redline | 4da0960fc325f6f271c3730e8e80c53840848a55b0a0216b205d1f7f65760860

Analysis

max time kernel
168s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000022e21-53.exe
Size

31KB
MD5

1351208118e7c3a0c6350cf065d54a4e
SHA1

875f04cbe186688619f1e51c3a7d0ee1f9458481
SHA256

4da0960fc325f6f271c3730e8e80c53840848a55b0a0216b205d1f7f65760860
SHA512

a304ffe35981a2ceda249392a465ef67adbf36ab30962df063dcfc96a96c63e6caa935ecdb1f1cb544d1a6f6550c25d14d3a60e6ab67f7e2782cc7402b55bfb9
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score

10^/10

redline smokeloader grome backdoor infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AAE4.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\AAE4.exe	family_redline
behavioral2/memory/2544-542-0x00000000006E0000-0x000000000071E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes itself 1 IoCs

Processes:

pid process

3264
Executes dropped EXE 8 IoCs

Processes:

A544.exeA8B1.exeAAE4.exeNQ5nb1oN.exeNV8Xx7QN.exeAw2sF3aQ.exeLx8ig1ba.exe1Hs14UK0.exe

pid process

3348 A544.exe
3596 A8B1.exe
2544 AAE4.exe
5652 NQ5nb1oN.exe
3576 NV8Xx7QN.exe
1316 Aw2sF3aQ.exe
1564 Lx8ig1ba.exe
2972 1Hs14UK0.exe

pid	process
3264

pid	process
3348	A544.exe
3596	A8B1.exe
2544	AAE4.exe
5652	NQ5nb1oN.exe
3576	NV8Xx7QN.exe
1316	Aw2sF3aQ.exe
1564	Lx8ig1ba.exe
2972	1Hs14UK0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NV8Xx7QN.exeAw2sF3aQ.exeLx8ig1ba.exeA544.exeNQ5nb1oN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NV8Xx7QN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Aw2sF3aQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Lx8ig1ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	A544.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NQ5nb1oN.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Hs14UK0.exe

description pid process target process

PID 2972 set thread context of 1136 2972 1Hs14UK0.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6124 2972 WerFault.exe 1Hs14UK0.exe
5704 1136 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2972 set thread context of 1136	2972	1Hs14UK0.exe	AppLaunch.exe

pid	pid_target	process	target process
6124	2972	WerFault.exe	1Hs14UK0.exe
5704	1136	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0x0006000000022e21-53.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e21-53.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e21-53.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e21-53.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x0006000000022e21-53.exe

pid	process
2740	0x0006000000022e21-53.exe
2740	0x0006000000022e21-53.exe
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264
3264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3264
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0x0006000000022e21-53.exe

pid process

2740 0x0006000000022e21-53.exe

pid	process
3264

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264
Token: SeShutdownPrivilege	3264
Token: SeCreatePagefilePrivilege	3264

