glupteba | 604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6

Analysis

max time kernel
7s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe
Size

1.4MB
MD5

55816a7763d094b31acb49042117a11d
SHA1

ae380a2f1bd1dea1ed7ee3c194707bebbacdad81
SHA256

604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6
SHA512

0e3acb34971182e923371d8bf903a45a3cc6670ca4bf5af7e67e419f1180ae094c028cae9abae079bbac4648dc2319947e1f63f6e26843b70c9afc9fbdedbdca
SSDEEP

24576:lyahlyaBM6ThQSOqVeAIsgwHGHl/D/bRjcv6gaHNj9M/MIPpzzmd+wMsuz/6WItj:AelyaqK5OueHPmGpfRjcvsIlzmsslt

Score

10^/10

glupteba mystic redline smokeloader stealc zgrat taiga up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6528-232-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6528-235-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6528-233-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6528-238-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 16 IoCs

resource	yara_rule
behavioral1/memory/5836-800-0x000001D91C2E0000-0x000001D91C3C4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-805-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-807-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-804-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-809-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-811-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-813-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-828-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-824-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-832-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-836-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-841-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-845-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-850-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-854-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5836-858-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/4816-927-0x0000000002DB0000-0x000000000369B000-memory.dmp	family_glupteba
behavioral1/memory/4816-936-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/4400-315-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/5768-669-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/5768-670-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
6464	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 4 IoCs

pid	Process
3016	iP8UN81.exe
2532	KU0KQ14.exe
620	AS0Zs67.exe
2016	1fW28AM0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iP8UN81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KU0KQ14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AS0Zs67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022d87-26.dat	autoit_exe
behavioral1/files/0x0007000000022d87-27.dat	autoit_exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5640	sc.exe
5008	sc.exe
3848	sc.exe
1684	sc.exe
3088	sc.exe
6132	sc.exe
5896	sc.exe
5572	sc.exe
5712	sc.exe
6320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6728	6528	WerFault.exe	140
3776	7096	WerFault.exe	226

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5156	schtasks.exe
6968	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1832	msedge.exe
1832	msedge.exe
3424	msedge.exe
3424	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
2016	1fW28AM0.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
2016	1fW28AM0.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
2016	1fW28AM0.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 3016	912	604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe	84
PID 912 wrote to memory of 3016	912	604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe	84
PID 912 wrote to memory of 3016	912	604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe	84
PID 3016 wrote to memory of 2532	3016	iP8UN81.exe	86
PID 3016 wrote to memory of 2532	3016	iP8UN81.exe	86
PID 3016 wrote to memory of 2532	3016	iP8UN81.exe	86
PID 2532 wrote to memory of 620	2532	KU0KQ14.exe	87
PID 2532 wrote to memory of 620	2532	KU0KQ14.exe	87
PID 2532 wrote to memory of 620	2532	KU0KQ14.exe	87
PID 620 wrote to memory of 2016	620	AS0Zs67.exe	88
PID 620 wrote to memory of 2016	620	AS0Zs67.exe	88
PID 620 wrote to memory of 2016	620	AS0Zs67.exe	88
PID 2016 wrote to memory of 4536	2016	1fW28AM0.exe	91
PID 2016 wrote to memory of 4536	2016	1fW28AM0.exe	91
PID 2016 wrote to memory of 3508	2016	1fW28AM0.exe	93
PID 2016 wrote to memory of 3508	2016	1fW28AM0.exe	93
PID 2016 wrote to memory of 4368	2016	1fW28AM0.exe	94
PID 2016 wrote to memory of 4368	2016	1fW28AM0.exe	94
PID 3508 wrote to memory of 3912	3508	msedge.exe	97
PID 3508 wrote to memory of 3912	3508	msedge.exe	97
PID 4536 wrote to memory of 4728	4536	msedge.exe	95
PID 4536 wrote to memory of 4728	4536	msedge.exe	95
PID 4368 wrote to memory of 676	4368	msedge.exe	96
PID 4368 wrote to memory of 676	4368	msedge.exe	96
PID 2016 wrote to memory of 4052	2016	1fW28AM0.exe	98
PID 2016 wrote to memory of 4052	2016	1fW28AM0.exe	98
PID 4052 wrote to memory of 1756	4052	msedge.exe	99
PID 4052 wrote to memory of 1756	4052	msedge.exe	99
PID 2016 wrote to memory of 4528	2016	1fW28AM0.exe	100
PID 2016 wrote to memory of 4528	2016	1fW28AM0.exe	100
PID 4528 wrote to memory of 2804	4528	msedge.exe	101
PID 4528 wrote to memory of 2804	4528	msedge.exe	101
PID 2016 wrote to memory of 2284	2016	1fW28AM0.exe	104
PID 2016 wrote to memory of 2284	2016	1fW28AM0.exe	104
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103
PID 4536 wrote to memory of 4592	4536	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe
"C:\Users\Admin\AppData\Local\Temp\604d74771e04b36b54d5dba085da04a6a45f9c0138618576edc5a063ba5a36f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP8UN81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP8UN81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU0KQ14.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU0KQ14.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS0Zs67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS0Zs67.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW28AM0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW28AM0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x15c,0x174,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:4728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2794455338582787380,2658624736426355115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2794455338582787380,2658624736426355115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        7⤵
        
