glupteba | f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556

Analysis

max time kernel
74s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe
Size

1.4MB
MD5

e094893c307756f26546790c7964143c
SHA1

e1940f22ca71aa0dff1e2291cd0cb2fb59c4d862
SHA256

f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556
SHA512

bdd4b1e740a9019919840a276fe97da166fa41ced37cc3312d8656cd3ebf8bca1c35bec96b2474da2a6cc51eff5d3491c6810a274478cd3c5cf60a93a932083e
SSDEEP

24576:/yzltQIdqLP6YrPefIsFE+GQCbDQ88KSYwCzfCm/w4tjWmJkg7AcX/5:KTQIdqLBTewWHGj8/YwCzH/wujWAk83X

Score

10^/10

glupteba mystic redline smokeloader zgrat taiga up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6912-211-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6912-214-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6912-213-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6912-217-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 25 IoCs

resource	yara_rule
behavioral1/memory/6224-624-0x000002BE45E30000-0x000002BE45F14000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-628-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-629-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-631-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-633-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-635-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-637-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-639-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-641-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-643-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-645-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-647-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-649-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-652-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-654-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-656-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-658-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-661-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-663-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-665-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-667-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-671-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-673-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-675-0x000002BE45E30000-0x000002BE45F11000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-733-0x0000000002B30000-0x0000000002F2C000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/2420-736-0x0000000002F30000-0x000000000381B000-memory.dmp	family_glupteba
behavioral1/memory/2420-741-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/3880-277-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/8120-474-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline
behavioral1/memory/8120-473-0x00000000005A0000-0x00000000005FA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	BB9A.exe

Executes dropped EXE 11 IoCs

pid	Process
4148	TD2LQ80.exe
3716	Ih4sd84.exe
2356	HG4OZ12.exe
4736	1KW31rv9.exe
6328	2eY4396.exe
5280	7My72nk.exe
5660	8sT689HF.exe
4232	9EE3QR1.exe
8120	BB9A.exe
7696	47C.exe
7792	884.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TD2LQ80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ih4sd84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	HG4OZ12.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000022cfa-26.dat	autoit_exe
behavioral1/files/0x0008000000022cfa-27.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6328 set thread context of 6912	6328	2eY4396.exe	145
PID 5660 set thread context of 3880	5660	8sT689HF.exe	161
PID 4232 set thread context of 6960	4232	9EE3QR1.exe	167

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7692	sc.exe
5512	sc.exe
7444	sc.exe
4136	sc.exe
8180	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6852	6912	WerFault.exe	145

