cerber | 2166d772e82772104d208ec9bf6ee32f878c0af766b14606eb0861a9947e78d1

Analysis

max time kernel
242s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 13:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

temp.exe
Size

13.8MB
MD5

7ca7039579e44b8764788ae3d1b92060
SHA1

0aaf9b691b1446ecb5d141318126ec45cc270116
SHA256

2166d772e82772104d208ec9bf6ee32f878c0af766b14606eb0861a9947e78d1
SHA512

99f711f1ae9771886d94e6419590522b916a50e6cfd614c34beb9e04d46cadcb374fc71aeaaec5af681d675e5efd21de159a22407e8bdde9a505ee6383c3943d
SSDEEP

393216:R7Db0jzEGZXIo5IAqBWeDbvFjCPcTB41HHg:RDbNCTJiv9CPKBog

Score

10^/10

cerber discovery persistence privilege_escalation ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3308	taskkill.exe
		5644	taskkill.exe
		3296	taskkill.exe
		5452	taskkill.exe
		3408	taskkill.exe
		5004	taskkill.exe
		468	taskkill.exe
		1660	taskkill.exe
		5572	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3700	taskkill.exe
		6120	taskkill.exe
		3536	taskkill.exe
		6076	taskkill.exe
		700	taskkill.exe
		4840	taskkill.exe
		5092	taskkill.exe
		5288	taskkill.exe
		4704	taskkill.exe
		3808	taskkill.exe
		3696	taskkill.exe
		376	taskkill.exe
		1204	taskkill.exe
		4760	taskkill.exe
		3776	taskkill.exe
		1376	taskkill.exe
		2520	taskkill.exe
		3128	taskkill.exe
		5584	taskkill.exe
		6032	taskkill.exe
		5616	taskkill.exe
		5040	taskkill.exe
		3316	taskkill.exe
		3688	taskkill.exe
		4816	taskkill.exe
		2164	taskkill.exe
		5432	taskkill.exe
		2312	taskkill.exe
		1788	taskkill.exe
		3964	taskkill.exe
		5340	taskkill.exe
		4464	taskkill.exe
		2216	taskkill.exe
		3716	taskkill.exe
		2640	taskkill.exe
		5664	taskkill.exe
		3992	taskkill.exe
		2272	taskkill.exe
		2188	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3516	taskkill.exe
		5940	taskkill.exe
		4352	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4628	taskkill.exe
		64	taskkill.exe
		4244	taskkill.exe
		5892	taskkill.exe
		1300	taskkill.exe
		5708	taskkill.exe
		1424	taskkill.exe
		5732	taskkill.exe

