glupteba | e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298

Analysis

max time kernel
28s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe
Size

1.4MB
MD5

9c016f4b3ccf4716685a5d37c8894152
SHA1

da74dfa77613cd777b0c4c16151f36ed5579fbbb
SHA256

e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298
SHA512

c37a67a2b6c1ff1ea999529d63c4595c5e81a409eb18ccf8a8754887c832e1135e2f18ae193f318c010cd171716b8cb832d05d655972161474fe58b6de4724a7
SSDEEP

24576:9y20/I5hlyvXaAgyv3eDIs9F1GrITDLf3GH3YhAokYJAvnSs79DpV0qJ:Y20aaXj/esuvGI/3GXYZB09DL0q

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/5584-96-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5584-146-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5584-114-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5584-97-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 17 IoCs

resource	yara_rule
behavioral1/memory/3940-851-0x000001760EE30000-0x000001760EF14000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-864-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-865-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-867-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-869-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-871-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-873-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-875-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-877-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-879-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-883-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-887-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-891-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-899-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-909-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-912-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-896-0x000001760EE30000-0x000001760EF11000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/5948-1034-0x0000000002EA0000-0x000000000378B000-memory.dmp	family_glupteba
behavioral1/memory/5948-1045-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/8828-422-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/5516-687-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/5516-688-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
6700	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 8 IoCs

pid	Process
3272	vX6oX15.exe
2836	Rk0Ik39.exe
3660	kp9Fs07.exe
4032	1BN00fq9.exe
4840	2Ov9866.exe
6576	7JF69vm.exe
8764	8cP142RX.exe
8840	sc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vX6oX15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Rk0Ik39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kp9Fs07.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022cd9-26.dat	autoit_exe
behavioral1/files/0x0007000000022cd9-27.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 5584	4840	2Ov9866.exe	118
PID 8764 set thread context of 8828	8764	8cP142RX.exe	162
PID 8840 set thread context of 8940	8840	sc.exe	165

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5564	sc.exe
8588	sc.exe
8840	sc.exe
5208	sc.exe
3208	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8128	5584	WerFault.exe	118

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7JF69vm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7JF69vm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7JF69vm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6888	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
6148	msedge.exe
6148	msedge.exe
6308	msedge.exe
6308	msedge.exe
6184	msedge.exe
6184	msedge.exe
6160	msedge.exe
2996	msedge.exe
6160	msedge.exe
2996	msedge.exe
6576	7JF69vm.exe
6576	7JF69vm.exe
6404	msedge.exe
6404	msedge.exe
6516	msedge.exe
6516	msedge.exe
6428	msedge.exe
6428	msedge.exe
6800	msedge.exe
6800	msedge.exe
1524	msedge.exe
1524	msedge.exe
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found
3320	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6576	7JF69vm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found
Token: SeShutdownPrivilege	3320	Process not Found
Token: SeCreatePagefilePrivilege	3320	Process not Found