        PID:4592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
        7⤵
        
        PID:3812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
        7⤵
        
        PID:4148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        7⤵
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        7⤵
        
        PID:872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        7⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        7⤵
        
        PID:5444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
        7⤵
        
        PID:5680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
        7⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
        7⤵
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
        7⤵
        
        PID:3128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
        7⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
        7⤵
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
        7⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
        7⤵
        
        PID:6276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
        7⤵
        
        PID:6244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
        7⤵
        
        PID:7028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        7⤵
        
        PID:7036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        8⤵
        
        PID:6872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
        7⤵
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
        7⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
        7⤵
        
        PID:4896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
        7⤵
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4990552858041724049,12632203510689914209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
        7⤵
        
        PID:4428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3314807126649962512,16940114594972467473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3314807126649962512,16940114594972467473,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        7⤵
        
        PID:1576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:1756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1265723875836818988,14879735548015390522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        7⤵
        
        PID:5508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:2804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,15551337145787140106,16661026425509797753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        7⤵
        
        PID:5916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        
        PID:2284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:5136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:5228
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:5480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:5520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb8d6846f8,0x7ffb8d684708,0x7ffb8d684718
        7⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ce1751.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ce1751.exe
        5⤵
        
        PID:6264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 540
        7⤵
        Program crash
        
        PID:6728
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7GI39hG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7GI39hG.exe
      4⤵
      PID:6632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8FB960XA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8FB960XA.exe
    3⤵
    PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:6976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4400
  - - C:\Windows\System32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5712
  - - C:\Windows\System32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:3848
  - - C:\Windows\System32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:6320
  - - C:\Windows\System32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1684
  - - C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9dM6LS9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9dM6LS9.exe
  2⤵
  PID:6656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6528 -ip 6528
1⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\AF56.exe
C:\Users\Admin\AppData\Local\Temp\AF56.exe
1⤵
PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:7036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
    3⤵
    PID:3196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    3⤵
    PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
    3⤵
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
    3⤵
    PID:5748
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,12149436417904864154,5916912930373511573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
    3⤵
    PID:5968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\DDAA.exe
C:\Users\Admin\AppData\Local\Temp\DDAA.exe
1⤵
PID:3348
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:752
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:1004
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:3748
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:6464
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5880
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5344
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5896
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:5156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4648
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:6968
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2784
- C:\Users\Admin\AppData\Local\Temp\forc.exe
  "C:\Users\Admin\AppData\Local\Temp\forc.exe"
  2⤵
  PID:6728
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:3456

C:\Users\Admin\AppData\Local\Temp\E200.exe
C:\Users\Admin\AppData\Local\Temp\E200.exe
1⤵
PID:6516
- C:\Users\Admin\AppData\Local\Temp\E200.exe
  C:\Users\Admin\AppData\Local\Temp\E200.exe
  2⤵
  PID:5836

C:\Users\Admin\AppData\Local\Temp\5107.exe
C:\Users\Admin\AppData\Local\Temp\5107.exe
1⤵
PID:2168
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:6320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5972

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6536
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5640
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6132
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5896
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5572
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5008

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4920
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5984
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1636
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4440
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3032

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5104

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\B8AC.exe
C:\Users\Admin\AppData\Local\Temp\B8AC.exe
1⤵
PID:5980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:5564

C:\Users\Admin\AppData\Local\Temp\BB9B.exe
C:\Users\Admin\AppData\Local\Temp\BB9B.exe
1⤵
PID:7096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 784
  2⤵
  - Program crash
  PID:3776

C:\Users\Admin\AppData\Local\Temp\BCF3.exe
C:\Users\Admin\AppData\Local\Temp\BCF3.exe
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7096 -ip 7096
1⤵
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3416

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:6788

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:2276

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:5660

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:5648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6452

