glupteba | 64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08

Analysis

max time kernel
60s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe
Size

1.4MB
MD5

fd5f5d2ce91a7c3f6ff37fd069cf6218
SHA1

80d6c8574278657d193bdd0df8476484d25b3d89
SHA256

64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08
SHA512

b184490cc57cb423608323b79878bf3d93674987cbc0ccfcd07daed65444f44313f6b40deba691a730c268f76a8308368321851daeee9d20c8049d9c0e109585
SSDEEP

24576:kyOEa9jcQAScjlFbWM0evIsgtbG7XtDAQvCVEfdq+UgcgAsfeAJbOq:zOP9jZMFixeAVhGJZCIjBcnmJ

Score

10^/10

glupteba mystic redline smokeloader stealc zgrat taiga up3 backdoor dropper evasion infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3280-262-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-263-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-264-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3280-267-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 18 IoCs

resource	yara_rule
behavioral1/memory/5548-664-0x00000227BC700000-0x00000227BC7E4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-666-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-665-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-668-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-670-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-672-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-674-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-676-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-678-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-680-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-682-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-684-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-690-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-686-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-697-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-701-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-705-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1
behavioral1/memory/5548-709-0x00000227BC700000-0x00000227BC7E1000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/1416-816-0x0000000002EC0000-0x00000000037AB000-memory.dmp	family_glupteba
behavioral1/memory/1416-820-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/7644-326-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/7588-527-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/7588-530-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
7820	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	B205.exe

Executes dropped EXE 9 IoCs

pid	Process
2844	jp5LF27.exe
760	su4MH53.exe
5020	YX1Fe44.exe
5028	1Pq82HM6.exe
6876	2Tc6272.exe
1096	7gI28Ql.exe
7536	8hB634Ar.exe
7780	9FB2CI8.exe
7588	B205.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	YX1Fe44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jp5LF27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	su4MH53.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022cff-27.dat	autoit_exe
behavioral1/files/0x0007000000022cff-26.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6876 set thread context of 3280	6876	2Tc6272.exe	149
PID 7536 set thread context of 7644	7536	8hB634Ar.exe	164
PID 7780 set thread context of 7988	7780	9FB2CI8.exe	170

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5196	sc.exe
7900	sc.exe
6984	sc.exe
7088	sc.exe
7216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3772	3280	WerFault.exe	149

