redline | ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe
Size

957KB
MD5

16ecb315f9db703a5397af14d52615d6
SHA1

8a16699523213409e934db948f380d3b22217848
SHA256

ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f
SHA512

afa06027ffdf7652ca1ba7b212ff28338e4cb919955db5729a584ef90915496f0a2a900f0a66289717231eac2ff42e7ef6c0fc95b6885931783b2ababaca2710
SSDEEP

12288:Ebclpo2dAKlpItf+BV3XHSlHYBPHJqXbmxoRj3cQpRnRu9cdTYrtj2Z:RlW2dAK4tf+BVHHkIoRj3cQDoj2

Score

10^/10

redline smokeloader grome kinza backdoor infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CAD5.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\CAD5.exe	family_redline
behavioral1/memory/4988-57-0x0000000000120000-0x000000000015E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe	family_redline
behavioral1/memory/6080-332-0x0000000000F20000-0x0000000000F5E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 9 IoCs

Processes:

C7B5.exePx2GN6sd.exebZ5Nk6xI.exeC9E9.exeBE9FN3Rg.exeCAD5.exetC1Jw3UE.exe1sm74pL0.exe2xO560Ot.exe

pid process

3264 C7B5.exe
3600 Px2GN6sd.exe
1944 bZ5Nk6xI.exe
1084 C9E9.exe
4480 BE9FN3Rg.exe
4988 CAD5.exe
3896 tC1Jw3UE.exe
4520 1sm74pL0.exe
6080 2xO560Ot.exe

pid	process
3264	C7B5.exe
3600	Px2GN6sd.exe
1944	bZ5Nk6xI.exe
1084	C9E9.exe
4480	BE9FN3Rg.exe
4988	CAD5.exe
3896	tC1Jw3UE.exe
4520	1sm74pL0.exe
6080	2xO560Ot.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

C7B5.exePx2GN6sd.exebZ5Nk6xI.exeBE9FN3Rg.exetC1Jw3UE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	C7B5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Px2GN6sd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bZ5Nk6xI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	BE9FN3Rg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tC1Jw3UE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe1sm74pL0.exe

description	pid	process	target process
PID 4596 set thread context of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4520 set thread context of 5964	4520	1sm74pL0.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3236	4596	WerFault.exe	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe
6072	4520	WerFault.exe	1sm74pL0.exe
216	5964	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
4080	AppLaunch.exe
4080	AppLaunch.exe
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084
3084

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

4080 AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: SeShutdownPrivilege	3084
Token: SeCreatePagefilePrivilege	3084
Token: 33	5836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5836	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3084