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4680

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2140

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:2400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8992ae6e99b277eea6fb99c4f267fa3f

SHA1
3715825c48f594068638351242fac7fdd77c1eb7

SHA256
525038333c02dff407d589fa407b493b7962543e205c587feceefbc870a08e3d

SHA512
a1f44fff4ea76358c7f2a909520527ec0bbc3ddcb722c5d1f874e03a0c4ac42dac386a49ccf72807ef2fa6ccc534490ad90de2f699b1e49f06f79157f251ab25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5f595566f83e288991a95ff3747e1d7

SHA1
f3f4069819da237eea7e05a9caefb51d2a2df896

SHA256
50cecc4be2308132639e09216843eacc34bcde5d2cc88716a4355e3b3af643fe

SHA512
57f7ebeb715fa7205b463efa7844b1c58b0ccc681655970bd88aa5296dcc4579bb1edc8ee93dcb049275756c9e99469eee42498f84ced4996dc575b8a74ea003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c356792d25953a353537ff99d8ff763

SHA1
795b5dca39e4408f832dfcd6142e2b8c3242686b

SHA256
aa4c2fc1c9e566ebec324eac5a10c22f8e186be43d34e78d18ddffd664647f02

SHA512
0b9529ed29de80d3e8f195370bc44ae691151fb8e25a821327809533523f09ca4c54a508eddd873430b64f688938287f70f3c8b9297038edaba9f2db94a7ecbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6276613a51dae3b747451bc05e24edfa

SHA1
96ff591013fc8d378a9b37ea580d8ec6e98bbde5

SHA256
d17c0519716f5fa61ccf7289220c5e8917a36fbb29e48a86bb1122c9e3fcafb0

SHA512
dc84cd5df4867849039ecea2c98b1aeb435399b9503b1384159b2d08fe180b9f3daadc98f55c6ab28faa1e66dea8abfa4e702232a7027d933b0eca91fcf6b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
73KB

MD5
d439aa40127eb4c49c97bd689cf1d222

SHA1
420b5ea10d3dc13070c9a1022160aaac4f28a352

SHA256
f38b31ffce521cb614481e3bd6ca9b130e862663ac7134ee30dfe121ec2b6091

SHA512
172c61e97d8bf3dd5b8cdb59b102c0e6e660864da859e5db451fa9820b39c4f118ee5f54fb18e60c0022eaf7570522cb18303e2a759e9143af4b14bb50a94958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
526ff8b332812049431e0a90235f0741

SHA1
e8473436d99f01639e4db36e99e3f26c11c4385c

SHA256
9b23eaf018f1022de005a1226be97cdc11d3bd9fd7b0b6c8804c357165998c62

SHA512
cefc4d0dddc9b6a8484b11390d5f411be4aea31c115c3f5f9023d53ca3beb26ba9a556c15612eef7dfb3abe66df28ee9f66e109e3346ab341bdf7e1772ebbfba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9f07c8eaa799f3425362b379c262cfce

SHA1
a367680014fc57e9e577d4fb2994f544b721d499

SHA256
d33909af51936b9edd4bd7d12e18a21f6be68850f71bd8846ff20e6427c735ab

SHA512
2d9fdca117434f34aa75af5b9595cf3e7a892c96237df45fe8677efea44a12c2a47a606a690dc5ffcdcbb5191c6e011ccf6fd58b6725e83409318cf2e27e101e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1b8e4406ba55d92638ec50fa96ec925

SHA1
6239bd0cf6b228c1d3200707b2f07498bb596fe5

SHA256
c8029808672104702060a8d8f45f4fa7b906d7465cff598aa70864c6618c197f

SHA512
a244a6d5ae0b6f8181deed4375df37d012ffaee6aec13349dc19f5571edd447660092aaa6aa9a1cbc3c12f79b7e6b8c7cb7b51452ca9bad7a8174aaef1fe3f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
399774cc38ddef8a6d159e01e11f47b4

SHA1
16961ebccad2c4938dd2f99f3fdc593480e4298c

SHA256
e1d1a0538e30c3aa5141f09c84e38d54c788c761cfb84b5d63d3109452cd3971

SHA512
c347a46333246d5937994d1549195282ab13fa1ef74e7a60518657f50936d6cd9ee8596c85d51824272270f65b3764a27d33200b1230ad258befb1f2bcfd3276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5da83987c923a3e623e7e38c91f35e7d

