07648122af65d4a8451e79797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
53c7765298c390d682fdb86f5ec30b1c

SHA1
cd2b8f33ee8277bf7bbc1ab6813d9ef279f2ca11

SHA256
8d226348c5b4ca238b6d80bc3c4f31db1ecad767b818ddecefbcd9e0031bf0ec

SHA512
72b6c17a1f2220ee7f0ab92669a47cb505cf6c24b3a90129a14ed106e4f1949f283bdf8f5347e2373092a4b279eb8a9e94cdbeaebcf665bd38fdae692cfd5263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c41224ab6e2a713aff7b0128890716be

SHA1
b3525f9c3f583284b084fb88ae14a803fad84e04

SHA256
ee0f2a4ee399ef57c54d83bd611d11fb22ce2edc405db819a2a371b8a5192fd2

SHA512
25c71ac3f2ee6b0ccadd7549b7d8a42a964d0305d8758dfae53ce78eeaf52432380715ff545d95645e0e00d3b3b6c678f17eb16b2e9606d64988ffde82dfbc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrzedeep.5fp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 991709.crdownload

Filesize
229KB

MD5
903a43a344098ea8485f1c46078505c4

SHA1
99202529ef3103d4610625fa073162f85e5be09a

SHA256
8862c3c16e1c50a1045684ef63023fe1c7846a2bcfd2f490da6669b8cc38607c

SHA512
c3b63a70265f40c30b0c9d452d37a7685b043efc728f94616d1edaf4952f11db2e2999a962e9bf4cc0c909f941621f7e192c3148663bce6b97124f1cee0588ff

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1892-135-0x0000023612BF0000-0x0000023612C12000-memory.dmp

Filesize
136KB

Download
memory/2112-129-0x0000027CC1160000-0x0000027CC11A0000-memory.dmp

Filesize
256KB

Download
memory/2112-199-0x0000027CC2E90000-0x0000027CC2EA2000-memory.dmp

Filesize
72KB

Download
memory/2112-198-0x0000027CC2E60000-0x0000027CC2E6A000-memory.dmp

Filesize
40KB

Download
memory/2112-162-0x0000027CC1620000-0x0000027CC163E000-memory.dmp

Filesize
120KB

Download
memory/2112-160-0x0000027CC2E00000-0x0000027CC2E50000-memory.dmp

Filesize
320KB

Download
memory/2112-158-0x0000027CDB7C0000-0x0000027CDB836000-memory.dmp

Filesize
472KB

Download