pid	process
3084

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exeC7B5.exePx2GN6sd.exebZ5Nk6xI.exeBE9FN3Rg.execmd.exetC1Jw3UE.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4596 wrote to memory of 1948	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 1948	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 1948	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 4596 wrote to memory of 4080	4596	ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe	AppLaunch.exe
PID 3084 wrote to memory of 3264	3084		C7B5.exe
PID 3084 wrote to memory of 3264	3084		C7B5.exe
PID 3084 wrote to memory of 3264	3084		C7B5.exe
PID 3084 wrote to memory of 1544	3084		cmd.exe
PID 3084 wrote to memory of 1544	3084		cmd.exe
PID 3264 wrote to memory of 3600	3264	C7B5.exe	Px2GN6sd.exe
PID 3264 wrote to memory of 3600	3264	C7B5.exe	Px2GN6sd.exe
PID 3264 wrote to memory of 3600	3264	C7B5.exe	Px2GN6sd.exe
PID 3600 wrote to memory of 1944	3600	Px2GN6sd.exe	bZ5Nk6xI.exe
PID 3600 wrote to memory of 1944	3600	Px2GN6sd.exe	bZ5Nk6xI.exe
PID 3600 wrote to memory of 1944	3600	Px2GN6sd.exe	bZ5Nk6xI.exe
PID 3084 wrote to memory of 1084	3084		C9E9.exe
PID 3084 wrote to memory of 1084	3084		C9E9.exe
PID 3084 wrote to memory of 1084	3084		C9E9.exe
PID 1944 wrote to memory of 4480	1944	bZ5Nk6xI.exe	BE9FN3Rg.exe
PID 1944 wrote to memory of 4480	1944	bZ5Nk6xI.exe	BE9FN3Rg.exe
PID 1944 wrote to memory of 4480	1944	bZ5Nk6xI.exe	BE9FN3Rg.exe
PID 3084 wrote to memory of 4988	3084		CAD5.exe
PID 3084 wrote to memory of 4988	3084		CAD5.exe
PID 3084 wrote to memory of 4988	3084		CAD5.exe
PID 4480 wrote to memory of 3896	4480	BE9FN3Rg.exe	tC1Jw3UE.exe
PID 4480 wrote to memory of 3896	4480	BE9FN3Rg.exe	tC1Jw3UE.exe
PID 4480 wrote to memory of 3896	4480	BE9FN3Rg.exe	tC1Jw3UE.exe
PID 1544 wrote to memory of 3532	1544	cmd.exe	msedge.exe
PID 1544 wrote to memory of 3532	1544	cmd.exe	msedge.exe
PID 3896 wrote to memory of 4520	3896	tC1Jw3UE.exe	1sm74pL0.exe
PID 3896 wrote to memory of 4520	3896	tC1Jw3UE.exe	1sm74pL0.exe
PID 3896 wrote to memory of 4520	3896	tC1Jw3UE.exe	1sm74pL0.exe
PID 3532 wrote to memory of 4612	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 4612	3532	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2360	1544	cmd.exe	msedge.exe
PID 1544 wrote to memory of 2360	1544	cmd.exe	msedge.exe
PID 2360 wrote to memory of 1648	2360	msedge.exe	msedge.exe
PID 2360 wrote to memory of 1648	2360	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe
PID 3532 wrote to memory of 3804	3532	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe
"C:\Users\Admin\AppData\Local\Temp\ec249d5d9d6ed36215c66b94c922b229167a01fc1dc37d55d70e78b2c87efc5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 332
2⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\C7B5.exe
C:\Users\Admin\AppData\Local\Temp\C7B5.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px2GN6sd.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px2GN6sd.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZ5Nk6xI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZ5Nk6xI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE9FN3Rg.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE9FN3Rg.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tC1Jw3UE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tC1Jw3UE.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sm74pL0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sm74pL0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 540
8⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 572
7⤵
- Program crash
PID:6072

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe
6⤵
- Executes dropped EXE
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8CF.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
3⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
3⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
3⤵
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
3⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
3⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
3⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
3⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
3⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
3⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
3⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
3⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
3⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
3⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
3⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
3⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
3⤵
PID:5976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
3⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8464 /prefetch:1
3⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 /prefetch:8
3⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 /prefetch:8
3⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7512 /prefetch:8
3⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6884 /prefetch:8
3⤵
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
3⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9188 /prefetch:1
3⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7396527907766219049,14778752653483252243,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6632 /prefetch:2
3⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5592785850284671282,9273211454771520634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
3⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5592785850284671282,9273211454771520634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84c446f8,0x7ffe84c44708,0x7ffe84c44718
3⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\C9E9.exe
C:\Users\Admin\AppData\Local\Temp\C9E9.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Users\Admin\AppData\Local\Temp\CAD5.exe
C:\Users\Admin\AppData\Local\Temp\CAD5.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5964 -ip 5964
1⤵
PID:6012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1a5fc49ffbf85ab34aec587738be545a

SHA1
5552eb5ded58f02b52cad1d7d8d6a78547353bac

SHA256
df37e7889ec197aee56f1b006b70f2a751ae04fda80b86d2b77aff5ed70f0157

SHA512
36862f0f125c29e121706272d7bf420534e1db955bb77741388c679bfcb0b613c3e1b1c380b1b9cccf8dea69cf401110b7ea0fbcc1dbc93ade754e526832f124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
6f9a6a9bc879eea7ee094f88e6edcbaf