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7gI28Ql.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7gI28Ql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7gI28Ql.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1704	msedge.exe
1704	msedge.exe
4956	msedge.exe
4956	msedge.exe
5492	msedge.exe
5492	msedge.exe
2536	msedge.exe
2536	msedge.exe
5884	msedge.exe
5884	msedge.exe
1096	7gI28Ql.exe
1096	7gI28Ql.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1096	7gI28Ql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeDebugPrivilege	7588	B205.exe
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
5028	1Pq82HM6.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
5028	1Pq82HM6.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe
5028	1Pq82HM6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2844	4072	64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe	90
PID 4072 wrote to memory of 2844	4072	64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe	90
PID 4072 wrote to memory of 2844	4072	64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe	90
PID 2844 wrote to memory of 760	2844	jp5LF27.exe	92
PID 2844 wrote to memory of 760	2844	jp5LF27.exe	92
PID 2844 wrote to memory of 760	2844	jp5LF27.exe	92
PID 760 wrote to memory of 5020	760	su4MH53.exe	93
PID 760 wrote to memory of 5020	760	su4MH53.exe	93
PID 760 wrote to memory of 5020	760	su4MH53.exe	93
PID 5020 wrote to memory of 5028	5020	YX1Fe44.exe	94
PID 5020 wrote to memory of 5028	5020	YX1Fe44.exe	94
PID 5020 wrote to memory of 5028	5020	YX1Fe44.exe	94
PID 5028 wrote to memory of 2056	5028	1Pq82HM6.exe	97
PID 5028 wrote to memory of 2056	5028	1Pq82HM6.exe	97
PID 5028 wrote to memory of 4908	5028	1Pq82HM6.exe	99
PID 5028 wrote to memory of 4908	5028	1Pq82HM6.exe	99
PID 2056 wrote to memory of 3548	2056	msedge.exe	100
PID 2056 wrote to memory of 3548	2056	msedge.exe	100
PID 4908 wrote to memory of 2648	4908	msedge.exe	101
PID 4908 wrote to memory of 2648	4908	msedge.exe	101
PID 5028 wrote to memory of 2536	5028	1Pq82HM6.exe	102
PID 5028 wrote to memory of 2536	5028	1Pq82HM6.exe	102
PID 2536 wrote to memory of 1312	2536	msedge.exe	103
PID 2536 wrote to memory of 1312	2536	msedge.exe	103
PID 5028 wrote to memory of 4656	5028	1Pq82HM6.exe	104
PID 5028 wrote to memory of 4656	5028	1Pq82HM6.exe	104
PID 4656 wrote to memory of 2700	4656	msedge.exe	105
PID 4656 wrote to memory of 2700	4656	msedge.exe	105
PID 5028 wrote to memory of 4300	5028	1Pq82HM6.exe	106
PID 5028 wrote to memory of 4300	5028	1Pq82HM6.exe	106
PID 4300 wrote to memory of 1488	4300	msedge.exe	107
PID 4300 wrote to memory of 1488	4300	msedge.exe	107
PID 5028 wrote to memory of 3724	5028	1Pq82HM6.exe	108
PID 5028 wrote to memory of 3724	5028	1Pq82HM6.exe	108
PID 3724 wrote to memory of 3216	3724	msedge.exe	109
PID 3724 wrote to memory of 3216	3724	msedge.exe	109
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111
PID 4908 wrote to memory of 4576	4908	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe
"C:\Users\Admin\AppData\Local\Temp\64a42266251406f4fca81f9628b78b2e8b7c45bf095ae217c466bab552490f08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jp5LF27.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jp5LF27.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\su4MH53.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\su4MH53.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YX1Fe44.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YX1Fe44.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pq82HM6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pq82HM6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:3548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,3169082365098241334,7429316150366247533,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
        7⤵
        
        PID:780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,3169082365098241334,7429316150366247533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16638362242746656660,3950904630829540556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16638362242746656660,3950904630829540556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        7⤵
        
        PID:4576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:1312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        7⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
        7⤵
        
        PID:404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        7⤵
        
        PID:5692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        7⤵
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
        7⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
        7⤵
        
        PID:6380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
        7⤵
        
        PID:6444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
        7⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        7⤵
        
        PID:6812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        7⤵
        
        PID:6956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
        7⤵
        
        PID:7116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
        7⤵
        
        PID:5632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        7⤵
        
        PID:6840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
        7⤵
        
        PID:6824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
        7⤵
        
        PID:7140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
        7⤵
        
        PID:5672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
        7⤵
        
        PID:1884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
        7⤵
        
        PID:4796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
        7⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8208 /prefetch:8
        7⤵
        
        PID:8152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8208 /prefetch:8
        7⤵
        
        PID:8168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15912771915720926301,7090147493796484150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8692 /prefetch:1
        7⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:2700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4008006263627762980,12733232860751493304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        7⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4008006263627762980,12733232860751493304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,1666767505380913957,177133598029114578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:3216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13082907403571761375,17829375870806613523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        7⤵
        
        PID:6868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        6⤵
        
        PID:4512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:1504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        6⤵
        
        PID:6088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:5468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        6⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x160,0x170,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:6568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        6⤵
        
        PID:6328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0xa4,0x16c,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
        7⤵
        
        PID:6404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tc6272.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tc6272.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5496
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5404
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 540
        7⤵
        Program crash
        
        PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7gI28Ql.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7gI28Ql.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8hB634Ar.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8hB634Ar.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:7644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9FB2CI8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9FB2CI8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:7780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3280 -ip 3280
1⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\B205.exe
C:\Users\Admin\AppData\Local\Temp\B205.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:5736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1e5146f8,0x7ffe1e514708,0x7ffe1e514718
    3⤵
    PID:5776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:5808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    3⤵
    PID:8064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:8100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
    3⤵
    PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
    3⤵
    PID:7936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
    3⤵
    PID:7336
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
    3⤵
    PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
    3⤵
    PID:6468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,14026770027938026738,14322869677501598680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:7852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\F549.exe
C:\Users\Admin\AppData\Local\Temp\F549.exe
1⤵
PID:6752
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:6728
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:5520
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:6196
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:5616
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:4996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:6524
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:7820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7708
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3568
- C:\Users\Admin\AppData\Local\Temp\forc.exe
  "C:\Users\Admin\AppData\Local\Temp\forc.exe"
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:3592

C:\Users\Admin\AppData\Local\Temp\F8A5.exe
C:\Users\Admin\AppData\Local\Temp\F8A5.exe
1⤵
PID:6920
- C:\Users\Admin\AppData\Local\Temp\F8A5.exe
  C:\Users\Admin\AppData\Local\Temp\F8A5.exe
  2⤵
  PID:5548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\9F56.exe
C:\Users\Admin\AppData\Local\Temp\9F56.exe
1⤵
PID:6764
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
  2⤵
  PID:6052

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:3624
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7900
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6984
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:7088
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7216
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5196

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5184
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:7828
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5304
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4896
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6844

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6632

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\2E68.exe
C:\Users\Admin\AppData\Local\Temp\2E68.exe
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\308C.exe
C:\Users\Admin\AppData\Local\Temp\308C.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\3204.exe
C:\Users\Admin\AppData\Local\Temp\3204.exe
1⤵
PID:6184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25189300c19c8d07d07f0ec5b9ac8df0

SHA1
8c38360db6ac069df9f203b225348ac699f020b7

SHA256
80664f48abed2305dc6c625d5faabd9c6cfb91a495b3978799e29f6c686a85f6

SHA512
8ba104d264ba9f10b6c60a2a51e0fb6ded1555acca091d16899f49da1635d4372ff5c8813dc02abb0732dce6c0d529708938abd54e2fcf24cd04fb9f7301f862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd57206d74e68e1f70796d0fda0bf24a

SHA1
dbdcb840eae95928031d3e99994d2cdf651ec85b

SHA256
8af9526122c3e5f3d3840c5442672e5c2240c09ed4b01d7252e931c770fbe196

SHA512
1d2b643233f4ec20715020c18fb795eb2648125462e0bfe557c991a0e0048d71c85570e37f45a20c38bc88f1f4141c6e24b1da904af08eb3ec8d21305ad5583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ee6ada6f85245d77550c6c2bd851c6b0

SHA1
489fbd744de38f0b9959692ca72e1568f869a6f8

SHA256
35b18d1e2fd894866366c961eb0a949c6b6448a3733cb16d7a0f3bb24018a691

SHA512
ea31633732107b38e337d8aa9245cc350418496bc23edbdbf135d6122dfe2ed1291150d8b405c6039735d55a70671ed1fb4dc2dd326b3b0ea5d28659012522b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02e54cdfc696286272c1ff07b4f1b1b3

SHA1
71f9f02f7db55fbb8b09f1c7b9a874886cea56db

SHA256
603bc8c63ca3125126fd52c567ba82f63f40bf6786a6a2c980208d8916565966

SHA512
1d7f69fbc42b9638443999053ce0d2ea51ec85495a2526ae5af8535ecd976c577389a54e6520c5954175306fc210d0ee98f318026babb249c4b059f9ab2894eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b626c903c4f7b0f06605bf5986af48f8