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3264 wrote to memory of 3348	3264		A544.exe
PID 3264 wrote to memory of 3348	3264		A544.exe
PID 3264 wrote to memory of 3348	3264		A544.exe
PID 3264 wrote to memory of 3168	3264		cmd.exe
PID 3264 wrote to memory of 3168	3264		cmd.exe
PID 3264 wrote to memory of 3596	3264		A8B1.exe
PID 3264 wrote to memory of 3596	3264		A8B1.exe
PID 3264 wrote to memory of 3596	3264		A8B1.exe
PID 3264 wrote to memory of 2544	3264		AAE4.exe
PID 3264 wrote to memory of 2544	3264		AAE4.exe
PID 3264 wrote to memory of 2544	3264		AAE4.exe
PID 3168 wrote to memory of 4132	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 4132	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 1104	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 1104	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 1712	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 1712	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 2756	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 2756	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 2164	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 2164	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 3996	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 3996	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 4396	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 4396	3168	cmd.exe	msedge.exe
PID 1104 wrote to memory of 1688	1104	msedge.exe	msedge.exe
PID 1104 wrote to memory of 1688	1104	msedge.exe	msedge.exe
PID 2164 wrote to memory of 3468	2164	msedge.exe	msedge.exe
PID 2164 wrote to memory of 3468	2164	msedge.exe	msedge.exe
PID 4396 wrote to memory of 4608	4396	msedge.exe	msedge.exe
PID 4396 wrote to memory of 4608	4396	msedge.exe	msedge.exe
PID 3996 wrote to memory of 3916	3996	msedge.exe	msedge.exe
PID 3996 wrote to memory of 3916	3996	msedge.exe	msedge.exe
PID 1712 wrote to memory of 2652	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 2652	1712	msedge.exe	msedge.exe
PID 2756 wrote to memory of 3008	2756	msedge.exe	msedge.exe
PID 2756 wrote to memory of 3008	2756	msedge.exe	msedge.exe
PID 3168 wrote to memory of 4992	3168	cmd.exe	msedge.exe
PID 3168 wrote to memory of 4992	3168	cmd.exe	msedge.exe
PID 4992 wrote to memory of 3588	4992	msedge.exe	msedge.exe
PID 4992 wrote to memory of 3588	4992	msedge.exe	msedge.exe
PID 4132 wrote to memory of 2188	4132	msedge.exe	msedge.exe
PID 4132 wrote to memory of 2188	4132	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe
PID 1712 wrote to memory of 5256	1712	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x0006000000022e21-53.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000022e21-53.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2740

C:\Users\Admin\AppData\Local\Temp\A544.exe
C:\Users\Admin\AppData\Local\Temp\A544.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ5nb1oN.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ5nb1oN.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5652

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NV8Xx7QN.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NV8Xx7QN.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aw2sF3aQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Aw2sF3aQ.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lx8ig1ba.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lx8ig1ba.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Hs14UK0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Hs14UK0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 540
8⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 592
7⤵
- Program crash
PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7A6.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10689059842390119906,7671739687745580199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10689059842390119906,7671739687745580199,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
3⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
3⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
3⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
3⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
3⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
3⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
3⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
3⤵
PID:6500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
3⤵
PID:6512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
3⤵
PID:6592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
3⤵
PID:6688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
3⤵
PID:6908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
3⤵
PID:7156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
3⤵
PID:7136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
3⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
3⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
3⤵
PID:6340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
3⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
3⤵
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
3⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,9566309635289429700,4378181944342842269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
3⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10725059398240631416,3035299892641884172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10725059398240631416,3035299892641884172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
3⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x80,0x104,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,11487541581580211652,15029083326889755538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
3⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,11487541581580211652,15029083326889755538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
3⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,35482978196217472,6875808581037301968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
3⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,35482978196217472,6875808581037301968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
3⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6438364148096692821,13328572582191878029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
3⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6438364148096692821,13328572582191878029,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
3⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d63b46f8,0x7ff9d63b4708,0x7ff9d63b4718
3⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3064948045716827426,17722193791252768450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
3⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3064948045716827426,17722193791252768450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
3⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\A8B1.exe
C:\Users\Admin\AppData\Local\Temp\A8B1.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Local\Temp\AAE4.exe
C:\Users\Admin\AppData\Local\Temp\AAE4.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2972 -ip 2972
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1136 -ip 1136
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2e0f83b0-b478-438e-93c3-8dc2b6cdb96e.tmp
Filesize
10KB

MD5
53561453af2094a18a32df07b972e414

SHA1
ab67412f1a853a1be79371c513da2aa234b85431

SHA256
a09661a09e97a6f2b0faba3b780b66aff41b804b459ec32898717ec47800c2b3

SHA512
44e277566b819316f2a6bfc8723fcad0db6f7fcfd4bc12da8a7ae0f40d88d89cc181392c7801ce36ff0871afc62d77b6cf0748ed2282b5fdce2aa62f7f945c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3c50f965-d0d7-4cef-a880-63bfb55a0531.tmp
Filesize
2KB