SHA1
3e0c7052c4d3d3efe8a5148aafe53f360fa81425

SHA256
48cad7e9037ec2cbfeefb5ba510f93e695a175955fa98456595396a1c32d3f59

SHA512
7c4394e359b5070ae7261c0e22832d912c359773194b2d9b62995550b03e5e7e16d57e9cbe956aa8772e1a443a4dcefbf4b3ee760179181bc400be785168662f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
5095ce150628cfba35fb007dc1a47659

SHA1
00fd0fce09dea385a2698c03a80241db2668e4cc

SHA256
67256331d8b2dbb7ccc13ea7fa034228fa3546dc830e1f331e09aa6c14be9125

SHA512
a95df2e4b24e029a3a192c7b479bb87c7d0788c6e0a26bdf95601b8bf29ee910beb30e8d9be45199b37aeb04e5429472d685172d142f524f4900a052a6886e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
a309a4eba37dfcbc09e507bcf5934afc

SHA1
a153b456df9ddc590e859d997bd11fb2384b5b60

SHA256
bb6b07c593a078301cd96190e863a488fe0504d87c7a45d3ed9b6da82fa0bdaa

SHA512
2afed93149474399d6253699e1ef5bfd4ff867d880c4d2ce2f818ba7c5d84a8695dec3feda45b8969ef8a4a5f41c91ec1ff3499bcd37ebff63b1958678a4fc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
0a7307fae1d78d791a3fafc0150be65a

SHA1
1ec4dbec1dc62e01ed81a51f6d598f707004cb2b

SHA256
7a9250208af251dcbe4318a190840be01a40e4ab8ef4a74a3e9684fcca497164

SHA512
0c8279ff67d54b5c06246a441fbd1a733c8fb59e2e64a5898fc3893486b56a32fc74ae724b2e3c665be23593fc25e06e8a09a447312f325b6a51e2fd08bf3eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bd3f38ef-1ade-46de-8f06-04be34e763f2\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
5927bf3e369fdd4978f2f017d54a4778

SHA1
4b8e4c7499fcd39a5d80694e1145d7e5831654e5

SHA256
8239cd2148b087a8fe2a42423932b3b3aa3e6e2540145697fcc2644831074f28

SHA512
e68016607c00ceb141bc75094715be3ea53426c3c20015ea80aec1380b1c2cbb2fbb1f2510a75c1021709855257fbec131d0cffec8fb9f98af996de0bf4079a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
a15fdd55464298188696e44cfe4ee9da

SHA1
dc5a5589d8b84c5ae203fc0112573869d665cc16

SHA256
3831f9e5bff5bb7a044d313b8f2b4f09a56103f05b117582114074d4516828d1

SHA512
ca70699e1628805f73c5ccb0a878f9e605a3c5a35629fb68d1a8403f1a0cf378542b65153ce7862d05d1b14d721ff07f0046515809d83eb03677c99aaf98fdf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
155B

MD5
4fdc9de707b11c4100cdd7a6479a215c

SHA1
ac308f8bbc7971fc4c4009c5563a5ee0d9207785

SHA256
89cebb2bf979fcea9cdd615456d650bd46c696e8e83cc8dee5bf7d8b8fafc7db

SHA512
1488cd1f0626656a1b9b51c5f298ecf47ec1367714fdc209f230262fcd8eb56a9ba17cafa2add8be9ca9f27831f2029e4d863b77b1a52ca0c306f5446fad7e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
215B