Executes dropped EXE 5 IoCs

pid	Process
5884	AMIDEWINx64.EXE
6044	AMIDEWINx64.EXE
1148	AMIDEWINx64.EXE
6068	AMIDEWINx64.EXE
6112	AMIDEWINx64.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2484	temp.exe
2484	temp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IME\amifldrv64.sys	temp.exe
File created	C:\Windows\IME\amigendrv64.sys	temp.exe
File created	C:\Windows\IME\AMIDEWINx64.EXE	temp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5692	cmd.exe
5880	cmd.exe
5928	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
376	taskkill.exe
3516	taskkill.exe
2188	taskkill.exe
2520	taskkill.exe
5572	taskkill.exe
6120	taskkill.exe
3308	taskkill.exe
5676	taskkill.exe
1660	taskkill.exe
4704	taskkill.exe
5616	taskkill.exe
1376	taskkill.exe
64	taskkill.exe
5092	taskkill.exe
5452	taskkill.exe
3408	taskkill.exe
3064	taskkill.exe
5940	taskkill.exe
2164	taskkill.exe
5584	taskkill.exe
5732	taskkill.exe
4760	taskkill.exe
5432	taskkill.exe
3992	taskkill.exe
3808	taskkill.exe
4840	taskkill.exe
5892	taskkill.exe
4816	taskkill.exe
3408	taskkill.exe
3296	taskkill.exe
2640	taskkill.exe
5984	taskkill.exe
1756	taskkill.exe
700	taskkill.exe
3776	taskkill.exe
3316	taskkill.exe
3688	taskkill.exe
5340	taskkill.exe
5644	taskkill.exe
4352	taskkill.exe
3128	taskkill.exe
3684	taskkill.exe
4464	taskkill.exe
5040	taskkill.exe
1788	taskkill.exe
3700	taskkill.exe
2272	taskkill.exe
5664	taskkill.exe
3964	taskkill.exe
1204	taskkill.exe
1300	taskkill.exe
4628	taskkill.exe
6032	taskkill.exe
3536	taskkill.exe
468	taskkill.exe
2216	taskkill.exe
1424	taskkill.exe
844	taskkill.exe
5708	taskkill.exe
6076	taskkill.exe
5288	taskkill.exe
2312	taskkill.exe
3696	taskkill.exe
3716	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{17CD6561-E528-4DAC-8DCB-AD6A9C9FCD23}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2484	temp.exe
2484	temp.exe
208	msedge.exe
208	msedge.exe
768	msedge.exe
768	msedge.exe
1924	msedge.exe
1924	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: 33	1876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1876	AUDIODG.EXE
Token: SeDebugPrivilege	5432	taskkill.exe
Token: SeDebugPrivilege	5572	taskkill.exe
Token: SeDebugPrivilege	5616	taskkill.exe
Token: SeDebugPrivilege	5664	taskkill.exe
Token: SeDebugPrivilege	5708	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5940	taskkill.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeDebugPrivilege	6032	taskkill.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeDebugPrivilege	4816	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	5584	taskkill.exe
Token: SeDebugPrivilege	5644	taskkill.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
3880	osk.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
3880	osk.exe
5916	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4112	2484	temp.exe	89
PID 2484 wrote to memory of 4112	2484	temp.exe	89
PID 2484 wrote to memory of 3544	2484	temp.exe	90
PID 2484 wrote to memory of 3544	2484	temp.exe	90
PID 2484 wrote to memory of 1780	2484	temp.exe	93
PID 2484 wrote to memory of 1780	2484	temp.exe	93
PID 2484 wrote to memory of 2244	2484	temp.exe	94
PID 2484 wrote to memory of 2244	2484	temp.exe	94
PID 2244 wrote to memory of 3408	2244	cmd.exe	95
PID 2244 wrote to memory of 3408	2244	cmd.exe	95
PID 2484 wrote to memory of 3508	2484	temp.exe	97
PID 2484 wrote to memory of 3508	2484	temp.exe	97
PID 3508 wrote to memory of 1376	3508	cmd.exe	98
PID 3508 wrote to memory of 1376	3508	cmd.exe	98
PID 2484 wrote to memory of 4772	2484	temp.exe	99
PID 2484 wrote to memory of 4772	2484	temp.exe	99
PID 4772 wrote to memory of 4352	4772	cmd.exe	100
PID 4772 wrote to memory of 4352	4772	cmd.exe	100
PID 2484 wrote to memory of 4984	2484	temp.exe	101
PID 2484 wrote to memory of 4984	2484	temp.exe	101
PID 4984 wrote to memory of 468	4984	cmd.exe	102
PID 4984 wrote to memory of 468	4984	cmd.exe	102
PID 2484 wrote to memory of 5044	2484	temp.exe	103
PID 2484 wrote to memory of 5044	2484	temp.exe	103
PID 5044 wrote to memory of 2216	5044	cmd.exe	104
PID 5044 wrote to memory of 2216	5044	cmd.exe	104
PID 2484 wrote to memory of 1876	2484	temp.exe	106
PID 2484 wrote to memory of 1876	2484	temp.exe	106
PID 1876 wrote to memory of 3128	1876	cmd.exe	107
PID 1876 wrote to memory of 3128	1876	cmd.exe	107
PID 2484 wrote to memory of 4056	2484	temp.exe	108
PID 2484 wrote to memory of 4056	2484	temp.exe	108
PID 4056 wrote to memory of 1788	4056	cmd.exe	109
PID 4056 wrote to memory of 1788	4056	cmd.exe	109
PID 2484 wrote to memory of 3000	2484	temp.exe	110
PID 2484 wrote to memory of 3000	2484	temp.exe	110
PID 3000 wrote to memory of 4840	3000	cmd.exe	111
PID 3000 wrote to memory of 4840	3000	cmd.exe	111
PID 2484 wrote to memory of 3820	2484	temp.exe	112
PID 2484 wrote to memory of 3820	2484	temp.exe	112
PID 3820 wrote to memory of 376	3820	cmd.exe	113
PID 3820 wrote to memory of 376	3820	cmd.exe	113
PID 2484 wrote to memory of 4552	2484	temp.exe	114
PID 2484 wrote to memory of 4552	2484	temp.exe	114
PID 4552 wrote to memory of 1204	4552	cmd.exe	115
PID 4552 wrote to memory of 1204	4552	cmd.exe	115
PID 2484 wrote to memory of 4964	2484	temp.exe	116
PID 2484 wrote to memory of 4964	2484	temp.exe	116
PID 4964 wrote to memory of 1660	4964	cmd.exe	117
PID 4964 wrote to memory of 1660	4964	cmd.exe	117
PID 2484 wrote to memory of 4188	2484	temp.exe	118
PID 2484 wrote to memory of 4188	2484	temp.exe	118
PID 4188 wrote to memory of 1424	4188	cmd.exe	119
PID 4188 wrote to memory of 1424	4188	cmd.exe	119
PID 2484 wrote to memory of 2940	2484	temp.exe	120
PID 2484 wrote to memory of 2940	2484	temp.exe	120
PID 2940 wrote to memory of 3776	2940	cmd.exe	121
PID 2940 wrote to memory of 3776	2940	cmd.exe	121
PID 2484 wrote to memory of 928	2484	temp.exe	122
PID 2484 wrote to memory of 928	2484	temp.exe	122
PID 928 wrote to memory of 2164	928	cmd.exe	123
PID 928 wrote to memory of 2164	928	cmd.exe	123
PID 2484 wrote to memory of 1588	2484	temp.exe	124
PID 2484 wrote to memory of 1588	2484	temp.exe	124