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7My72nk.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7My72nk.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7My72nk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
524	msedge.exe
524	msedge.exe
3392	msedge.exe
3392	msedge.exe
3408	msedge.exe
3408	msedge.exe
5688	msedge.exe
5688	msedge.exe
948	msedge.exe
948	msedge.exe
5032	msedge.exe
5032	msedge.exe
5280	7My72nk.exe
5280	7My72nk.exe
4184	identity_helper.exe
4184	identity_helper.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5280	7My72nk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeDebugPrivilege	8120	BB9A.exe
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
4736	1KW31rv9.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
4736	1KW31rv9.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
948	msedge.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4736	1KW31rv9.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4148	2404	f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe	90
PID 2404 wrote to memory of 4148	2404	f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe	90
PID 2404 wrote to memory of 4148	2404	f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe	90
PID 4148 wrote to memory of 3716	4148	TD2LQ80.exe	92
PID 4148 wrote to memory of 3716	4148	TD2LQ80.exe	92
PID 4148 wrote to memory of 3716	4148	TD2LQ80.exe	92
PID 3716 wrote to memory of 2356	3716	Ih4sd84.exe	93
PID 3716 wrote to memory of 2356	3716	Ih4sd84.exe	93
PID 3716 wrote to memory of 2356	3716	Ih4sd84.exe	93
PID 2356 wrote to memory of 4736	2356	HG4OZ12.exe	95
PID 2356 wrote to memory of 4736	2356	HG4OZ12.exe	95
PID 2356 wrote to memory of 4736	2356	HG4OZ12.exe	95
PID 4736 wrote to memory of 2156	4736	1KW31rv9.exe	96
PID 4736 wrote to memory of 2156	4736	1KW31rv9.exe	96
PID 4736 wrote to memory of 948	4736	1KW31rv9.exe	98
PID 4736 wrote to memory of 948	4736	1KW31rv9.exe	98
PID 2156 wrote to memory of 1144	2156	msedge.exe	99
PID 2156 wrote to memory of 1144	2156	msedge.exe	99
PID 948 wrote to memory of 3964	948	msedge.exe	100
PID 948 wrote to memory of 3964	948	msedge.exe	100
PID 4736 wrote to memory of 4656	4736	1KW31rv9.exe	101
PID 4736 wrote to memory of 4656	4736	1KW31rv9.exe	101
PID 4656 wrote to memory of 4524	4656	msedge.exe	102
PID 4656 wrote to memory of 4524	4656	msedge.exe	102
PID 4736 wrote to memory of 2984	4736	1KW31rv9.exe	103
PID 4736 wrote to memory of 2984	4736	1KW31rv9.exe	103
PID 2984 wrote to memory of 4668	2984	msedge.exe	104
PID 2984 wrote to memory of 4668	2984	msedge.exe	104
PID 4736 wrote to memory of 3440	4736	1KW31rv9.exe	105
PID 4736 wrote to memory of 3440	4736	1KW31rv9.exe	105
PID 3440 wrote to memory of 316	3440	msedge.exe	106
PID 3440 wrote to memory of 316	3440	msedge.exe	106
PID 4736 wrote to memory of 888	4736	1KW31rv9.exe	107
PID 4736 wrote to memory of 888	4736	1KW31rv9.exe	107
PID 888 wrote to memory of 4340	888	msedge.exe	108
PID 888 wrote to memory of 4340	888	msedge.exe	108
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116
PID 4656 wrote to memory of 1900	4656	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe
"C:\Users\Admin\AppData\Local\Temp\f658bd48724915663fe4ff16df8b47b52fe647d8ec0e79d3da8a2399bb579556.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD2LQ80.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD2LQ80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ih4sd84.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ih4sd84.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HG4OZ12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HG4OZ12.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW31rv9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW31rv9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13569128180801420712,14852307194370670504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13569128180801420712,14852307194370670504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        7⤵
        
        PID:2348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:3964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
        7⤵
        
        PID:1512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        7⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        7⤵
        
        PID:5628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        7⤵
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        7⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        7⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
        7⤵
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
        7⤵
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
        7⤵
        
        PID:6492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        7⤵
        
        PID:6704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
        7⤵
        
        PID:6740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        7⤵
        
        PID:6876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
        7⤵
        
        PID:7140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        7⤵
        
        PID:7160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
        7⤵
        
        PID:5616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
        7⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
        7⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7544 /prefetch:8
        7⤵
        
        PID:4176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7544 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
        7⤵
        
        PID:1884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
        7⤵
        
        PID:6904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,10093553649472409968,15444580852720713121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
        7⤵
        
        PID:8000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,13311579382791091049,16802179786755667009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,13311579382791091049,16802179786755667009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        7⤵
        
        PID:1900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:4668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14621915382194139006,12972315495326315250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14621915382194139006,12972315495326315250,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,14228093413542533412,12817236161872148496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:4340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:3564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:5980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:6016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:6480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:6592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:7016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
        7⤵
        
        PID:7048
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2eY4396.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2eY4396.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6328
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 548
        7⤵
        Program crash
        
        PID:6852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7My72nk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7My72nk.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:5280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8sT689HF.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8sT689HF.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9EE3QR1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9EE3QR1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6912 -ip 6912
1⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\BB9A.exe
C:\Users\Admin\AppData\Local\Temp\BB9A.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1c8e46f8,0x7ffe1c8e4708,0x7ffe1c8e4718
    3⤵
    PID:6228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:2024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
    3⤵
    PID:7288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:6628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:6604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:7060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
    3⤵
    PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:7856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
    3⤵
    PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1539667073351531881,170814473985086044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
    3⤵
    PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\47C.exe
C:\Users\Admin\AppData\Local\Temp\47C.exe
1⤵
- Executes dropped EXE
PID:7696
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:7864
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:5744
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:8140
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:5164
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:4204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7108
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:2788