MD5
f845f28ff8f9aa7b31b00e98560d6516

SHA1
c32e5355072c8e656e6bc8985db4a7090a46e1e5

SHA256
98f0156663000f2ed5de37bb94571ea36dd9096cfa78514a2666a7c94bf4e131

SHA512
04c89e005eb4c7c47cb117c742939e73bcef133a79f4c1db3e6abbca502bcce10bdb8e41d3c3d6b64383279c973dbdbd7d9630eff2918cfa564362ba4b3e262b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
151B

MD5
e591a03c83f9b4836d44106bad4da974

SHA1
8e3e30a57867030e9b1cc30c081591fc02423ff4

SHA256
43c83d234cf228dbec26b88a10c34f7c651abc8b1ea9d729573270c334138617

SHA512
389410632915d478f539f8ddef79d1defbcb0a46cb86e53c1e3a6799ba54dfdc7e8aeb3e575890ed800b6a5c6631c0521ffb8f829870c329f628bc011cdf60ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize
146B

MD5
682105c95fdd2a230e933c938837d585

SHA1
82c78890bae1f2d208529c7640611d03f2e7bc3d

SHA256
13f091b139b4eec8a5b6f0a3f8e3bb9cc14ca38a433aed629b6e4c5249e3e3af

SHA512
d36b597b8398cd83166c248ad959ac35385e53d3f95fdb501513896b184e4538ccdc1aba46038a2b53a3efb80e6357d1d2c2701de9717c501c5a1836be3ebe18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
855ffb811d5262eb24e06710154b3430

SHA1
45d4be75e74d9f92895dd88c5594417b37218262

SHA256
05d57a127bd0a198d9b09d6c73d0ed407ddb8559a886625bf65065b528941961

SHA512
599177ea5c1d9804846fd8bab79c8703716413c4ac93bcabf0c4f1ac52bf2b642f8d80093180df9629926cd2df3370bb521b08de07c4a68f385723141b1e80f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59425e.TMP
Filesize
48B

MD5
cca45e88b7dcc4b818f0619e07ae47e5

SHA1
8b42ab3045efb5b1d86f1276eae09f49478f7665

SHA256
97b0eecce9e20f81fb8e7b704bf0735ffa128af6a011306b81f838dc47e71874

SHA512
a6106d3424c82f590df9297c39ccb4a141d42ee19ec40645d5b8cb917bc5b022c5095d9b3102c36f12d97c3501e416f80b72fc7b86964f647b51fb093f10d9e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3e6567f184dcb89869d731d140f8e081

SHA1
1d1c85b0f688f942809c39f427957e24eebe4421

SHA256
a4a9d037192ae0d851371364beb86abfc765b3823fea3337bbb46c4f17b69b61

SHA512
12b17c256ab393fac9c824389175433d7273ceaa1dbc1783187d0a0f43d6e5cd764a1cae0cf2bba9f56137a3ef2c233177a6caf8e62aea5cd49eb45514e5b644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
aece982a1b4162f84b9227f676ade169

SHA1
980afa83966900831453e1fd55365140d77034ec

SHA256
ad8d155e58239c8276769604e0894e1bd038f9ccc38f16154e83ccfd926c18ba

SHA512
58ca57645a132940ce7a2dfa95aac3392d5abd1cab2099461259e65c3ac13ae9ccaba76a3d2520640c5b8bfb1e2d9fec65642c895c6df55a406fcd9ca668eba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
eff907701f8ae1dd9b27bf94954566fb

SHA1
1f63faa7034e3a00f46c9bb514a7e37e41109c59

SHA256
460688edc67658f3414ad26d973c6611e8d7da572272a7261f78b2e6bb03bb7c

SHA512
075abc0b9c941725131730a4857fa3117c0d65ddac1cf51e2497e563cdeef59003a7972d2b744bcdc5adc445fd06c73240afbf950062947afe83f2160c49cad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
41f77188547c8b8adc12b9aa9e6281bc