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 06
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:5068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4816
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/badware
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb295d46f8,0x7ffb295d4708,0x7ffb295d4718
      4⤵
      PID:2164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
      4⤵
      PID:2876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
      4⤵
      PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4492 /prefetch:8
      4⤵
      PID:2548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4124 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:1924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
      4⤵
      PID:5736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
      4⤵
      PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
      4⤵
      PID:5200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,50946961469071605,4741873446017930167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:6060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con: cols=69 lines=18
  2⤵
  PID:1264
- - C:\Windows\system32\mode.com
    mode con: cols=69 lines=18
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/badware
    3⤵
    PID:632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb295d46f8,0x7ffb295d4708,0x7ffb295d4718
      4⤵
      PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe >nul 2>&1
  2⤵
  PID:5416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  PID:5548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe >nul 2>&1
  2⤵
  PID:5604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamservice.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
  2⤵
  PID:5648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul 2>&1
  2⤵
  PID:5972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im UnrealCEFSubProcess.exe >nul 2>&1
  2⤵
  PID:6016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CEFProcess.exe >nul 2>&1
  2⤵
  PID:6060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul 2>&1
  2⤵
  PID:6104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe >nul 2>&1
  2⤵
  PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe >nul 2>&1
  2⤵
  PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe >nul 2>&1
  2⤵
  PID:5212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im smartscreen.exe >nul 2>&1
  2⤵
  PID:4592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im smartscreen.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im dnf.exe >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnf.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im DNF.exe >nul 2>&1
  2⤵
  PID:5280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DNF.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CrossProxy.exe >nul 2>&1
  2⤵
  PID:5324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CrossProxy.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BackgroundDownloader.exe >nul 2>&1
  2⤵
  PID:1324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BackgroundDownloader.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im TXPlatform.exe >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TXPlatform.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelperService.exe >nul 2>&1
  2⤵
  PID:5448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelperService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe >nul 2>&1
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginClientService.exe >nul 2>&1
  2⤵
  PID:3860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginClientService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginER.exe >nul 2>&1
  2⤵
  PID:1196
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginER.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginThinSetupInternal.exe >nul 2>&1
  2⤵
  PID:3524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginThinSetupInternal.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginLegacyCLI.exe >nul 2>&1
  2⤵
  PID:5416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginLegacyCLI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Agent.exe >nul 2>&1
  2⤵
  PID:3956
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Agent.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM.exe >nul 2>&1
  2⤵
  PID:5552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSLauncher.exe >nul 2>&1
  2⤵
  PID:5612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSLauncher.exe
    3⤵
    - Kills process with taskkill
    PID:5676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSService.exe >nul 2>&1
  2⤵
  PID:5652
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:5904
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SS 10914148-87930905-1522930389
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /BS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:5976
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /BS 10914148-87930905-1522930389
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /CS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:6028
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /CS 1091710897-1874322201-255441548
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /PSN %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:6096
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /PSN 1091710897-1874322201-255441548
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:6124
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:6112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe C: 5120-2899
  2⤵
  PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe D: 2677-8147
  2⤵
  PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe E: 8471-6832
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe F: 5769-7959
  2⤵
  PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r
  2⤵
  PID:4952
- - C:\Windows\system32\shutdown.exe
    shutdown /r
    3⤵
    PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ab855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
f8dd3396277c8c2dbda5641986db31de