C:\Users\Admin\AppData\Local\Temp\884.exe
C:\Users\Admin\AppData\Local\Temp\884.exe
1⤵
- Executes dropped EXE
PID:7792
- C:\Users\Admin\AppData\Local\Temp\884.exe
  C:\Users\Admin\AppData\Local\Temp\884.exe
  2⤵
  PID:6224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\ACC4.exe
C:\Users\Admin\AppData\Local\Temp\ACC4.exe
1⤵
PID:3288
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:7536

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6148
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7692
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5512
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:7444
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4136
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:8180

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7716
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:1484
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5400
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5752
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:5768

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7932

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:7772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25189300c19c8d07d07f0ec5b9ac8df0

SHA1
8c38360db6ac069df9f203b225348ac699f020b7

SHA256
80664f48abed2305dc6c625d5faabd9c6cfb91a495b3978799e29f6c686a85f6

SHA512
8ba104d264ba9f10b6c60a2a51e0fb6ded1555acca091d16899f49da1635d4372ff5c8813dc02abb0732dce6c0d529708938abd54e2fcf24cd04fb9f7301f862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd57206d74e68e1f70796d0fda0bf24a

SHA1
dbdcb840eae95928031d3e99994d2cdf651ec85b

SHA256
8af9526122c3e5f3d3840c5442672e5c2240c09ed4b01d7252e931c770fbe196

SHA512
1d2b643233f4ec20715020c18fb795eb2648125462e0bfe557c991a0e0048d71c85570e37f45a20c38bc88f1f4141c6e24b1da904af08eb3ec8d21305ad5583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8e7c0daa78dcd7b64e59e2f69cd09610

SHA1
55cdab5aac1f262584c388bdb2b3937183759885

SHA256
6f455ac5a89f7b0134670df01ebb7a2b94e73272802577b73b2319449b34e9ab

SHA512
4fa7c6f8718d1fad5bc18e0b34a8fa3ce38355ec133da3944c07243e34a48fe471779d5e2f86fa74a2a9c1f71a3ad51c4992e4a43e02a45f25f8777ec52c96ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c188c53e448e2d2fc8a48f3d2316f00a

SHA1
f09ff34afef78fa360aa3f8b4f860c032581c92b

SHA256
c635d70ecfcda8e4f5acd276006801c7d4fcb996042f4215f89fda35985cb10c

SHA512
6f60fcb3c3e859bf9e4e816c2a197f5a99fdc53d3e156445355ac63eb40975b17c82d5427162e1c311bc92885a82e139576d833970d3a315c8c7809010f4b51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1272c3112250da86430164a5d92dc22b

SHA1
0d5c4286aeffe1b871d1c3c39801464bcaafbd39

SHA256
cc613c4cc5aecfe4236ea00cdb37ea8247e49ff400069e70f7eb4339dbe105ef

SHA512
9059ebdffbe9b9ecfe48a8274e3bc0382eba1ed8c111ce1eaf0c44a4e3f2c33fdf5c1560b6e49ae2e9395317f99ca2d21a9f2681bac8014f9e344fd737936ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c4ff23eda5bd3c409ece8474872e6eeb

SHA1
2b06da0b8ddf156efe044f60339b02cd29a2ad15

SHA256
c60aa20112961d1090631b40a28ec80ecac4279bcd1969d0d13f32019344a568

SHA512
9a99a0bd452c0b4356582c7d55042a0a43fb7a6a62460fa3e6cd60d3757af1cb63a6ae2085318ce871df89c35197bf4cf03a8d1b97d2ed837e3af447a9021824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7367f0ef0dda3ef9b22c4e88161c30e9