SHA1
e2a812de3037225076008932ace00507e6618aa4

SHA256
8336eca0793eb18f7cf4c525f5b57c696af5f16a87a53151876d6620de62228c

SHA512
eed3f66a5653d51dc8a51108afa065fad1296deb23ae6f72acb727088409c746a1efa5023028eb8b0dc7748796eca9773869c388f74e0e864484729e0c4187e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f1881400134252667af6731236741098

SHA1
6fbc4f34542d449afdb74c9cfd4a6d20e6cdc458

SHA256
d6fcec1880d69aaa0229f515403c1a5ac82787f442c37f1c0c96c82ec6c15b75

SHA512
18b9ac92c396a01b6662a4a8a21b995d456716b70144a136fced761fd0a84c99e8bd0afb9585625809b87332da75727b82a07b151560ea253a3b8c241b799450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bc5e67496fabc426fa81e73c59bcda09

SHA1
e22497e56e2e26881b8f06ba52be2bdd790480cf

SHA256
86916bdfeac7a2b2140df78c6c9ea0903295be8b2ddf36e29a620a2e30c02165

SHA512
c63b6d458a18462e337118cbd99dde523001c9ab6ada73e17697ed3a82f4204d14e0579f18065f1b7439adc19680d876dab8d1bacaf5e5ad2e076894c8c75db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e204fefad0f778e4a9a71716d09dd4be

SHA1
9745051e09fccef06447b514fb268a5a4414c2f0

SHA256
780e3eb5e9a2c8acbef314b43059494193112a5da2e6ae23951f6b0a415b00f2

SHA512
427582b7b70c27a866a5a57f79324e45832386e4ac49842abccb38bf1c93f676e8153fef05934084aa4f1eb817541ea4dd3ded674fc721ef5cf79c7190887aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588f0c.TMP

Filesize
1KB

MD5
688fc7d2d380fcdeae641f582524387c

SHA1
e720f8f3f56e7dc88a718212997a0bbba7c3d911

SHA256
5d611d1bf2409ea2916fe53bdb4e2ca0ec6e9a8f2d425f649696ee5e3ec2d454

SHA512
0127dcb8f079974e8901482f49dbdc087c8fdfda339fc55ab0736e7252cac76cef3089c7c144e0c35f1af84d9ce13a7022c0fdaf4f0be07ca81a6171e77deceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d765df2a8ef24898932ac25907bf4741

SHA1
c8d88f329c75633cea85c5dd81e147563b86221e

SHA256
bfde6195a828769ed7c7b6096564e746957ddd7ee1a261c01fb7d9f3f8232dbc

SHA512
a44d5887b2b562d506928d7ce322b8cdba66e89ae549b6e2b5aedc03edb9ad2b12d785681e4898126a241b833c41bdd1748f695b3dad1962422ec2eb54bc4565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d765df2a8ef24898932ac25907bf4741

SHA1
c8d88f329c75633cea85c5dd81e147563b86221e

SHA256
bfde6195a828769ed7c7b6096564e746957ddd7ee1a261c01fb7d9f3f8232dbc

SHA512
a44d5887b2b562d506928d7ce322b8cdba66e89ae549b6e2b5aedc03edb9ad2b12d785681e4898126a241b833c41bdd1748f695b3dad1962422ec2eb54bc4565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
417f29b2d766a311cc063ce26bcceeb4

SHA1
12126573676321326ecf34246debb926e59ae145

SHA256
e924cd851835055f641502d2b11bc5a3586144c1a1d8e68ac8fa2427241c643c

SHA512
926bc5224a64b147bee8fb38c93fcc13756ee51d5bcab7d6b590f2124b56e3236e6e3f7e1b29d0527aae8cc06b6f2f57017f1d95182d5bdd52e6b47121eff7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
417f29b2d766a311cc063ce26bcceeb4

SHA1
12126573676321326ecf34246debb926e59ae145

SHA256
e924cd851835055f641502d2b11bc5a3586144c1a1d8e68ac8fa2427241c643c

SHA512
926bc5224a64b147bee8fb38c93fcc13756ee51d5bcab7d6b590f2124b56e3236e6e3f7e1b29d0527aae8cc06b6f2f57017f1d95182d5bdd52e6b47121eff7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a935bc7a00b77b873e7542e3fb32d746

SHA1
b73b788b8c7e9597d6cc88279ad38e46e1e4c713

SHA256
183225c841dbe7eede96c1bba5a321add56f750eee1d332bee035acdd4c4b89c

SHA512
71216ca00a600312ee0dc2b558eb9c62b062a7407df885215db9b9ea1f1d592c37a4cb2e804df46b5cf955272aeffb8a1399b15b4e1007f2fd003801820d1575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c1210e6aca47de558bee12bef14958f7