SHA1
02cfebfb1304e0c3e3e9361a2840f3defb7f3d90

SHA256
01ce03f6d1f0d25350d0f29f1fe91f76cda5a8f7e4a47f88cdc4aa4f9ee8cbf3

SHA512
d7f6457831d8d7424d0e16e849756bcdb8bc869a8291dd4993b665fe34a4310c3bc86e21f174cce6448a8e67268e15e644ac288d033126f2e129884efc1a1663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
a9add6cfa17e83ce4f862fec23f37c54

SHA1
e6191760dff1f3f4be4e925c11d2f08b41bf5767

SHA256
d1550b89cbc75ebfb802777f8efe2bb7df068d1f417002113bbca44fda91fd71

SHA512
b5199972f10a3b06f56284cbe97c8d7329cb9c81cfea3e34568c56c3388c841e503a89403033ef47bbdeaaa18fb8d18b3f40f517fd056a39be5d8a352b582315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
323B

MD5
a5a1149047729a493b1a2a65063c39ba

SHA1
8f1f45cb0c0772dcd05795734cbf408636fb9fb9

SHA256
e0ef1f906ea2606c802310437fe799d93e073770ab6549060ee4b9c9c49f2006

SHA512
8ce257a087115e2d542657a2b4679d0c100ebdec76e3392cff1bbba133e129f2fcdbd73f9baab92e762bef47a2572d3dc8553fa3858d787d2a0b2bf8f05dc54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7b9e2b7c1ee2bec8dab9c77642ec4c6

SHA1
8a9eef48a89769c2caa0dc4dc2c7de5559b0ccb7

SHA256
aace55e5783433a9c3e25eafc246d06fe4808cd6e4ab202a5da02244599ef073

SHA512
13a0a698eb2364cffeb86fe317e60df580807485ef3b9f0c2a1d6c2c6b66edcd727d80609dbbd0ffb388658872d83ac6bf601a36972a81330b66763293b1afa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e1659d1de1e4848a3e42d3d3fdb60d0