SHA1
0e2a03fe7420e51175cb07bc888baf309af9ddc3

SHA256
c536c771e868ab8c2059575414504f82f2103a4e6dece26e89c2b375bedfef46

SHA512
03367be102f8d275899b8a3c24d922e90568da5074db57753e0e07bc6591eed327367fd9a89c98f88cb5f57ff52bcfa0a322efa042b3d1be265eae3340673284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b6d920af3ae9d1b68a303afab3567b8

SHA1
c88a111268b6c4752e472dbc69e12b7541ca8b80

SHA256
5fb7eff8762e7b40ebb916d8ee07cc7a5d2ee56154ab984eb88315bb0c5fc16b

SHA512
88dc2e7325bd9d69c105fb0cb1f074ce9176bf6fe09a75d7cf9d241968bfb00c6a1a42a3d397d7b6097688d941abae56492a50aae75a88e475d13998254abbc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a631fdfac91ee583fc3975b139a02d0

SHA1
8dc85d3753d870a6be992a125c069a934ffecbc9

SHA256
959aa7520c51fa95e0157a3c6adfc5636fadecc553e755c8e741527c66653b0e

SHA512
1ffb7f6f2cb678600f8e400de738ac5189d9afe0c279dc66896138f0f9734147acee247b6c96e4c77f77aca43cb545d3c334ee9a8f2d260492c92168f2d55c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589333.TMP

Filesize
1KB

MD5
ce790661634743b78b96e401043ebf9a

SHA1
294a7fa01cf4d8c3f3bb9961d4c0ca19ddae7ad8

SHA256
c8db9e8cbb992bb1f2ca6a198e2777a69a036485e1bb60f5ce316b1481762d61

SHA512
ed4efccb3701e6e23693c38e7348aa194e77cdd427febb71a39de70a458b5180d156186e83d5635bf5af4e8b57107c73849ed985a0cb656f881125fd285aabd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e2f5bfb188452b7aee0464359f68775

SHA1
a59729afa885c8d615660568c398500846d0cbc1

SHA256
ccf0d7b11835412ac3d00ab26acb331e466779468e818d987ee22c1ad565e175

SHA512
b2fab78839b8eda2e42e3c4df798b88f2f4697d48bdffeddf178cbb6edeedc1a052d02b836fcda4b62f62bfa07ffa36b56a8b1043a74a1265205e115151b2c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
da6854d6d44ebc74ff90b9e95a43a8bb

SHA1
c1581e997d228cfd1d54f12e98de6dec3074f04d

SHA256
bf0586dbbfe271fba96cbede185c694ecfd59508d66c7c911e45eb140f266f88

SHA512
9e9c7a8aab5cb34f1b1c7610701a3853ba6a0853a91b85c7652c097068c3df23cb17a44e9373e4c4030a19699f351620a32e361d68336eb8998f206cebee0e2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cef5b0427a00e268ca20c62fd61acad1

SHA1
5f037f0963b48dfddd2b71426779fa88784f8da1

SHA256
83fbc36cb75384048d12af5a5e5668820c13bb9d07b730c97d573d9309ac80b7

SHA512
9c13b51fedf90ee6a96ca1b2420a9411a2d0a03ef71d81f38453625ec518f172b11f1ade80a8d5b6c6dd2f37d53551fee0dc3f738a41649d87f9b5b36bce4bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cef5b0427a00e268ca20c62fd61acad1

SHA1
5f037f0963b48dfddd2b71426779fa88784f8da1

SHA256
83fbc36cb75384048d12af5a5e5668820c13bb9d07b730c97d573d9309ac80b7

SHA512
9c13b51fedf90ee6a96ca1b2420a9411a2d0a03ef71d81f38453625ec518f172b11f1ade80a8d5b6c6dd2f37d53551fee0dc3f738a41649d87f9b5b36bce4bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
59fa2a60b92465d1db3d05672d6b1c2f

SHA1
9893a911fe93192007f9c25268333a504d433d55

SHA256
910ac2aefa18cdd70c69870c9aac92feb92385d4785affb0fde6a0b0e8ba4678

SHA512
baf8f5e5f2bb83d3655309ffe1755937c558a274854d93e543bb15cd2699a986f27eb2c36fbaf00c944ba5e01f2fb479e1d75cde44be64132ec0ffcfce9171a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
59fa2a60b92465d1db3d05672d6b1c2f