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
4032	1BN00fq9.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3272	2104	e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe	86
PID 2104 wrote to memory of 3272	2104	e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe	86
PID 2104 wrote to memory of 3272	2104	e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe	86
PID 3272 wrote to memory of 2836	3272	vX6oX15.exe	88
PID 3272 wrote to memory of 2836	3272	vX6oX15.exe	88
PID 3272 wrote to memory of 2836	3272	vX6oX15.exe	88
PID 2836 wrote to memory of 3660	2836	Rk0Ik39.exe	90
PID 2836 wrote to memory of 3660	2836	Rk0Ik39.exe	90
PID 2836 wrote to memory of 3660	2836	Rk0Ik39.exe	90
PID 3660 wrote to memory of 4032	3660	kp9Fs07.exe	92
PID 3660 wrote to memory of 4032	3660	kp9Fs07.exe	92
PID 3660 wrote to memory of 4032	3660	kp9Fs07.exe	92
PID 4032 wrote to memory of 1524	4032	1BN00fq9.exe	95
PID 4032 wrote to memory of 1524	4032	1BN00fq9.exe	95
PID 4032 wrote to memory of 4704	4032	1BN00fq9.exe	97
PID 4032 wrote to memory of 4704	4032	1BN00fq9.exe	97
PID 1524 wrote to memory of 64	1524	msedge.exe	101
PID 1524 wrote to memory of 64	1524	msedge.exe	101
PID 4032 wrote to memory of 1068	4032	1BN00fq9.exe	99
PID 4032 wrote to memory of 1068	4032	1BN00fq9.exe	99
PID 4704 wrote to memory of 720	4704	msedge.exe	98
PID 4704 wrote to memory of 720	4704	msedge.exe	98
PID 1068 wrote to memory of 3956	1068	msedge.exe	100
PID 1068 wrote to memory of 3956	1068	msedge.exe	100
PID 4032 wrote to memory of 4132	4032	1BN00fq9.exe	102
PID 4032 wrote to memory of 4132	4032	1BN00fq9.exe	102
PID 4132 wrote to memory of 4952	4132	msedge.exe	103
PID 4132 wrote to memory of 4952	4132	msedge.exe	103
PID 4032 wrote to memory of 1064	4032	1BN00fq9.exe	104
PID 4032 wrote to memory of 1064	4032	1BN00fq9.exe	104
PID 1064 wrote to memory of 2832	1064	msedge.exe	105
PID 1064 wrote to memory of 2832	1064	msedge.exe	105
PID 4032 wrote to memory of 4192	4032	1BN00fq9.exe	106
PID 4032 wrote to memory of 4192	4032	1BN00fq9.exe	106
PID 4192 wrote to memory of 4108	4192	msedge.exe	107
PID 4192 wrote to memory of 4108	4192	msedge.exe	107
PID 4032 wrote to memory of 1628	4032	1BN00fq9.exe	108
PID 4032 wrote to memory of 1628	4032	1BN00fq9.exe	108
PID 1628 wrote to memory of 2280	1628	msedge.exe	109
PID 1628 wrote to memory of 2280	1628	msedge.exe	109
PID 4032 wrote to memory of 4888	4032	1BN00fq9.exe	110
PID 4032 wrote to memory of 4888	4032	1BN00fq9.exe	110
PID 4888 wrote to memory of 3372	4888	msedge.exe	111
PID 4888 wrote to memory of 3372	4888	msedge.exe	111
PID 4032 wrote to memory of 4416	4032	1BN00fq9.exe	112
PID 4032 wrote to memory of 4416	4032	1BN00fq9.exe	112
PID 4416 wrote to memory of 3740	4416	msedge.exe	113
PID 4416 wrote to memory of 3740	4416	msedge.exe	113
PID 4032 wrote to memory of 2144	4032	1BN00fq9.exe	114
PID 4032 wrote to memory of 2144	4032	1BN00fq9.exe	114
PID 2144 wrote to memory of 4276	2144	msedge.exe	115
PID 2144 wrote to memory of 4276	2144	msedge.exe	115
PID 3660 wrote to memory of 4840	3660	kp9Fs07.exe	116
PID 3660 wrote to memory of 4840	3660	kp9Fs07.exe	116
PID 3660 wrote to memory of 4840	3660	kp9Fs07.exe	116
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118
PID 4840 wrote to memory of 5584	4840	2Ov9866.exe	118

C:\Users\Admin\AppData\Local\Temp\e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe
"C:\Users\Admin\AppData\Local\Temp\e6218806a8384d029a2f5d2214729cccab8790b8a9455a7cdcf8a7968e8ea298.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vX6oX15.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vX6oX15.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rk0Ik39.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rk0Ik39.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kp9Fs07.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kp9Fs07.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1BN00fq9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1BN00fq9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        7⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        7⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        7⤵
        
        PID:6900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        7⤵
        
        PID:4212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
        7⤵
        
        PID:7380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
        7⤵
        
        PID:7472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
        7⤵
        
        PID:7888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
        7⤵
        
        PID:7340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
        7⤵
        
        PID:6020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        7⤵
        
        PID:7364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        7⤵
        
        PID:5708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
        7⤵
        
        PID:6692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
        7⤵
        
        PID:6140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
        7⤵
        
        PID:8408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
        7⤵
        
        PID:8444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
        7⤵
        
        PID:8620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
        7⤵
        
        PID:6276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
        7⤵
        
        PID:9136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
        7⤵
        
        PID:7480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8612 /prefetch:8
        7⤵
        
        PID:8324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8612 /prefetch:8
        7⤵
        
        PID:8396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,5590491983737844431,128663789377662325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
        7⤵
        
        PID:8904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3493663539531483873,7074860029756309896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3493663539531483873,7074860029756309896,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        7⤵
        
        PID:6168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:3956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6708422103047436150,1430403349910452208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        7⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6708422103047436150,1430403349910452208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:4952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13997611332216896014,16556950882176255606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13997611332216896014,16556950882176255606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        7⤵
        
        PID:5852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:2832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4003583099330030929,16961803444453059576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4003583099330030929,16961803444453059576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        7⤵
        
        PID:6212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3639147977233217458,14379820860449063872,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3639147977233217458,14379820860449063872,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        7⤵
        
        PID:6396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:2280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6420957302538982150,16935335460547269716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        7⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6420957302538982150,16935335460547269716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:3372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17917032344702940603,2873991862600875753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17917032344702940603,2873991862600875753,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:6568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:3740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2193003432264248831,137506457384388890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2193003432264248831,137506457384388890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        7⤵
        
        PID:6300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
        7⤵
        
        PID:4276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,15273291363051343608,16975404649807600131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,15273291363051343608,16975404649807600131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        7⤵
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ov9866.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ov9866.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 540
        7⤵
        Program crash
        