MD5
e4622a81f5b524caff759b2dc4d5a484

SHA1
e7e15329ebd8dbb235497042401d103941379408

SHA256
855c628aad83ab9db33806e0454e1b55ddfc0df844236ca8b2a09b2c7679cb6b

SHA512
8ddd3311ec850806bfbaac9175ca2553981d6e71a9abdcd80887e4f09b8aadf2edae1182e803d8b927bb48fc548270ab2199a3989f51d9721f97418185e24813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
d579fd65d7649bb3f45d4d3b04c47a48

SHA1
ae40895a545fa3fb11297829e6741b064b8a5d88

SHA256
f16a3cd544d4e0d30d5822e428255d05d6f4317d007866370977b80c0524c9b4

SHA512
92ab699bfddec15487aef88ee346bcff1348a68d1e6a86d7d97e8e973ac028fe05a4d0204af639221d2b7f6b7aac962110b029aa68218470122928da7b961d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
bb401e0ab18985510da29b02b2af64ae

SHA1
ed7fa0c095aaf68f0d3f47cae8657337cbdc8e58

SHA256
2225e4b6340021387cd8338d7be28a6d90c9ae0e7aeef54a89c2beff008927bf

SHA512
510c54a2907666a072db0b2cdbb462947c3245f1affd24973c5e0da9af0daf56ecc4a8c8ba90036415be2f17a89da530aac4258a5739156e72f83950c9fdb323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
663eea430761ef9ddf3f2977b9f0ef3b

SHA1
9c4f3b346520e5de404486b2d49f67521e60f99d

SHA256
ceb2353c75c76c83feeb693200bc37f38b466a86c78cdd568f83c867544f8a45

SHA512
ed3b5479bd51bc7b5176576d32f43c1db050e7c7cb32386c17ea10a17f994feed6fe7d4ff14e631d535de151b3f9bd62fed391b6da6c85b6f70e09f4592f9155

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
99c278765502d61a4a484db481cb230d

SHA1
1bde2a5848fe81b36bc8aed29df9768868bc337a

SHA256
04170eb6cae68f5e8563d6f71cc44797d16b70d73fdf6ae8be93fe6a12083f62

SHA512
21988fe3673b484d80b40c835cf52dd2d0bb3ebda371c9258d865f32407ff65aae326f0c31f3e6306df10abc4fe7abae1715613c93a992fe6782f0410b6f0603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
2b1c397731f9dc1230ebe5bff4c1388a

SHA1
989558cb7f1a759e0bb78d5ac76305e1b1c04829

SHA256
78bd1dd440382cfad941b098c579bce56c8267ffc0aee2f49a237c8d2a16993a

SHA512
20e6869c06628af2ff75a7736c7ed205d2d87856b4587d34786de981629b1af92154487fcfb519966acef81f9272d76985a6110a6a68922c733a1151f4baf9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
5685dfe8fd5199a23c2387f80a56b9c3

SHA1
9047fe41755c7d3cbefdf82df912822344246d23

SHA256
0a1b09d6d0fcd5713de64c35838b5d4512da41e228009ea4fa9f59a0ca990f3d

SHA512
cbcef72c657aa02e540979d030212a64aefd9027497c1153836c4027704ff2f0c7c39ec89b400e65cdf621779208f1e5118d69593239c4264009c1bcbd7a7e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
e7797dbfeba0616a93f69fe8d68138a2

SHA1
d0ac583f27f1c1098b602f602165af34b67e1dba

SHA256
c6a98ff3b2d9b0d84a775184b9a50fae9a68649c49a3333eaf8bf4a888e49d4f

SHA512
1a70b2b7c52c445f0ee9b55d5e92b3262eaba97b5b0fe4c7bfbc86f4dd8969cb1b2ecd3590980739616101abb3cf81c5d39ddc2b7c29087b8d5ed75c5ee55249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
4a4de09ed3e03f617b48505e3609eb70