SHA1
35ffd5e777cde4037179e039911dee68cb604983

SHA256
5387f3e35e24da68099978f8a281889c5c6c39086b3ab9e6b14199b2113be886

SHA512
b611bb92134f8bb650859af1c9df78b03feb8245d1241c97f27d78511c11ce537c58aac163301f278e9166688bad06dcf2d7e0ab193933cd4f667ff59c971e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
d765df2a8ef24898932ac25907bf4741

SHA1
c8d88f329c75633cea85c5dd81e147563b86221e

SHA256
bfde6195a828769ed7c7b6096564e746957ddd7ee1a261c01fb7d9f3f8232dbc

SHA512
a44d5887b2b562d506928d7ce322b8cdba66e89ae549b6e2b5aedc03edb9ad2b12d785681e4898126a241b833c41bdd1748f695b3dad1962422ec2eb54bc4565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a935bc7a00b77b873e7542e3fb32d746

SHA1
b73b788b8c7e9597d6cc88279ad38e46e1e4c713

SHA256
183225c841dbe7eede96c1bba5a321add56f750eee1d332bee035acdd4c4b89c

SHA512
71216ca00a600312ee0dc2b558eb9c62b062a7407df885215db9b9ea1f1d592c37a4cb2e804df46b5cf955272aeffb8a1399b15b4e1007f2fd003801820d1575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
417f29b2d766a311cc063ce26bcceeb4

SHA1
12126573676321326ecf34246debb926e59ae145

SHA256
e924cd851835055f641502d2b11bc5a3586144c1a1d8e68ac8fa2427241c643c

SHA512
926bc5224a64b147bee8fb38c93fcc13756ee51d5bcab7d6b590f2124b56e3236e6e3f7e1b29d0527aae8cc06b6f2f57017f1d95182d5bdd52e6b47121eff7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c1210e6aca47de558bee12bef14958f7

SHA1
35ffd5e777cde4037179e039911dee68cb604983

SHA256
5387f3e35e24da68099978f8a281889c5c6c39086b3ab9e6b14199b2113be886

SHA512
b611bb92134f8bb650859af1c9df78b03feb8245d1241c97f27d78511c11ce537c58aac163301f278e9166688bad06dcf2d7e0ab193933cd4f667ff59c971e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c1210e6aca47de558bee12bef14958f7

SHA1
35ffd5e777cde4037179e039911dee68cb604983

SHA256
5387f3e35e24da68099978f8a281889c5c6c39086b3ab9e6b14199b2113be886

SHA512
b611bb92134f8bb650859af1c9df78b03feb8245d1241c97f27d78511c11ce537c58aac163301f278e9166688bad06dcf2d7e0ab193933cd4f667ff59c971e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9bc49e7b21f2dcc278a8204625dc9100

SHA1
f4434953958d31f5ed47ff0f9aa6c2b03ac4226f

SHA256
f792dd43f5569f254365357ad699ac566ab7f3fc77b5fa242f0a311a116649f7

SHA512
e9ce5c840ea9ac274ceb5be6c70d961c400ddcf3f27742078f9db95f02d09f4af323e0ef91e4a7aecaf3ab22f62f74fecd8a46aba97b9cea08fcefd233011990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14830583da36d1fc8e641897cc8467d1

SHA1
9195629f70c47d5a1dc67cf74abf1f79592ba113

SHA256
661d05e576f0e4fc3d43981d0e818ad9061140fb526339634ced24ca64044c0a

SHA512
bced42cb445f50c039dcb425e8f14b149f69f41664d1284567e77a9b2b99b9321bafa9a45ba8c7e75e03080f1a420a2ca2b46c4daf6a62a8cc100dfe5c220568

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
a98f00f0876312e7f85646d2e4fe9ded

SHA1
5d6650725d89fea37c88a0e41b2486834a8b7546

SHA256
787892fff0e39d65ccf86bb7f945be728287aaf80064b7acc84b9122e49d54e6

SHA512
f5ca9ec79d5639c06727dd106e494a39f12de150fbfbb0461d5679aed6a137b3781eedf51beaf02b61d183991d8bca4c08a045a83412525d1e28283856fa3802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9dM6LS9.exe

Filesize
624KB

MD5
995f3dec66f3ee5de35454476c2bebd1

SHA1
d67e2f62e70f04afb76829656aac3b1841e1fa02

SHA256
1917eaf7a23ea8b17eaca20fee755e71d3891f4de4dbd121aba6806b7bc2511a

SHA512
f3b0b1665369b18346d413fa53cbd2a419c5c73df09b4ab294f80a6df9830d0df6a1e65c46827fd71cde2746a743dc4f507fb36b9f0c36b7fae5f747ffcf7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP8UN81.exe