        PID:8128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7JF69vm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7JF69vm.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8cP142RX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8cP142RX.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:8764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:8828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9IL0Cg1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9IL0Cg1.exe
  2⤵
  PID:8840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:8940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5584 -ip 5584
1⤵
PID:6784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\4C56.exe
C:\Users\Admin\AppData\Local\Temp\4C56.exe
1⤵
PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:9084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9138846f8,0x7ff913884708,0x7ff913884718
    3⤵
    PID:8752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:7336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    PID:6852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
    3⤵
    PID:7316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:6540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:7876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:6504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
    3⤵
    PID:6040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:6648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
    3⤵
    PID:3056
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12060978997961077759,16098154797004057053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
    3⤵
    PID:8040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\8F4C.exe
C:\Users\Admin\AppData\Local\Temp\8F4C.exe
1⤵
PID:5792
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:6596
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:5908
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:8096
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5964
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1124
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:6700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:6444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5748
- C:\Users\Admin\AppData\Local\Temp\forc.exe
  "C:\Users\Admin\AppData\Local\Temp\forc.exe"
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\forc.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:6888
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:5128

C:\Users\Admin\AppData\Local\Temp\9269.exe
C:\Users\Admin\AppData\Local\Temp\9269.exe
1⤵
PID:7432
- C:\Users\Admin\AppData\Local\Temp\9269.exe
  C:\Users\Admin\AppData\Local\Temp\9269.exe
  2⤵
  PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\43A9.exe
C:\Users\Admin\AppData\Local\Temp\43A9.exe
1⤵
PID:6308
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:8932

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:3220
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5564
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8588
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Launches sc.exe
  PID:8840
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5208
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3208

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2992
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5400
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5472
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:3476
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:8876

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6356

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:7420

C:\Users\Admin\AppData\Local\Temp\EE71.exe
C:\Users\Admin\AppData\Local\Temp\EE71.exe
1⤵
PID:8060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\48463108-b619-4c29-aa3c-5f35d568d7fa.tmp

Filesize
2KB

MD5
6f3bebdea9d6fb71cdb01d3c4c010809

SHA1
aa1990677aaf4c157e0634bcf47e4ef58924d86e

SHA256
4c03b70824b6b7bc4b490b9d099fdf8fb92e4719a118e73eb1ae285e5e399576

SHA512
52517978abc415daca13c472823edfcacb30b8e1c26917e5c25089f30bd739e0819c2b25e974c17035fa29dcaaab01b0d1ccc3e44c0b44f43b7a2397de6d077a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6d17daae-4ea5-4a8b-bfbe-5cf2fe0d2da0.tmp

Filesize
2KB

MD5
9d9ea399cc6846b240e9fa407928e72d

SHA1
f933029304071950d870641b506dfbae066626ef

SHA256
4ed3fdd249db720d236560d2c344090fa44b19e972ed1e422fd159b7d733a750

SHA512
dfe9c34c56214ce94a8e428578913b0ab5ec3887a7bdbace2a67314e4d6c95e6a59aa397628a9c74dfe698fb9e5313155ad2868a098069f8b03a8c29ec59b2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\95c74804-6d26-4d9d-81d6-b791228e43da.tmp

Filesize
2KB

MD5
196af24c598897394e07482e55683c60

SHA1
94723d82e34d6df5e5f4d550c43d866ddda62ead

SHA256
20c9b455111b4dcaa21c6d662bd10f94c255c52e0b06298491e08680625e990d

SHA512
236a6b8a98dcedda33eb62d65374a796011a63721047baf16f0cfe51a2e4282b8f2b9fbb7fed765fc02a393ec8886358040470303aca68acb941a7bd64e978d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25189300c19c8d07d07f0ec5b9ac8df0

SHA1
8c38360db6ac069df9f203b225348ac699f020b7

SHA256
80664f48abed2305dc6c625d5faabd9c6cfb91a495b3978799e29f6c686a85f6

SHA512
8ba104d264ba9f10b6c60a2a51e0fb6ded1555acca091d16899f49da1635d4372ff5c8813dc02abb0732dce6c0d529708938abd54e2fcf24cd04fb9f7301f862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd57206d74e68e1f70796d0fda0bf24a

SHA1
dbdcb840eae95928031d3e99994d2cdf651ec85b

SHA256
8af9526122c3e5f3d3840c5442672e5c2240c09ed4b01d7252e931c770fbe196

SHA512
1d2b643233f4ec20715020c18fb795eb2648125462e0bfe557c991a0e0048d71c85570e37f45a20c38bc88f1f4141c6e24b1da904af08eb3ec8d21305ad5583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9e2c22bf-47e7-478d-9958-9adb7af6883e.tmp