SHA1
72360deb5589c7b065d5788639be5bccf682c906

SHA256
60283c659cd6004035f2abf7a2ab8644cc4c6f8931e2c748dc624f9a7ff68133

SHA512
15508020c0a4537b8563bd3dbed4afa52d33a45270b49fe29c3e9a838dfeab1b7b7bd8a346c375b7aa4c77892b70862cea54adebc5bc207c088f8f8c25b3b823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a6478.TMP
Filesize
1KB

MD5
9f4ec658a58d7be328129e63971fb137

SHA1
a0a2bd32917d29c07281fb53d0fb92fa654a6780

SHA256
f93ae1d255057ed8d44fcdcda329fe2bc24cf37340b38e35cf1d7f355b762333

SHA512
e87e8d2463c384a1ab3a06534537d0b7fc74bebd21c64c51efa7aca1e1c1a5a16ce30c4baca8b6404d3decddf2cdaa1f476fee12802113eafcacf3df4e87e809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
70011f05a627dfbe2d89ad49510ce0a8

SHA1
655c95e54ff91577c50b67766bb27b0259690909

SHA256
7df3ca86c8f3fc46d07e139235a9de1eb1c9837bb37e9924aa376fa421ad2353

SHA512
bb610ad08767bcb6b963e464c82d643037a258f65b01589966f5c28eb82515e20e53b7e1919734c4f20506ec47fc0ebffed959d909e498a577b7a280b38908db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
70011f05a627dfbe2d89ad49510ce0a8

SHA1
655c95e54ff91577c50b67766bb27b0259690909

SHA256
7df3ca86c8f3fc46d07e139235a9de1eb1c9837bb37e9924aa376fa421ad2353

SHA512
bb610ad08767bcb6b963e464c82d643037a258f65b01589966f5c28eb82515e20e53b7e1919734c4f20506ec47fc0ebffed959d909e498a577b7a280b38908db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
356825a6faeb6eca2dafd1883b699c38

SHA1
36d707e1170114f3fb529bb2b34dd4e091d2c926

SHA256
c519115cd5efecf081f1f6f2313f429a5a3460f9750c5bc84352a6205f49015d

SHA512
eab8ee3dd766e64f37556e927bb5f1eddf752c492d236ff2bd821c21066e62fde6ae48798c9ac9ce5b8ebd39c68cf1dfc92fbc38398ab433fcfc3450c7793fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
356825a6faeb6eca2dafd1883b699c38

SHA1
36d707e1170114f3fb529bb2b34dd4e091d2c926

SHA256
c519115cd5efecf081f1f6f2313f429a5a3460f9750c5bc84352a6205f49015d

SHA512
eab8ee3dd766e64f37556e927bb5f1eddf752c492d236ff2bd821c21066e62fde6ae48798c9ac9ce5b8ebd39c68cf1dfc92fbc38398ab433fcfc3450c7793fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e4622a81f5b524caff759b2dc4d5a484

SHA1
e7e15329ebd8dbb235497042401d103941379408

SHA256
855c628aad83ab9db33806e0454e1b55ddfc0df844236ca8b2a09b2c7679cb6b

SHA512
8ddd3311ec850806bfbaac9175ca2553981d6e71a9abdcd80887e4f09b8aadf2edae1182e803d8b927bb48fc548270ab2199a3989f51d9721f97418185e24813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e90afa30ee2c9c802b5e823b746388b2

SHA1
cac7a25c467d8df624ae9284436827eefb24cc22

SHA256
88d65898e0300e0ef220ff3aa7a12981c85184d10ce3fb32c6206fdee04d5aae

SHA512
036a3bead24e0de40c2cfec1b67fde5a99d7d7aa027b50267b306360b44f23cc2fca01bb92fd9e093bf1233cf19c36c571fd2e301a1e2508b28944d358b1f493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
883371630560695611efad1c12042246