SHA1
f75429e6cb201fd357045483a9ba8bef69173140

SHA256
490306631e222deca6f35541a6d3ff8a7bfa24789c7840fd6b2fe58090b3d355

SHA512
e9e203f5baaefa7d6295425192e59893a66c641e83d6679cf6ba50617bb81fe11722af27875eeb4c705bfebbab695bfddc945d1f17ccef0221055244eecfd275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588f99.TMP
Filesize
1KB

MD5
78c4f99fe1581d64064a384feef10463

SHA1
7c43c9f22b56f955fb1aa6f2222d638bd8710c12

SHA256
9e2395ce1994d341055bacdf59925dd9f9fd45ee12f527eb441cab471f5c38a4

SHA512
dcde2af76d563e8fbe4cc880432ae952ab5211c2c67ff88b70a85cb5943225ffc851fd73c7b82354685ae4383e28cbe6851c0d41c4cd306ba6ec650582404b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cb2adc00-d7a4-46dd-af0d-7b00a765126d.tmp
Filesize
5KB

MD5
a3f736ac483568af15f1d2837147bc18

SHA1
184969a2c4fa6a67ed1f8d1e7a706e107f4eee9f

SHA256
6dff111c405a7ab96841461a79c260d53568b54fa83918ba36d9e1fef414afce

SHA512
8bca0566cdf000a40dd8612a862e453ff886b422452a398d853212be1e256174425c24c831a6d51f55df051fe4be00f08e2e8a387ed5bdf509004a5f27a205ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ff4d38de0dcf82faa0ced19370ebf2e7

SHA1
f9bac6dab1a3d0da2eb71591551c83152405af84

SHA256
86abc06b49756ae044d3a5d91d23d22dca76a8240efce7ddee1f1cf9ce786362

SHA512
c3ee8a5e9df13aef614657541c5fa8190e0f38d86084dfeb581642d77f20f0cfae27d7f8c9621c651af542c505b0f2260a72574489bd23ad1ad549521f640147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ff4d38de0dcf82faa0ced19370ebf2e7

SHA1
f9bac6dab1a3d0da2eb71591551c83152405af84

SHA256
86abc06b49756ae044d3a5d91d23d22dca76a8240efce7ddee1f1cf9ce786362

SHA512
c3ee8a5e9df13aef614657541c5fa8190e0f38d86084dfeb581642d77f20f0cfae27d7f8c9621c651af542c505b0f2260a72574489bd23ad1ad549521f640147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c470bc7c50bc36fc2d0b97444b82cfac

SHA1
eb9ea1378c23e4857791650b04f31ec7947bef09

SHA256
507417428c355332a36337ef90e502ae078cc930e679e462a573243c744bc180

SHA512
10468ae3ee7a5ec094c6e4158cd3ff91966cd493a81f75e92c1f1aa24f970504e1651f905c5663b7849e5b490dfb703c8f863a60f6c71453a05f1b802cd7ebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7B5.exe
Filesize
1.5MB

MD5
5120b817f57a1b6c204b90deeebf33f9

SHA1
721b0cb8f0bb5b214705315dffb292c631a66d24

SHA256
2b01af1393bf2f2e38c7ff830c4f963f9a3d10833327f0ba7226ff2ca9b51bd6

SHA512
63816f38608e8fb5f08a93708f411e562205073aef42a87dbd8e3f6247100eb46b33b939741a8edfcbdf920e5bb0cef33458d0636523a42e11807195563e19ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7B5.exe
Filesize
1.5MB

MD5
5120b817f57a1b6c204b90deeebf33f9

SHA1
721b0cb8f0bb5b214705315dffb292c631a66d24

SHA256
2b01af1393bf2f2e38c7ff830c4f963f9a3d10833327f0ba7226ff2ca9b51bd6

SHA512
63816f38608e8fb5f08a93708f411e562205073aef42a87dbd8e3f6247100eb46b33b939741a8edfcbdf920e5bb0cef33458d0636523a42e11807195563e19ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8CF.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9E9.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9E9.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAD5.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAD5.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px2GN6sd.exe
Filesize
1.3MB