Filesize
8KB

MD5
7a657c1d829af481ef1c43ad9aad8315

SHA1
636d3bf2631a835e2bfe1fcebbccc7fcb8b97b00

SHA256
294eba52d03295e05c6f8e9aec7e5f5d071d0337e4b0272ffa397e0aa6c1ef40

SHA512
c3c4ceb4a12d33d61b0a5382836e4ae1abb20f819aa3ac49391a94369c5f75802881db6320b7e6e03ee51820bb3e27516e6ab96eee27a3d86720cfd5e2680900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
23f1ed5e9cda071b7fa338a949a14b87

SHA1
f27b2cacdb097f1f6b72eac570c7d8fd523114cb

SHA256
eb2c24abd55e9191902252f08b15690ee86f33af08143406f5669bde4b403a11

SHA512
58aba88a997ca34dbee8b75234f13a71b92ae958eb859d6d82e6c1da709800eacb68b4870f99413cadb2ff13a7e913ed679d563a58c044656afa3242e9b84912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e7b744e1d41482b257feb0c839e98a5

SHA1
5343fc85827d79fea57e3df9f8b78d3616588b76

SHA256
c9c4048dcc098b668a57f450e02424a7c19fdc19c2f1610772e7789c282e131a

SHA512
3e64cba52e8919fa1a552cc7ff5933c6df2e6533fd0c52741da755a831446aa3592e29e8cf5c224c7dac85b4f6aa30a98e01b11f8335295d47a0d9df7a79d6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d78b05bb2c95244b8db5b59a9bd42cf5

SHA1
49f3f37944e7f912088821f63c107e53bf08cec2

SHA256
180637aabbb8ce5947bf2c767cb8475917799e9ff3b8d81568e76ffbe5487df9

SHA512
9ee0aabef8d87affe4d04be90030a9cd24369097a7cced2c0efaf6e0a6a08b96ae19416968b0aa8e351bd8bd1dcdda219be3bd30aac7deae72709cec3f226899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ea35f0c4269ebf1a54d633f5f97f48ac

SHA1
782f6ccff2509ffc156fb0e9051589d27b538048

SHA256
2c6b2adc798a4f3014c85edb17d7b67abc9b02e369d5c10ccc26a5b0873b3b30

SHA512
e4f7ad4bb53dedb18f7dea848f0e706f74d37719bee0110b5af71605f7eafe3e15d46e9ac4097a423121c5d433bb7b5af2a4478b5ec2e3c8cd54f6fa41c1b209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92c9c97eba3493498239b117a94a53d1

SHA1
ddc577582163797f0cf52e8ea44d41f8a1a1786b

SHA256
dbc3b65b327452741c77c10826a8bcd1fc16fecaae0b70d3f445ef4bb1f049b3

SHA512
106ff1792bebec2695228d17ba07057330429b087f98e67e8ca4013543fb3e3df54d8c4c31bef725588b94889ea4bf47f32ac9460776184c21f3da04f5b583fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
de5cd3a9b4261c5ff8df28a0dad02ad2

SHA1
c3ab674b5e81ce9ca9f2c93e43b2c367b44bc8a3

SHA256
4c806df8575f24a2644eee8deb114c740a702eda4831bbdc98b1c67e7815b989

SHA512
4a995df6c15420e89c75f9756d5cf90622507ba357d73b9fcac683e2e8d83efdb694f89e82ff501952c273b2f3f32271249a218283eb009436baa1c8cc27f52e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583d04.TMP

Filesize
1KB

MD5
846e12ff4600747dffc5dbb8a64e908c

SHA1
c1547459557e29b542752b04a784efbed22468ba

SHA256
304379bc0de68dd5a78098bc153cc6274feaea5c7fe2ef2e3597138e35d21c4a

SHA512
57df4b6c1a9b93e77b8c537a6ce0c0b462c46958ddc25b9606a3f9a8e69bb99cb7a50f29666ec19d73a167c41da887021ab0eac11e7ceead4f51a76b742e50ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
196af24c598897394e07482e55683c60

SHA1
94723d82e34d6df5e5f4d550c43d866ddda62ead

SHA256
20c9b455111b4dcaa21c6d662bd10f94c255c52e0b06298491e08680625e990d

SHA512
236a6b8a98dcedda33eb62d65374a796011a63721047baf16f0cfe51a2e4282b8f2b9fbb7fed765fc02a393ec8886358040470303aca68acb941a7bd64e978d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6f3bebdea9d6fb71cdb01d3c4c010809

SHA1
aa1990677aaf4c157e0634bcf47e4ef58924d86e

SHA256
4c03b70824b6b7bc4b490b9d099fdf8fb92e4719a118e73eb1ae285e5e399576

SHA512
52517978abc415daca13c472823edfcacb30b8e1c26917e5c25089f30bd739e0819c2b25e974c17035fa29dcaaab01b0d1ccc3e44c0b44f43b7a2397de6d077a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6ddd79b83631b4e093e97315b0822bcb