SHA1
9893a911fe93192007f9c25268333a504d433d55

SHA256
910ac2aefa18cdd70c69870c9aac92feb92385d4785affb0fde6a0b0e8ba4678

SHA512
baf8f5e5f2bb83d3655309ffe1755937c558a274854d93e543bb15cd2699a986f27eb2c36fbaf00c944ba5e01f2fb479e1d75cde44be64132ec0ffcfce9171a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9536b79cc42e80c3b7e2618edf8984ee

SHA1
3a7ddd9328afdf8237b9e6d22f9c947d0078dc5c

SHA256
7b943e4d2a7bca4313526c715e2dd22931d73b1d964362157dbe6c1308be281d

SHA512
c34295d55e710f8e1d21db213b4d6de58e4786b7bba3c1cdf680510be9f9d2ef14053888560ae290e298ed77be9656fad3b2725016b4423d276d0aeb92cc885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6086a52cc0d58501a56e008e5cd97f1

SHA1
14c28d2bc4059818a26c1cae106183462f86be96

SHA256
56017543db961fbdbe1e527b1f8a7843fd9785c068092062709622f44baf57e3

SHA512
770bdc11418f1c892ad2fdd79031f1ee2e6b03c31a5bfe69053cdb6cc4290ed10155008fb9a93b84105db4620cd018b62d87c30eab3dda689f201a1b8cc61ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
60bdcdacdc1e18ece44c5be7babea402

SHA1
4aaca2795fa11f7ed0b94cbb2aaf90a902820b3c

SHA256
fdc0935e9f5d8c57c71aa80a90b29f109b09b4315f6ae551d15266e1b09926b2

SHA512
22de7e34dd430de8c58b618aa025edb0be1cae499600635bfb5b4519f44e10b321c51d0d2cb358147896492381e89a6ba628a2d922bc6967cdc41e480bfbf7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
60bdcdacdc1e18ece44c5be7babea402

SHA1
4aaca2795fa11f7ed0b94cbb2aaf90a902820b3c

SHA256
fdc0935e9f5d8c57c71aa80a90b29f109b09b4315f6ae551d15266e1b09926b2

SHA512
22de7e34dd430de8c58b618aa025edb0be1cae499600635bfb5b4519f44e10b321c51d0d2cb358147896492381e89a6ba628a2d922bc6967cdc41e480bfbf7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
60bdcdacdc1e18ece44c5be7babea402

SHA1
4aaca2795fa11f7ed0b94cbb2aaf90a902820b3c

SHA256
fdc0935e9f5d8c57c71aa80a90b29f109b09b4315f6ae551d15266e1b09926b2

SHA512
22de7e34dd430de8c58b618aa025edb0be1cae499600635bfb5b4519f44e10b321c51d0d2cb358147896492381e89a6ba628a2d922bc6967cdc41e480bfbf7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
59fa2a60b92465d1db3d05672d6b1c2f

SHA1
9893a911fe93192007f9c25268333a504d433d55

SHA256
910ac2aefa18cdd70c69870c9aac92feb92385d4785affb0fde6a0b0e8ba4678

SHA512
baf8f5e5f2bb83d3655309ffe1755937c558a274854d93e543bb15cd2699a986f27eb2c36fbaf00c944ba5e01f2fb479e1d75cde44be64132ec0ffcfce9171a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9536b79cc42e80c3b7e2618edf8984ee

SHA1
3a7ddd9328afdf8237b9e6d22f9c947d0078dc5c

SHA256
7b943e4d2a7bca4313526c715e2dd22931d73b1d964362157dbe6c1308be281d

SHA512
c34295d55e710f8e1d21db213b4d6de58e4786b7bba3c1cdf680510be9f9d2ef14053888560ae290e298ed77be9656fad3b2725016b4423d276d0aeb92cc885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9536b79cc42e80c3b7e2618edf8984ee