MD5
def1601480fa2f678b726fc68b522886

SHA1
18c2ebd994f0ea743b67a27d5fd4c155be2bcd80

SHA256
e31c230425f5c8d4a3214d460bcc29037cd9732dd3f2b6664569eafca1c1e3db

SHA512
d66be317728cc22270b465a78d81b92d54bc2fadbd021be53d842aed1a7f225544743a539e6ed81b4a23b7253617c67a56647030bc04a4c726fdcbbcbb8e39e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px2GN6sd.exe
Filesize
1.3MB

MD5
def1601480fa2f678b726fc68b522886

SHA1
18c2ebd994f0ea743b67a27d5fd4c155be2bcd80

SHA256
e31c230425f5c8d4a3214d460bcc29037cd9732dd3f2b6664569eafca1c1e3db

SHA512
d66be317728cc22270b465a78d81b92d54bc2fadbd021be53d842aed1a7f225544743a539e6ed81b4a23b7253617c67a56647030bc04a4c726fdcbbcbb8e39e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZ5Nk6xI.exe
Filesize
1.2MB

MD5
dccb28b4b0f10083e62c25ffd61f4370

SHA1
7049a175cdbefd5c1db88a05a9d390da5fef31eb

SHA256
76a934e8058a21c09917e1ca13f03c670d70b24f9ceff14d64935efff8023869

SHA512
980dc3d3bcbae60eb144245ca325a66ddc670000dcf7cb1ffe9c7ec152ce6504c396c3dbbe0ab641d236298ad6e2c821fbc666e4a6ab079187a9acdd707412b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bZ5Nk6xI.exe
Filesize
1.2MB

MD5
dccb28b4b0f10083e62c25ffd61f4370

SHA1
7049a175cdbefd5c1db88a05a9d390da5fef31eb

SHA256
76a934e8058a21c09917e1ca13f03c670d70b24f9ceff14d64935efff8023869

SHA512
980dc3d3bcbae60eb144245ca325a66ddc670000dcf7cb1ffe9c7ec152ce6504c396c3dbbe0ab641d236298ad6e2c821fbc666e4a6ab079187a9acdd707412b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE9FN3Rg.exe
Filesize
768KB

MD5
456a474e561d9807ba01e1b2a2dfd5e9

SHA1
95629f980f73ed9e0555ee7884bcef0cfddb2ee7

SHA256
a91850b5a0c4997c372c4b5b37a38f1d50b6815c53f44e5c043c877a4140f497

SHA512
577c8032b0fbefae07d10a5613150eacef6079d02aef3c8091e6b12d5ef9161c7dbf966f7c10c106e9df6fa89f50717920dc5c1eeb331a183b858e02f18472ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE9FN3Rg.exe
Filesize
768KB

MD5
456a474e561d9807ba01e1b2a2dfd5e9

SHA1
95629f980f73ed9e0555ee7884bcef0cfddb2ee7

SHA256
a91850b5a0c4997c372c4b5b37a38f1d50b6815c53f44e5c043c877a4140f497

SHA512
577c8032b0fbefae07d10a5613150eacef6079d02aef3c8091e6b12d5ef9161c7dbf966f7c10c106e9df6fa89f50717920dc5c1eeb331a183b858e02f18472ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tC1Jw3UE.exe
Filesize
573KB

MD5
e34611ad14d3be42c22926bbd914aa8f

SHA1
2c4bcb3de283b13053889259490e449eea2437ac

SHA256
240305b34885daa3f8ec2e440ae067a4a1720fc888876afb80e5d767f7e17edc

SHA512
96a87a84faf6b2c11122988d0a7e5ec840f4d6ae66cd8cb48cb401f6c92063a723dd2e9f18cbd3049cb06f5d2819bff718c8665af6ba3033f412066b67b08781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tC1Jw3UE.exe
Filesize
573KB