SHA1
befbfca8620b53d0aaf23cee976067cfb98f062d

SHA256
faa52ed101d74af332880735bc5ca7bab921d916eff659b0ba845591178c3913

SHA512
3d4535f1759dc0207bf9bb7f2380d07849320aada5d91ad4daa21d978b0dcd7a5bfaf43619b5516a0e23cc1be43e333dd81c33b58810676e5c5cf0bcca8716b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
862cb9eefdb7a79708b18a04ed9865b2

SHA1
a3e4f45ce1c05feaa4a43f2a3afb76a12aabcd88

SHA256
d470d58b3916e8ecbad346c4e1c94caec4646ee37a49f20fc261a6a9b8a79228

SHA512
3e082e4be7f06df200832a8cc9d0133855c93abea6b8da680c858c75ee5055af5d3346a7ef4f288ad1e5e9569fc792194c78ebef731cdc6e9c7e0f95fed2258e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
862cb9eefdb7a79708b18a04ed9865b2

SHA1
a3e4f45ce1c05feaa4a43f2a3afb76a12aabcd88

SHA256
d470d58b3916e8ecbad346c4e1c94caec4646ee37a49f20fc261a6a9b8a79228

SHA512
3e082e4be7f06df200832a8cc9d0133855c93abea6b8da680c858c75ee5055af5d3346a7ef4f288ad1e5e9569fc792194c78ebef731cdc6e9c7e0f95fed2258e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2933aaac022998c2bc6af358d17d7818

SHA1
10f70d3a20c9856e8f86e082484a9a9e51e2c227

SHA256
f2f8e9fb25ee41f9cdf0440ac000c31dd2f0ba619bcc6f2e16a1c66494a0ec4f

SHA512
63c0d8338c6dfba3753692f63968c50a44eca0a482f27064685bcbc0e094adbddb76754821ff8945a6ef51c02ba1293b19c02598af71be3475c73de19f95f6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2933aaac022998c2bc6af358d17d7818

SHA1
10f70d3a20c9856e8f86e082484a9a9e51e2c227

SHA256
f2f8e9fb25ee41f9cdf0440ac000c31dd2f0ba619bcc6f2e16a1c66494a0ec4f

SHA512
63c0d8338c6dfba3753692f63968c50a44eca0a482f27064685bcbc0e094adbddb76754821ff8945a6ef51c02ba1293b19c02598af71be3475c73de19f95f6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c6045814d56802b8874d3b0c19788c96

SHA1
5c9113b2f93cbbc550f694770ea0218e1251e6b3

SHA256
d160976002ffdc40c7fcfdf0c79c29b0f0cbf8e5b4b8c5e02f4b12b14a7b15a9

SHA512
11bfb3e4d0091b79c964db2aac0c6fb5d1f63b20876ba875c4f258b85275c8f3932ac4ace375b2c202e4d42a360e3c96b41dabdf3c40eb4451d047a3c48743d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c88dfc0ccfae9f803cd5a17bb7246c6

SHA1
2af056b2232842a295bd51fb0ec6e79be4eaec5d

SHA256
1c64c138fa0f19fb3a30401d927d05ccbc07a5a3236085ad0e4ca366193c5920

SHA512
3655ca52fb303f33e0cb707343bdad7e6e75d70bd383d678facc92bdbe73b5085e47c4e8a5cabcf669cc42b80ef868c8316744f46fd4b1431bce548dc66ad8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ab79226880c22ec68f516a6e35b06edd

SHA1
089887ef0b71f8de699524309e0127d524904435

SHA256
7ef199770b805a4cc91bfb696dfd446d4de0d0f8c698c8a08c9b6c5f0c16ed1b

SHA512
20522860868acb34d38ab65f68f46c5c551870cce5ad0111414426bad3c1f1d8afa6082819f3f7e529311dd025a6ff7e4f0b726788905ac2f47f80f8145543e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ab79226880c22ec68f516a6e35b06edd

SHA1
089887ef0b71f8de699524309e0127d524904435

SHA256
7ef199770b805a4cc91bfb696dfd446d4de0d0f8c698c8a08c9b6c5f0c16ed1b

SHA512
20522860868acb34d38ab65f68f46c5c551870cce5ad0111414426bad3c1f1d8afa6082819f3f7e529311dd025a6ff7e4f0b726788905ac2f47f80f8145543e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
9d9ea399cc6846b240e9fa407928e72d

SHA1
f933029304071950d870641b506dfbae066626ef

SHA256
4ed3fdd249db720d236560d2c344090fa44b19e972ed1e422fd159b7d733a750

SHA512
dfe9c34c56214ce94a8e428578913b0ab5ec3887a7bdbace2a67314e4d6c95e6a59aa397628a9c74dfe698fb9e5313155ad2868a098069f8b03a8c29ec59b2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4f605faca53c8615f54aebe9a4e12eff