SHA1
6021bbd3f8eb7d18e6e220c4939809f77f2e0430

SHA256
c615e05469fdc443f6b2da0041ecc1c61d11ccd24c9abdeb98c7165dd0937256

SHA512
ec9a83655789dfe4de519eb04c33ae61db24d2945f0dd639cfaa5667459fd78a062e029dc49bfcc50b84961bc0d1a5031d7d509c92e0f83703e783517ad67bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b2859ab277ee1d72b74303301f21032

SHA1
3c507771454424b54dceaf493673670a18389c67

SHA256
5147b6b603c09450d1a89ef912694d67206ce95dd3c7ff25da581e2e4aa69cca

SHA512
5eaf19676c5dfb4464d7c9b0e1c439cec74794412f6e3b8124a4b26cdf01f1821f2cd73142040e171325c298431bdf1bcdd88b855eb95692b8c571d1b45dc00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
f2fad939c5b8260193b3a6f13131b5dc

SHA1
37141ef0425972fe09a4cf288c9cfea9c1decce7

SHA256
f210f2f20325c1a110f3a791c5635b4e8491b830b7f09eeda06ed98d55ab5d99

SHA512
0bbc8be7707fb418c2182442bfc7c1ca7ea62559fa9e430d899e878a40ab391fa1960d1999d7ea81114a2398f0558e04c54e636ae7899524ccf6bec9701aac15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
e96a7ca51b75d91df5700fb116eb1d3c

SHA1
2ad1ed923d9edb1bfe7bf72fc4642a56953f88f8

SHA256
8c5c7e0ec779311b74f643d62af30c391759d25e066b7f4833c2526ac5b4e85a

SHA512
8be78d86182c015e4d38b70b42d76b66eb0d63782f14fae81d9f68a34796a3943398d54658ea866827c19c5c3fc755bbf59006482a2e1daa46d820d8497a0f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5828a1.TMP

Filesize
370B

MD5
87041f604b198ed8f76681b883122a28

SHA1
ad02cca70348904deb41ab9f78788457c1f6f3c5

SHA256
1466717fd6d0f0eb70f1b19912af3ed5aeb7c58fcbe1efee995dfe74fa314ce5

SHA512
cc71e28d018e1acd49af824efb19d2b5f13fe3ef975981d3c1d4a50d09a79ac3acfc605e69b2f08f6694146c0d22ae319b93e77d517a39ce176ef6fb518dee97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a1e85012977486c1aa6220251935cda

SHA1
7fb9e4f9c5ff2b2bcfb967a88b2d7d29978330c7

SHA256
b965bb6cd2f154ff04f3b321f6f7d6074d3f4f5a58e994ba8e07c8c454f93970

SHA512
e1943c4080163495f56d606dd17307d1cdc4b4e2955c943fe15b94fbf873e8f854068d38904b417ca1ccc05c327a550aeaf602414f927eb0277fcbd30b5f9b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5bd1fb383778ab4d5f8e5477f89ce6b

SHA1
9740b0a536c87320b0b732656333fb938588b831

SHA256
e888fc1705bc1f9914200a85d429c2500dee547b98c044a495ac64474f73b568

SHA512
401a14703804399e2668ed45fea0d22f5226526011645f2f685cc35078c2ccfe901a4fb99d9d010158273b0d3eb54b5f84915f1d5102d2fd91f3d11875d9f017

Download Submit
C:\Windows\IME\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
memory/2484-0-0x00000001404D4000-0x0000000140C19000-memory.dmp

Filesize
7.3MB

Download
memory/2484-12-0x00000001404D4000-0x0000000140C19000-memory.dmp

Filesize
7.3MB

Download
memory/2484-2-0x0000000140000000-0x00000001419DD000-memory.dmp

Filesize
25.9MB

Download
memory/2484-1-0x00007FFB48010000-0x00007FFB48012000-memory.dmp

Filesize
8KB

Download