SHA1
b19eea09fdf66f6e7225376eab0a317ba6650463

SHA256
14d374c57415e31ac9ee20ef82e8a02b2f18938983a881a0cd5f09fa6045ad2d

SHA512
3c55a657cb18cfc101fb80ff2784e5889b8b0074de67519e01b0c4b622ca80d766bf86284d4b300bc42716cd79faf65bd38ca177599a20f667fd7a0736c49bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
f18d4c58b887034bdedb8b1cdfcf6725

SHA1
0b69088c6dd7184b284f527ef0aad1801089cd8a

SHA256
c07a1487a8c06e35dfe25b2b9fe7156c5dd066d7cef9dd1f8e2796435e788583

SHA512
f594c726a8c6364bbf41b5581e6afb400750bb739d447b1a043391d5534c68f56db5381e80cffd1da4e56e8e8709553be0f85ca74ffb36e5131a6471d8ad4180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
70011f05a627dfbe2d89ad49510ce0a8

SHA1
655c95e54ff91577c50b67766bb27b0259690909

SHA256
7df3ca86c8f3fc46d07e139235a9de1eb1c9837bb37e9924aa376fa421ad2353

SHA512
bb610ad08767bcb6b963e464c82d643037a258f65b01589966f5c28eb82515e20e53b7e1919734c4f20506ec47fc0ebffed959d909e498a577b7a280b38908db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
34597e38c936098af9a5461eb02bb877

SHA1
19637bd1d964687a27e7cc43cd7bb2d5c6c7529e

SHA256
1a61a79d60baee096d201a34abb553c2f06a1467a6b563049c64ac74794aa6ab

SHA512
9722aefd2b84985d3ede20f52802934a95ecbd5ba0ecb0126a73a056115ff9788b51f49f816fed37dc901b79076c62b3ee50fc2f1cdfcbe2c73ab888aa71ef54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
34597e38c936098af9a5461eb02bb877

SHA1
19637bd1d964687a27e7cc43cd7bb2d5c6c7529e

SHA256
1a61a79d60baee096d201a34abb553c2f06a1467a6b563049c64ac74794aa6ab

SHA512
9722aefd2b84985d3ede20f52802934a95ecbd5ba0ecb0126a73a056115ff9788b51f49f816fed37dc901b79076c62b3ee50fc2f1cdfcbe2c73ab888aa71ef54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
883371630560695611efad1c12042246

SHA1
b19eea09fdf66f6e7225376eab0a317ba6650463

SHA256
14d374c57415e31ac9ee20ef82e8a02b2f18938983a881a0cd5f09fa6045ad2d

SHA512
3c55a657cb18cfc101fb80ff2784e5889b8b0074de67519e01b0c4b622ca80d766bf86284d4b300bc42716cd79faf65bd38ca177599a20f667fd7a0736c49bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
356825a6faeb6eca2dafd1883b699c38

SHA1
36d707e1170114f3fb529bb2b34dd4e091d2c926

SHA256
c519115cd5efecf081f1f6f2313f429a5a3460f9750c5bc84352a6205f49015d

SHA512
eab8ee3dd766e64f37556e927bb5f1eddf752c492d236ff2bd821c21066e62fde6ae48798c9ac9ce5b8ebd39c68cf1dfc92fbc38398ab433fcfc3450c7793fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e90afa30ee2c9c802b5e823b746388b2

SHA1
cac7a25c467d8df624ae9284436827eefb24cc22

SHA256
88d65898e0300e0ef220ff3aa7a12981c85184d10ce3fb32c6206fdee04d5aae

SHA512
036a3bead24e0de40c2cfec1b67fde5a99d7d7aa027b50267b306360b44f23cc2fca01bb92fd9e093bf1233cf19c36c571fd2e301a1e2508b28944d358b1f493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e4622a81f5b524caff759b2dc4d5a484