SHA1
59dc77ccb774b1422bcb7cc1301810372a113b70

SHA256
f2873048f042fce83525f2905204edc7f94e1c64b0f82165338465231d53d0e5

SHA512
e248a77e32286d1c673e9d6ae8de8d9d9a7737daf909fa288af4da26e4c25489529b4c2e01770db1dc255cac3cf87125207cc1b74d647fb05c317dfb5071179a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d20ba8d375a819b01a3a978f263182e7

SHA1
a98c43e6aab38adaa2570adfecb3f9996a03900b

SHA256
31e03f6f12e7e2016125ae9f1620d2fd4b91fb51f31901b34673aeb31d2c3db5

SHA512
a87d1772a5ac438628d5de3f9cfd97329faff2bada2d490437384272d5a29c4d395b676baa0191e7726fd5f1534cbfbb451197f02674164308db83847f2d0c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a94ae14b-5e89-4f22-8a17-b3ffe036fae8.tmp

Filesize
2KB

MD5
6ddd79b83631b4e093e97315b0822bcb

SHA1
befbfca8620b53d0aaf23cee976067cfb98f062d

SHA256
faa52ed101d74af332880735bc5ca7bab921d916eff659b0ba845591178c3913

SHA512
3d4535f1759dc0207bf9bb7f2380d07849320aada5d91ad4daa21d978b0dcd7a5bfaf43619b5516a0e23cc1be43e333dd81c33b58810676e5c5cf0bcca8716b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\bf0bef40-ecd3-4cdd-a468-72368b9072d7.tmp

Filesize
2KB

MD5
4f605faca53c8615f54aebe9a4e12eff

SHA1
59dc77ccb774b1422bcb7cc1301810372a113b70

SHA256
f2873048f042fce83525f2905204edc7f94e1c64b0f82165338465231d53d0e5

SHA512
e248a77e32286d1c673e9d6ae8de8d9d9a7737daf909fa288af4da26e4c25489529b4c2e01770db1dc255cac3cf87125207cc1b74d647fb05c317dfb5071179a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c2fb89de-8d62-4061-aa8f-b31f04548772.tmp

Filesize
2KB

MD5
9a92ef18b30a59c9537aaeeccf8aacb2

SHA1
6fc0bca68741fd374f4bb53568ce884ddeb26071

SHA256
aacebf6eef64d465deb14f81b1e954ad39fe05e782d5a2270245afee68593b7b

SHA512
1f489de22e3f9dd48e8bead5bc6d23ea713d77a6c70949a9aec4c1fb20436d8d433cd252e3df0b2de6f06f3884a31110381ae8e9cd9aed28bca704c6612441d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
a98f00f0876312e7f85646d2e4fe9ded

SHA1
5d6650725d89fea37c88a0e41b2486834a8b7546

SHA256
787892fff0e39d65ccf86bb7f945be728287aaf80064b7acc84b9122e49d54e6

SHA512
f5ca9ec79d5639c06727dd106e494a39f12de150fbfbb0461d5679aed6a137b3781eedf51beaf02b61d183991d8bca4c08a045a83412525d1e28283856fa3802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vX6oX15.exe

Filesize
1003KB

MD5
8dfecf98bdb5e941c17c77e481dba94a

SHA1
7b1039b68e81aac1c110e8fbf1380e1427f6c20a

SHA256
456134bb157fc8c4076fc54a4721d19a851b3add205563a5dcb11d3f14522f98

SHA512
c6d24e22e17ba6c20eeafc17dd13c017fe1868025297af5c5fff019d4695895f47615367975596590a43c007a09cb6695ab23acfa599225a324787d7a26a9981

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vX6oX15.exe

Filesize
1003KB

MD5
8dfecf98bdb5e941c17c77e481dba94a

SHA1
7b1039b68e81aac1c110e8fbf1380e1427f6c20a

SHA256
456134bb157fc8c4076fc54a4721d19a851b3add205563a5dcb11d3f14522f98

SHA512
c6d24e22e17ba6c20eeafc17dd13c017fe1868025297af5c5fff019d4695895f47615367975596590a43c007a09cb6695ab23acfa599225a324787d7a26a9981

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rk0Ik39.exe

Filesize
782KB

MD5
62974f3bcef7a864146f80ddd7b0c7fd

SHA1
c28cab8f0e227ca14ad7e5218685ce82e755c874

SHA256
7e88f12c3a350c7b1d1c6bdb2cde590c22f38dd517c161bf6065aab54e2ea711

SHA512
a9da9788ef0fdb8c031fa9aa10d04af380805bb49644d497e67eebcc97877b3ba6cbcb8abccd0264cb7243c7f4ec88bc8bf5dab44cecd1d2a862235f81ed473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rk0Ik39.exe