Filesize
1003KB

MD5
d250d09127b88e2c438b41e90253e4b8

SHA1
1eed45cbc089055445f62ad5eee590730011f7e0

SHA256
b68b7fdf30e01f1b6edca7afff37726b9882900486d5380b2ea48fe5c730f493

SHA512
7caa3933e4339fc4d60f24e506c9ccbc43d9541c91f86ae560896bc06954e13ee136d1db67af8add4561a5b400ebb469af129d61c9dc6878aea220b395f74b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP8UN81.exe

Filesize
1003KB

MD5
d250d09127b88e2c438b41e90253e4b8

SHA1
1eed45cbc089055445f62ad5eee590730011f7e0

SHA256
b68b7fdf30e01f1b6edca7afff37726b9882900486d5380b2ea48fe5c730f493

SHA512
7caa3933e4339fc4d60f24e506c9ccbc43d9541c91f86ae560896bc06954e13ee136d1db67af8add4561a5b400ebb469af129d61c9dc6878aea220b395f74b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8FB960XA.exe

Filesize
315KB

MD5
f2734fc20858e7e213a4ca9311cb43b8

SHA1
45ad3145163152fec7b2271acb2a24fb377f650b

SHA256
c9d3c6c828bdacc2cca0ffa4432e93f5194cd0c7d27ce2187586e8d6176262da

SHA512
c119f6790b0588d66db1150cc11d1da55a8058d5ea6a12c62a56129ceba3b564d06156af1baa2dcbf95694a3cd4e3be8972bc7ec3916529cdc38b1570cdb523e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8FB960XA.exe

Filesize
315KB

MD5
f2734fc20858e7e213a4ca9311cb43b8

SHA1
45ad3145163152fec7b2271acb2a24fb377f650b

SHA256
c9d3c6c828bdacc2cca0ffa4432e93f5194cd0c7d27ce2187586e8d6176262da

SHA512
c119f6790b0588d66db1150cc11d1da55a8058d5ea6a12c62a56129ceba3b564d06156af1baa2dcbf95694a3cd4e3be8972bc7ec3916529cdc38b1570cdb523e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU0KQ14.exe

Filesize
781KB

MD5
4ac15d2629c1a7f8f6b160331cd48266

SHA1
c8eb0a3965828d65a00dd21ab5083428e11b12a0

SHA256
9bd63eed48ad0e132c82d30dd0857c65e002ba4dc3818f380c6156f62ab45eed

SHA512
6aadb3d3c3faf939865ecd4a5d44200aa11eb50939bd78a96ca77aae0229474b2857230e744f770b1bb7c7c39fbaa7d9647fe58e5a21571dead2d5c7266208f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KU0KQ14.exe

Filesize
781KB

MD5
4ac15d2629c1a7f8f6b160331cd48266

SHA1
c8eb0a3965828d65a00dd21ab5083428e11b12a0

SHA256
9bd63eed48ad0e132c82d30dd0857c65e002ba4dc3818f380c6156f62ab45eed

SHA512
6aadb3d3c3faf939865ecd4a5d44200aa11eb50939bd78a96ca77aae0229474b2857230e744f770b1bb7c7c39fbaa7d9647fe58e5a21571dead2d5c7266208f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7GI39hG.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7GI39hG.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS0Zs67.exe

Filesize
656KB

MD5
1dab42ba54137b073308904c3f727073

SHA1
b1d2cfd7a9ba4e635701ee48e1315dc795faf77e

SHA256
7b7ec4811b7162e638729b85901fa21abf63c62d7b45dc46a7c76c754b920562

SHA512
ba77adf5e7daeb9f5874ba14b4579588c05cbaac97457176057a6eb43245fe5589d905b045cbae188cecc8d11a52e29060fc62e58285232d023ec7b18bcc3dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AS0Zs67.exe

Filesize
656KB

MD5
1dab42ba54137b073308904c3f727073

SHA1
b1d2cfd7a9ba4e635701ee48e1315dc795faf77e

SHA256
7b7ec4811b7162e638729b85901fa21abf63c62d7b45dc46a7c76c754b920562

SHA512
ba77adf5e7daeb9f5874ba14b4579588c05cbaac97457176057a6eb43245fe5589d905b045cbae188cecc8d11a52e29060fc62e58285232d023ec7b18bcc3dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW28AM0.exe