SHA1
3a7ddd9328afdf8237b9e6d22f9c947d0078dc5c

SHA256
7b943e4d2a7bca4313526c715e2dd22931d73b1d964362157dbe6c1308be281d

SHA512
c34295d55e710f8e1d21db213b4d6de58e4786b7bba3c1cdf680510be9f9d2ef14053888560ae290e298ed77be9656fad3b2725016b4423d276d0aeb92cc885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
cef5b0427a00e268ca20c62fd61acad1

SHA1
5f037f0963b48dfddd2b71426779fa88784f8da1

SHA256
83fbc36cb75384048d12af5a5e5668820c13bb9d07b730c97d573d9309ac80b7

SHA512
9c13b51fedf90ee6a96ca1b2420a9411a2d0a03ef71d81f38453625ec518f172b11f1ade80a8d5b6c6dd2f37d53551fee0dc3f738a41649d87f9b5b36bce4bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
c067b4583e122ce237ff22e9c2462f87

SHA1
8a4545391b205291f0c0ee90c504dc458732f4ed

SHA256
a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e

SHA512
0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD2LQ80.exe

Filesize
1003KB

MD5
ba40e4ffcb06c0f900b2ca4fe0318b6c

SHA1
99ca465c2c8579d750ca863514416a8c78fcb4af

SHA256
5334772944a2fe41433ac2dad31383168b09038d43fa24bd9f4e8067f713db8f

SHA512
534e192b0dea5cd0ba364b9d643ec0ef438d71460f7977258c628b76ae7f5c797e231cc238ca5bde463ff0e7662f754421d17e9de3e6a9b55726ae29d4af6496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD2LQ80.exe

Filesize
1003KB

MD5
ba40e4ffcb06c0f900b2ca4fe0318b6c

SHA1
99ca465c2c8579d750ca863514416a8c78fcb4af

SHA256
5334772944a2fe41433ac2dad31383168b09038d43fa24bd9f4e8067f713db8f

SHA512
534e192b0dea5cd0ba364b9d643ec0ef438d71460f7977258c628b76ae7f5c797e231cc238ca5bde463ff0e7662f754421d17e9de3e6a9b55726ae29d4af6496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8sT689HF.exe

Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ih4sd84.exe

Filesize
782KB

MD5
b9f8e077ee394680cc79d96ddd821890

SHA1
2229da3a2b888fa2cda2463c9f63b97443d99cab

SHA256
964e80d6ac91f571eb7ab1cf46ba8049f5950f8fabbfb5ed9c319b3414019491

SHA512
34501a516828435647a4dabe05665d547136b5eba28959076146005f5d32b748076ed220678cba4a2d41e96dc06047e281da0ac2e2f0351bb76a52760d197bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ih4sd84.exe

Filesize
782KB

MD5
b9f8e077ee394680cc79d96ddd821890

SHA1
2229da3a2b888fa2cda2463c9f63b97443d99cab

SHA256
964e80d6ac91f571eb7ab1cf46ba8049f5950f8fabbfb5ed9c319b3414019491

SHA512
34501a516828435647a4dabe05665d547136b5eba28959076146005f5d32b748076ed220678cba4a2d41e96dc06047e281da0ac2e2f0351bb76a52760d197bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7My72nk.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7My72nk.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HG4OZ12.exe

Filesize
656KB

MD5
31ea9b9b0c39803ee73cba2db1784d84

SHA1
a1170c46a448329a0022b17d0df8f0809fa4ccb0

SHA256
1072253a8c4596107625e3d5f689e39d5c3c3d6b7943a6dd1bbc5718c4d8cb68

SHA512
9e64d824db052f58bea5ed2d6dcf04cf28468d714e842338fddda1687a75693288e68209fa4443d0c5825e2bceae3f39a87c5ddea769361c6b18370284cd9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HG4OZ12.exe

Filesize
656KB

MD5
31ea9b9b0c39803ee73cba2db1784d84

SHA1
a1170c46a448329a0022b17d0df8f0809fa4ccb0

SHA256
1072253a8c4596107625e3d5f689e39d5c3c3d6b7943a6dd1bbc5718c4d8cb68

SHA512
9e64d824db052f58bea5ed2d6dcf04cf28468d714e842338fddda1687a75693288e68209fa4443d0c5825e2bceae3f39a87c5ddea769361c6b18370284cd9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW31rv9.exe