Filesize
782KB

MD5
62974f3bcef7a864146f80ddd7b0c7fd

SHA1
c28cab8f0e227ca14ad7e5218685ce82e755c874

SHA256
7e88f12c3a350c7b1d1c6bdb2cde590c22f38dd517c161bf6065aab54e2ea711

SHA512
a9da9788ef0fdb8c031fa9aa10d04af380805bb49644d497e67eebcc97877b3ba6cbcb8abccd0264cb7243c7f4ec88bc8bf5dab44cecd1d2a862235f81ed473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7JF69vm.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7JF69vm.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kp9Fs07.exe

Filesize
657KB

MD5
52d3dbf9924dd786e0a9c493241db84c

SHA1
b4d0aa80828543f8f6d06572f5c5cf878c80b60f

SHA256
252ac148024e9d19435ac56cf05f8e14a961ceda958ba3bdae114fdf2f99beb9

SHA512
d6f4e1e113bea417ba722838d299b0f9b654c81602473691a18c3972ba1f0ebfe780fa517e702d1822741a6fda53cd5a9539b90ac4bad2000716cf932a0fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kp9Fs07.exe

Filesize
657KB

MD5
52d3dbf9924dd786e0a9c493241db84c

SHA1
b4d0aa80828543f8f6d06572f5c5cf878c80b60f

SHA256
252ac148024e9d19435ac56cf05f8e14a961ceda958ba3bdae114fdf2f99beb9

SHA512
d6f4e1e113bea417ba722838d299b0f9b654c81602473691a18c3972ba1f0ebfe780fa517e702d1822741a6fda53cd5a9539b90ac4bad2000716cf932a0fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1BN00fq9.exe

Filesize
895KB

MD5
7a9c63290e43af94ea504db05995e93e

SHA1
e64503eb9a0ab8b50652444b2cd3266b8c5f3640

SHA256
22bf1a90b89c2af05b119c254afdc595da464a141fdbb33695fac9bcc08162f1

SHA512
cb0c2a142106d1d3bc87b815e1389dec29ce05da218aa2ad9e3f579d2c45f039cbc1288656ff055ee10adf1c1bbe26745163bbce9e9658f1a5f9e4d4f4cd1413

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1BN00fq9.exe

Filesize
895KB

MD5
7a9c63290e43af94ea504db05995e93e

SHA1
e64503eb9a0ab8b50652444b2cd3266b8c5f3640

SHA256
22bf1a90b89c2af05b119c254afdc595da464a141fdbb33695fac9bcc08162f1

SHA512
cb0c2a142106d1d3bc87b815e1389dec29ce05da218aa2ad9e3f579d2c45f039cbc1288656ff055ee10adf1c1bbe26745163bbce9e9658f1a5f9e4d4f4cd1413

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ov9866.exe

Filesize
276KB

MD5
61afdb5756c0711a6780698e10a1506a

SHA1
440a820fd3bfb0ecfa2a6b7646074430d0c11fa8

SHA256
1630904557c720030b5f9278ffc5365118d739ac3297e9d8bca6a4452adebe31

SHA512
04ab90d672d7335f22ffa033325060a15f82438ec4c900cd8076137d12a5a4042c5e626fd423c4e2b2788d4907a8021f7f4f7a3f265ec7ca1f5be5627b099968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ov9866.exe

Filesize
276KB

MD5
61afdb5756c0711a6780698e10a1506a

SHA1
440a820fd3bfb0ecfa2a6b7646074430d0c11fa8

SHA256
1630904557c720030b5f9278ffc5365118d739ac3297e9d8bca6a4452adebe31

SHA512
04ab90d672d7335f22ffa033325060a15f82438ec4c900cd8076137d12a5a4042c5e626fd423c4e2b2788d4907a8021f7f4f7a3f265ec7ca1f5be5627b099968

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmwiswpi.ebj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
6f38e2c344007fa6c5a609f3baa82894

SHA1
9296d861ae076ebddac76b490c2e56fcd0d63c6d

SHA256
fb1b0639a3bdd51f914bf71948d88555e1bbb9de0937f8fa94e7aa38a8d6ab9f

SHA512
5432ab0139ee88a7b509d60ed39d3b69f7c38fe94613b3d72cc4480112d95b2cbf7652438801e7e7956aca73d6ebc870851814bec0082f4d77737a024990e059

Download Submit
memory/3320-405-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/3940-852-0x00007FF90FD10000-0x00007FF9107D1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-849-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3940-865-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-864-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-869-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-1732-0x00000176292B0000-0x00000176292C0000-memory.dmp

Filesize
64KB

Download
memory/3940-871-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-854-0x00000176292B0000-0x00000176292C0000-memory.dmp

Filesize
64KB

Download
memory/3940-873-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-851-0x000001760EE30000-0x000001760EF14000-memory.dmp