Filesize
895KB

MD5
b43ae66705954174ad77169196d2e436

SHA1
6a6941d2e2c77bdff08be003b5e17c23b257a2ae

SHA256
79952456bd0b03136df4a2b5afadc8a239727f0161959ad827c9a5aabf6cafbd

SHA512
b9a0142d66d8aec9436aa72246d85897320afdccee5fe25c6166158ac5a77a960493bb096c48615d388334bfcc990887bf03a6cfde4c6a7af9557cfa8022aad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fW28AM0.exe

Filesize
895KB

MD5
b43ae66705954174ad77169196d2e436

SHA1
6a6941d2e2c77bdff08be003b5e17c23b257a2ae

SHA256
79952456bd0b03136df4a2b5afadc8a239727f0161959ad827c9a5aabf6cafbd

SHA512
b9a0142d66d8aec9436aa72246d85897320afdccee5fe25c6166158ac5a77a960493bb096c48615d388334bfcc990887bf03a6cfde4c6a7af9557cfa8022aad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ce1751.exe

Filesize
276KB

MD5
13e4c445c461928609acdb4a22b7321e

SHA1
8ecc5875e8e4ffed852f932d9442585cf669053d

SHA256
c0694bfb94bb090861d56adae49d16aee88f3b4305f1550722357d8f7268f5c4

SHA512
d9ac36f1d994d21876baf1eebe1d79a82182a68e8dc401117c1c788bdffabf4e4ed7e6fb8830ab9cd5efb80de6702bb379fb6c2483fee02aa0e3508f32c4af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ce1751.exe

Filesize
276KB

MD5
13e4c445c461928609acdb4a22b7321e

SHA1
8ecc5875e8e4ffed852f932d9442585cf669053d

SHA256
c0694bfb94bb090861d56adae49d16aee88f3b4305f1550722357d8f7268f5c4

SHA512
d9ac36f1d994d21876baf1eebe1d79a82182a68e8dc401117c1c788bdffabf4e4ed7e6fb8830ab9cd5efb80de6702bb379fb6c2483fee02aa0e3508f32c4af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ef5lw2u.xp1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE406.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE42B.tmp

Filesize
92KB

MD5
2c49291f7cd253c173250751551fd2b5

SHA1
9d8a80c2a365675a63b5f50f63b72b76d625b1b1

SHA256
5766d76fbd9f797ab218de6c240dcae6f78066bc5812a99aeeed584fb0621f75

SHA512
de4a9ca73d663384264643be909726cb3393ea45779c888eb54bb3fbd2e36d8ad1c30260a16f1ced9fc5d8fe96dee761a655ff3764148b3e2678563417d6d933

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4A5.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4AB.tmp

Filesize
28KB

MD5
92b2fc6606226aba24afdcd97a8d694b

SHA1
d2451678b00a45c294480634862ccea85b6922e4

SHA256
652bc82cac77ccbcef51e1e87cb17d9e31c3149a6d26d8692d3a6605e5b6d072

SHA512
5a4f78127700aaa21ac6f577e1f077d921d5aa75de91a73c6c6a2739c20d610bcbb8ac83e975fe4fb5ff73612dd2890da0f162fdbef1bf1d7c7f2967eadf0340

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE50A.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE535.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
6f38e2c344007fa6c5a609f3baa82894

SHA1
9296d861ae076ebddac76b490c2e56fcd0d63c6d

SHA256
fb1b0639a3bdd51f914bf71948d88555e1bbb9de0937f8fa94e7aa38a8d6ab9f

SHA512
5432ab0139ee88a7b509d60ed39d3b69f7c38fe94613b3d72cc4480112d95b2cbf7652438801e7e7956aca73d6ebc870851814bec0082f4d77737a024990e059

Download Submit
memory/752-1487-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/752-786-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1004-1137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1004-911-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-905-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2920-906-0x00000000023C0000-0x00000000023C9000-memory.dmp

Filesize
36KB

Download
memory/3112-288-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/3164-1544-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3164-1484-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/3164-1511-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/3164-1516-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-1574-0x0000000007210000-0x0000000007254000-memory.dmp

Filesize
272KB

Download
memory/3164-1483-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3164-1617-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/3164-1619-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/3164-1478-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3164-1489-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3164-1477-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/3164-1505-0x0000000005390000-0x00000000053B2000-memory.dmp

Filesize
136KB

Download
memory/3348-739-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-740-0x0000000000B70000-0x000000000180C000-memory.dmp