SHA1
e7e15329ebd8dbb235497042401d103941379408

SHA256
855c628aad83ab9db33806e0454e1b55ddfc0df844236ca8b2a09b2c7679cb6b

SHA512
8ddd3311ec850806bfbaac9175ca2553981d6e71a9abdcd80887e4f09b8aadf2edae1182e803d8b927bb48fc548270ab2199a3989f51d9721f97418185e24813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ab773903-6e0e-430a-9f0d-13ff2e350131.tmp
Filesize
2KB

MD5
f18d4c58b887034bdedb8b1cdfcf6725

SHA1
0b69088c6dd7184b284f527ef0aad1801089cd8a

SHA256
c07a1487a8c06e35dfe25b2b9fe7156c5dd066d7cef9dd1f8e2796435e788583

SHA512
f594c726a8c6364bbf41b5581e6afb400750bb739d447b1a043391d5534c68f56db5381e80cffd1da4e56e8e8709553be0f85ca74ffb36e5131a6471d8ad4180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fe36e6b5-c9ed-41ce-96a8-13803ac94699.tmp
Filesize
2KB

MD5
e90afa30ee2c9c802b5e823b746388b2

SHA1
cac7a25c467d8df624ae9284436827eefb24cc22

SHA256
88d65898e0300e0ef220ff3aa7a12981c85184d10ce3fb32c6206fdee04d5aae

SHA512
036a3bead24e0de40c2cfec1b67fde5a99d7d7aa027b50267b306360b44f23cc2fca01bb92fd9e093bf1233cf19c36c571fd2e301a1e2508b28944d358b1f493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ffc53a69-406e-4f38-ab27-f34a0f7eb2a5.tmp
Filesize
2KB

MD5
883371630560695611efad1c12042246

SHA1
b19eea09fdf66f6e7225376eab0a317ba6650463

SHA256
14d374c57415e31ac9ee20ef82e8a02b2f18938983a881a0cd5f09fa6045ad2d

SHA512
3c55a657cb18cfc101fb80ff2784e5889b8b0074de67519e01b0c4b622ca80d766bf86284d4b300bc42716cd79faf65bd38ca177599a20f667fd7a0736c49bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A544.exe
Filesize
1.5MB

MD5
fc63834e7701aede7a8c4c7cf3bcfbfa

SHA1
e93b9aaf058322e85607a64c91bd13a5e98430b5

SHA256
40ee0a1b9d1005444a79e427f1ca68214969189c5f871b12df4a594317042675

SHA512
7f4a799f5b0035c03f23252bb0bf9a052917f6ba056dcdfc2695cc2de4d0530ea9e1a0eedc405ca6c239982fe08e7df1fc083ffe394eee5fe32650696f6db562

Download Submit
C:\Users\Admin\AppData\Local\Temp\A544.exe
Filesize
1.5MB

MD5
fc63834e7701aede7a8c4c7cf3bcfbfa

SHA1
e93b9aaf058322e85607a64c91bd13a5e98430b5

SHA256
40ee0a1b9d1005444a79e427f1ca68214969189c5f871b12df4a594317042675

SHA512
7f4a799f5b0035c03f23252bb0bf9a052917f6ba056dcdfc2695cc2de4d0530ea9e1a0eedc405ca6c239982fe08e7df1fc083ffe394eee5fe32650696f6db562

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7A6.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8B1.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8B1.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAE4.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAE4.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
\??\pipe\LOCAL\crashpad_1712_NFZKMFMHPAIUQJFZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2164_KNVXVIZQHQAEOYAI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2756_BNYCBZRELUWLQMOX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3996_GGTZNCDXMUGVXQNY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4396_ZUDAVKDGRYQYQOSQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4992_WULMPLDAIJVNXJWB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1136-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-428-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/2544-542-0x00000000006E0000-0x000000000071E000-memory.dmp

Filesize
248KB

Download
memory/2544-590-0x00000000740F0000-0x00000000748A0000-memory.dmp

Filesize
7.7MB

Download
memory/2740-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3264-1-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download