Filesize
895KB

MD5
ab83daf58f2e04dd51a019da6d634db3

SHA1
a961dc67503b7e5662a9c9d0f08ad59f665a31f4

SHA256
e16b03c1afa0e26d4e186f2f4946b45af202307d3ad26e4daa7d5192ce2e90a7

SHA512
0b3fe6b87a915b1f5d1fd9ea8fdfb9234cb3272ac9c19a7ecc1acb33a4908b130a7d114897ab89da2460686c4f39fe3c42a7cb31d899551313b7a541cd776224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW31rv9.exe

Filesize
895KB

MD5
ab83daf58f2e04dd51a019da6d634db3

SHA1
a961dc67503b7e5662a9c9d0f08ad59f665a31f4

SHA256
e16b03c1afa0e26d4e186f2f4946b45af202307d3ad26e4daa7d5192ce2e90a7

SHA512
0b3fe6b87a915b1f5d1fd9ea8fdfb9234cb3272ac9c19a7ecc1acb33a4908b130a7d114897ab89da2460686c4f39fe3c42a7cb31d899551313b7a541cd776224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2eY4396.exe

Filesize
276KB

MD5
c6e1cbf4c69ab7d8440685e1d847721f

SHA1
dac541efad2b6350640f6b0e5c633ee195a18aef

SHA256
197df032066100c7ec18f878edf321c39a5d048519a8e02944544529d3dcd379

SHA512
89cace6d18012803012333a3d01812013d6eab0db953ac4960079f416f48e19a61a4cd66d14fafb9af98cca0ba9d24a6988929f2c90ec5f6e51ee5941e34ac90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2eY4396.exe

Filesize
276KB

MD5
c6e1cbf4c69ab7d8440685e1d847721f

SHA1
dac541efad2b6350640f6b0e5c633ee195a18aef

SHA256
197df032066100c7ec18f878edf321c39a5d048519a8e02944544529d3dcd379

SHA512
89cace6d18012803012333a3d01812013d6eab0db953ac4960079f416f48e19a61a4cd66d14fafb9af98cca0ba9d24a6988929f2c90ec5f6e51ee5941e34ac90

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
bc3354a4cd405a2f2f98e8b343a7d08d

SHA1
4880d2a987354a3163461fddd2422e905976c5b2

SHA256
fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b

SHA512
fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rasmx5j0.bqg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
264KB

MD5
dcbd05276d11111f2dd2a7edf52e3386

SHA1
f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec

SHA256
cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4

SHA512
5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846

Download Submit
memory/2120-1398-0x0000028737CA0000-0x0000028737CB0000-memory.dmp

Filesize
64KB

Download
memory/2120-1400-0x0000028737CA0000-0x0000028737CB0000-memory.dmp

Filesize
64KB

Download
memory/2120-1396-0x00007FFE19E00000-0x00007FFE1A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-1407-0x0000028737CB0000-0x0000028737CD2000-memory.dmp

Filesize
136KB

Download
memory/2420-1443-0x0000000002B30000-0x0000000002F2C000-memory.dmp

Filesize
4.0MB

Download
memory/2420-736-0x0000000002F30000-0x000000000381B000-memory.dmp

Filesize
8.9MB

Download
memory/2420-741-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2420-733-0x0000000002B30000-0x0000000002F2C000-memory.dmp

Filesize
4.0MB

Download
memory/3292-267-0x0000000002A80000-0x0000000002A96000-memory.dmp

Filesize
88KB

Download
memory/3880-479-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3880-486-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/3880-313-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/3880-327-0x00000000087D0000-0x0000000008DE8000-memory.dmp

Filesize
6.1MB

Download
memory/3880-350-0x0000000007B00000-0x0000000007B4C000-memory.dmp

Filesize
304KB

Download
memory/3880-343-0x0000000007980000-0x00000000079BC000-memory.dmp

Filesize
240KB

Download
memory/3880-332-0x00000000079F0000-0x0000000007AFA000-memory.dmp

Filesize
1.0MB

Download
memory/3880-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-339-0x0000000007920000-0x0000000007932000-memory.dmp