MD5
e34611ad14d3be42c22926bbd914aa8f

SHA1
2c4bcb3de283b13053889259490e449eea2437ac

SHA256
240305b34885daa3f8ec2e440ae067a4a1720fc888876afb80e5d767f7e17edc

SHA512
96a87a84faf6b2c11122988d0a7e5ec840f4d6ae66cd8cb48cb401f6c92063a723dd2e9f18cbd3049cb06f5d2819bff718c8665af6ba3033f412066b67b08781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sm74pL0.exe
Filesize
1.1MB

MD5
d36800e111ff7ea6ee447ed910a5abe3

SHA1
6848b3c7077280263c5c5083d3a4cd7831cbc786

SHA256
4ed903372a10a89c463fa681a011a5c0c53c1877768b1f7887211ef20bacc82f

SHA512
b553bee8405567244c12a8e76c2ac99f70ec80a857c45b3cd01158f28aa60ec21483d70b14d906f21fb0d4bb3cb12e39aa2e42dd0e57cc8153c49aed5543edd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sm74pL0.exe
Filesize
1.1MB

MD5
d36800e111ff7ea6ee447ed910a5abe3

SHA1
6848b3c7077280263c5c5083d3a4cd7831cbc786

SHA256
4ed903372a10a89c463fa681a011a5c0c53c1877768b1f7887211ef20bacc82f

SHA512
b553bee8405567244c12a8e76c2ac99f70ec80a857c45b3cd01158f28aa60ec21483d70b14d906f21fb0d4bb3cb12e39aa2e42dd0e57cc8153c49aed5543edd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe
Filesize
223KB

MD5
89c6751c8ff39a436909183a61368413

SHA1
50f2ee4a49c5c0afde082b7d44c6c3a1908234fd

SHA256
252cc75a3a5357743573cc9b12bbba56f93a8d10695baa9ceaf51ba8bbd25d9f

SHA512
90f74bd0f0ee631c70dae711a5c544f07bc6edb49c5f0f894794dda6827be95c63ade8d8addddd805e2ffcd4b4214da12cc78a8edad9ba2819d05b18f5fe0d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xO560Ot.exe
Filesize
223KB

MD5
89c6751c8ff39a436909183a61368413

SHA1
50f2ee4a49c5c0afde082b7d44c6c3a1908234fd

SHA256
252cc75a3a5357743573cc9b12bbba56f93a8d10695baa9ceaf51ba8bbd25d9f

SHA512
90f74bd0f0ee631c70dae711a5c544f07bc6edb49c5f0f894794dda6827be95c63ade8d8addddd805e2ffcd4b4214da12cc78a8edad9ba2819d05b18f5fe0d15

Download Submit
\??\pipe\LOCAL\crashpad_2360_VSHIIXGBRJCTJGHV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3532_EGSBZDGCBUBLLCXN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3084-2-0x0000000002E60000-0x0000000002E76000-memory.dmp

Filesize
88KB

Download
memory/4080-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4080-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4080-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4988-65-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/4988-79-0x0000000008100000-0x0000000008718000-memory.dmp

Filesize
6.1MB

Download
memory/4988-58-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/4988-57-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/4988-62-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/4988-89-0x0000000007320000-0x000000000736C000-memory.dmp

Filesize
304KB

Download
memory/4988-82-0x00000000072E0000-0x000000000731C000-memory.dmp

Filesize
240KB

Download
memory/4988-81-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/4988-80-0x0000000007390000-0x000000000749A000-memory.dmp

Filesize
1.0MB

Download
memory/4988-63-0x0000000007020000-0x00000000070B2000-memory.dmp

Filesize
584KB

Download
memory/4988-71-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/4988-204-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/5964-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6080-550-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/6080-333-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/6080-348-0x0000000007ED0000-0x0000000007EE0000-memory.dmp

Filesize
64KB

Download
memory/6080-332-0x0000000000F20000-0x0000000000F5E000-memory.dmp

Filesize
248KB

Download