Filesize
12.6MB

Download
memory/3348-790-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-359-0x0000000007A90000-0x0000000007ACC000-memory.dmp

Filesize
240KB

Download
memory/4400-738-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/4400-354-0x0000000007B60000-0x0000000007C6A000-memory.dmp

Filesize
1.0MB

Download
memory/4400-339-0x00000000077B0000-0x0000000007842000-memory.dmp

Filesize
584KB

Download
memory/4400-729-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-361-0x0000000007AD0000-0x0000000007B1C000-memory.dmp

Filesize
304KB

Download
memory/4400-337-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4400-347-0x0000000008890000-0x0000000008EA8000-memory.dmp

Filesize
6.1MB

Download
memory/4400-356-0x00000000078F0000-0x0000000007902000-memory.dmp

Filesize
72KB

Download
memory/4400-338-0x0000000007CC0000-0x0000000008264000-memory.dmp

Filesize
5.6MB

Download
memory/4400-344-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/4400-343-0x0000000007A40000-0x0000000007A50000-memory.dmp

Filesize
64KB

Download
memory/4560-357-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4560-346-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4560-355-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4560-360-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4816-936-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4816-927-0x0000000002DB0000-0x000000000369B000-memory.dmp

Filesize
8.9MB

Download
memory/4816-924-0x00000000029B0000-0x0000000002DAD000-memory.dmp

Filesize
4.0MB

Download
memory/5768-674-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/5768-726-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/5768-669-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/5768-670-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5768-675-0x0000000007710000-0x0000000007720000-memory.dmp

Filesize
64KB

Download
memory/5768-676-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/5768-686-0x0000000008B20000-0x0000000008B96000-memory.dmp

Filesize
472KB

Download
memory/5768-687-0x0000000008BF0000-0x0000000008DB2000-memory.dmp

Filesize
1.8MB

Download
memory/5768-688-0x0000000008DD0000-0x00000000092FC000-memory.dmp

Filesize
5.2MB

Download
memory/5768-698-0x0000000009400000-0x000000000941E000-memory.dmp

Filesize
120KB

Download
memory/5768-699-0x0000000002480000-0x00000000024D0000-memory.dmp

Filesize
320KB

Download
memory/5836-845-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-811-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-807-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-850-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-854-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-858-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-801-0x00007FFB88E70000-0x00007FFB89931000-memory.dmp

Filesize
10.8MB

Download
memory/5836-803-0x000001D903A60000-0x000001D903A70000-memory.dmp

Filesize
64KB

Download
memory/5836-804-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-800-0x000001D91C2E0000-0x000001D91C3C4000-memory.dmp

Filesize
912KB

Download
memory/5836-798-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5836-809-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-1594-0x000001D903A60000-0x000001D903A70000-memory.dmp

Filesize
64KB

Download
memory/5836-1592-0x00007FFB88E70000-0x00007FFB89931000-memory.dmp

Filesize
10.8MB

Download
memory/5836-841-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-805-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-813-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-828-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-824-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-832-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/5836-836-0x000001D91C2E0000-0x000001D91C3C1000-memory.dmp

Filesize
900KB

Download
memory/6516-789-0x00000155CF510000-0x00000155CF5D8000-memory.dmp

Filesize
800KB

Download
memory/6516-775-0x00007FFB88E70000-0x00007FFB89931000-memory.dmp

Filesize
10.8MB

Download
memory/6516-784-0x00000155B53F0000-0x00000155B5400000-memory.dmp

Filesize
64KB

Download
memory/6516-791-0x00000155CF6E0000-0x00000155CF7A8000-memory.dmp

Filesize
800KB

Download
memory/6516-785-0x00000155CF430000-0x00000155CF510000-memory.dmp

Filesize
896KB

Download
memory/6516-792-0x00000155CF7B0000-0x00000155CF7FC000-memory.dmp

Filesize
304KB

Download
memory/6516-783-0x00000155B6B00000-0x00000155B6BE0000-memory.dmp

Filesize
896KB

Download
memory/6516-802-0x00007FFB88E70000-0x00007FFB89931000-memory.dmp

Filesize
10.8MB

Download
memory/6516-768-0x00000155B4DD0000-0x00000155B4EBE000-memory.dmp

Filesize
952KB

Download
memory/6528-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6528-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6528-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6528-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6632-290-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6632-242-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6728-1184-0x0000000000230000-0x000000000045D000-memory.dmp

Filesize
2.2MB

Download
memory/6728-825-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/6728-778-0x0000000000230000-0x000000000045D000-memory.dmp

Filesize
2.2MB

Download