Filesize
72KB

Download
memory/3880-305-0x00000000076C0000-0x00000000076D0000-memory.dmp

Filesize
64KB

Download
memory/3880-281-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3880-283-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/3880-282-0x0000000007C00000-0x00000000081A4000-memory.dmp

Filesize
5.6MB

Download
memory/5164-892-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5164-715-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5280-269-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5280-220-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5744-1309-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5744-612-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5968-1341-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/5968-1307-0x0000000002C50000-0x0000000002C86000-memory.dmp

Filesize
216KB

Download
memory/5968-1306-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/5968-1308-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/5968-1311-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/5968-1317-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/5968-1330-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/5968-1418-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/5968-1356-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/6224-637-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-667-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-624-0x000002BE45E30000-0x000002BE45F14000-memory.dmp

Filesize
912KB

Download
memory/6224-625-0x00007FFE19E00000-0x00007FFE1A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/6224-627-0x000002BE44660000-0x000002BE44670000-memory.dmp

Filesize
64KB

Download
memory/6224-1318-0x000002BE44660000-0x000002BE44670000-memory.dmp

Filesize
64KB

Download
memory/6224-1315-0x00007FFE19E00000-0x00007FFE1A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/6224-675-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-673-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-671-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-628-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-629-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-631-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-633-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-635-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-622-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/6224-665-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-663-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-639-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-641-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-643-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-645-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-647-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-649-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-652-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-654-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-656-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-658-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6224-661-0x000002BE45E30000-0x000002BE45F11000-memory.dmp

Filesize
900KB

Download
memory/6912-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6912-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6912-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6912-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6960-326-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6960-324-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6960-323-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6960-320-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/7696-557-0x0000000000700000-0x000000000139A000-memory.dmp

Filesize
12.6MB

Download
memory/7696-556-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7696-611-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7792-565-0x0000026890390000-0x000002689047E000-memory.dmp

Filesize
952KB

Download
memory/7792-590-0x00000268AADB0000-0x00000268AADFC000-memory.dmp

Filesize
304KB

Download
memory/7792-569-0x00007FFE19E00000-0x00007FFE1A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/7792-585-0x00000268AACE0000-0x00000268AADA8000-memory.dmp

Filesize
800KB

Download
memory/7792-584-0x00000268AAB10000-0x00000268AABD8000-memory.dmp

Filesize
800KB

Download
memory/7792-574-0x00000268AAA30000-0x00000268AAB10000-memory.dmp

Filesize
896KB

Download
memory/7792-573-0x00000268AA8E0000-0x00000268AA9C0000-memory.dmp

Filesize
896KB

Download
memory/7792-626-0x00007FFE19E00000-0x00007FFE1A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/7792-570-0x0000026890820000-0x0000026890830000-memory.dmp

Filesize
64KB

Download
memory/8120-474-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/8120-480-0x00000000076A0000-0x00000000076B0000-memory.dmp

Filesize
64KB

Download
memory/8120-478-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/8120-473-0x00000000005A0000-0x00000000005FA000-memory.dmp

Filesize
360KB

Download
memory/8120-481-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/8120-482-0x00000000089D0000-0x0000000008A46000-memory.dmp

Filesize
472KB

Download
memory/8120-485-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/8120-510-0x00000000044A0000-0x00000000044F0000-memory.dmp

Filesize
320KB

Download
memory/8120-520-0x0000000006A90000-0x0000000006C52000-memory.dmp

Filesize
1.8MB

Download
memory/8120-521-0x0000000008B90000-0x00000000090BC000-memory.dmp

Filesize
5.2MB

Download
memory/8120-550-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/8140-713-0x00000000022D0000-0x00000000022D9000-memory.dmp

Filesize
36KB

Download
memory/8140-712-0x0000000000901000-0x0000000000914000-memory.dmp

Filesize
76KB

Download