Filesize
912KB

Download
memory/3940-1593-0x00007FF90FD10000-0x00007FF9107D1000-memory.dmp

Filesize
10.8MB

Download
memory/3940-896-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-875-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-867-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-877-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-879-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-883-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-887-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-891-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-899-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-909-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/3940-912-0x000001760EE30000-0x000001760EF11000-memory.dmp

Filesize
900KB

Download
memory/5408-1006-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/5408-1000-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/5516-708-0x0000000008BA0000-0x0000000008BBE000-memory.dmp

Filesize
120KB

Download
memory/5516-718-0x0000000008C90000-0x0000000008CE0000-memory.dmp

Filesize
320KB

Download
memory/5516-687-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/5516-688-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5516-693-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5516-753-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5516-704-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/5516-742-0x0000000005E20000-0x000000000634C000-memory.dmp

Filesize
5.2MB

Download
memory/5516-741-0x0000000005C50000-0x0000000005E12000-memory.dmp

Filesize
1.8MB

Download
memory/5516-707-0x0000000008AD0000-0x0000000008B46000-memory.dmp

Filesize
472KB

Download
memory/5584-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5584-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5584-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5584-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5664-1755-0x000001ED00030000-0x000001ED00052000-memory.dmp

Filesize
136KB

Download
memory/5664-1738-0x000001EC81C10000-0x000001EC81C20000-memory.dmp

Filesize
64KB

Download
memory/5664-1737-0x00007FF90FD10000-0x00007FF9107D1000-memory.dmp

Filesize
10.8MB

Download
memory/5744-1284-0x0000000000DB0000-0x0000000000FDD000-memory.dmp

Filesize
2.2MB

Download
memory/5744-880-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5744-833-0x0000000000DB0000-0x0000000000FDD000-memory.dmp

Filesize
2.2MB

Download
memory/5792-791-0x0000000000090000-0x0000000000D2C000-memory.dmp

Filesize
12.6MB

Download
memory/5792-790-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5792-847-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5908-848-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5908-1583-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/5948-1030-0x0000000002A90000-0x0000000002E94000-memory.dmp

Filesize
4.0MB

Download
memory/5948-1034-0x0000000002EA0000-0x000000000378B000-memory.dmp

Filesize
8.9MB

Download
memory/5948-1045-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5964-1595-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/5964-1670-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download
memory/5964-1664-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/5964-1608-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/5964-1742-0x00000000061B0000-0x00000000061F4000-memory.dmp

Filesize
272KB

Download
memory/5964-1591-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/5964-1589-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/5964-1587-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5964-1584-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/5964-1704-0x0000000005C50000-0x0000000005C6E000-memory.dmp

Filesize
120KB

Download
memory/6576-166-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6576-415-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7432-813-0x00000245742A0000-0x0000024574368000-memory.dmp

Filesize
800KB

Download
memory/7432-798-0x00000245741C0000-0x00000245742A0000-memory.dmp

Filesize
896KB

Download
memory/7432-797-0x00007FF90FD10000-0x00007FF9107D1000-memory.dmp

Filesize
10.8MB

Download
memory/7432-853-0x00007FF90FD10000-0x00007FF9107D1000-memory.dmp

Filesize
10.8MB

Download
memory/7432-794-0x0000024559B40000-0x0000024559C2E000-memory.dmp

Filesize
952KB

Download
memory/7432-824-0x0000024574540000-0x000002457458C000-memory.dmp

Filesize
304KB

Download
memory/7432-815-0x0000024574470000-0x0000024574538000-memory.dmp

Filesize
800KB

Download
memory/7432-796-0x00000245740E0000-0x00000245741C0000-memory.dmp

Filesize
896KB

Download
memory/7432-799-0x000002455A0B0000-0x000002455A0C0000-memory.dmp

Filesize
64KB

Download
memory/8096-1178-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/8096-1008-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/8828-445-0x0000000007AA0000-0x0000000007AB2000-memory.dmp

Filesize
72KB

Download
memory/8828-442-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/8828-441-0x0000000007980000-0x0000000007990000-memory.dmp

Filesize
64KB

Download
memory/8828-426-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/8828-454-0x0000000007B50000-0x0000000007B9C000-memory.dmp

Filesize
304KB

Download
memory/8828-447-0x0000000007B10000-0x0000000007B4C000-memory.dmp

Filesize
240KB

Download
memory/8828-694-0x0000000007980000-0x0000000007990000-memory.dmp

Filesize
64KB

Download
memory/8828-692-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/8828-431-0x00000000077E0000-0x0000000007872000-memory.dmp

Filesize
584KB

Download
memory/8828-424-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/8828-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/8828-444-0x00000000082A0000-0x00000000083AA000-memory.dmp

Filesize
1.0MB

Download
memory/8828-443-0x00000000088C0000-0x0000000008ED8000-memory.dmp

Filesize
6.1MB

Download
memory/8940-427-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/8940-430-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/8940-428-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/8940-425-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download