SHA1
630271853e34962d66eab9f831e7e48ed15a7add

SHA256
03ec39b897b39fb4b50dad89f602dc4d5c8a632ad7d7f2e7db7deb48ab83aec1

SHA512
e519629ab109d99c97b2e8aaa8964d2783a988a7c007a7b143ba1855dacf508ddd86dcd9955dca8cd61edc75b1e0fb791bec1ed2391d534ba541dbac2e1ae213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d16fd68cb1c1188e2c63c3a4561ab056

SHA1
01572bdbf646d78b81f03e3af7be3c4c4eb53ba6

SHA256
98a90b797c45b74ea9e0a06402c0ef8e4c11c2fcc2c3885fa518e088210d6a9d

SHA512
49018807f328fe58a01ae2bf9cfa35bdc6b02b4ab4cecf9c09cc9bd6a082896383e83cae6f031ea07756b1b06f8163d8ca117e476a18c7789d032e21c829a4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f059bad989b9e78e36f5dd52a782b131

SHA1
6422f0cce8b7849d96bb1bf07474cf1fba354e9e

SHA256
d4f422cfd75944bc7f3736bc3b5a6921c11303a0713c4c3ff8357fd98ae5a884

SHA512
e25add10d075af0a5ff457e9f46e3482338ed9d6be276e774057e56374042138648d0149eaa3ce2fabc71fbbef658b4a650f3e987cf179c8c4a0f2c6b77a83e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da8dc1371eb8157c1f3933178c8a66cf

SHA1
e919c43fb55dedcbc965226faa9e0010f5ba6a0b

SHA256
474330308a99321353a57face282c49aa62dbba86aa05f1f35d8d5d02dcd9593

SHA512
155315e19f82f4bd787bb3c7b33299faab5f5b5655c6de8b73206b4635f2231ed5bd5b0561fadfccb1d4ff8a091beb50752e467f9b1fbb45b837e43e198fe92d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587af7.TMP

Filesize
1KB

MD5
be58ba4659405c458bb5e21692b5caf7

SHA1
4a278fd6eaafa36668937187768304a753be0e9d

SHA256
5a6c18e3b81a562f3151842589a552c34db15912a63bb451985f9fe2a52c36eb

SHA512
c83b6a4e28e02485922d820589ae2fdc9a533244f237b50829b065279eca98d4ee39b5a2f6fa68156f4b8d4712a47f46cf0b38b1eda02a8c055ed2741aa5e970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
86b8d01bba5e9ed9eede82ba677b2177

SHA1
a1bb820019076d0d9798181b13d7f4ab12134408

SHA256
ffa27f30182fe14277f3f27894f37ccb37afcaaef19298f9bfe7017c74f0dc68

SHA512
e8cbfa1885a314518ef881294b29e8198c4a8dc89fba358d222e7bb954211b3968843fd6aa4f03f6a25dbbfddd97387525be30a7a02f3fd01a606cc8130ad881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
86b8d01bba5e9ed9eede82ba677b2177

SHA1
a1bb820019076d0d9798181b13d7f4ab12134408

SHA256
ffa27f30182fe14277f3f27894f37ccb37afcaaef19298f9bfe7017c74f0dc68

SHA512
e8cbfa1885a314518ef881294b29e8198c4a8dc89fba358d222e7bb954211b3968843fd6aa4f03f6a25dbbfddd97387525be30a7a02f3fd01a606cc8130ad881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
afd2d48e63b19013ed227374b3320118

SHA1
a580e22119b13da050dc5bec908626fcd5603023

SHA256
63347a685c2852ab93eb6914b51d3bb2e4fc51fe3f344c149f25e00a37be4a18

SHA512
42f225b5a272478a6a0af5d9303eeb23762a572c7645b9d3947a24374b23ab9d6fd11240f94f587e8e0f29c0cebab0722133df26d96ec4ee9498aa1525bd2f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
afd2d48e63b19013ed227374b3320118

SHA1
a580e22119b13da050dc5bec908626fcd5603023

SHA256
63347a685c2852ab93eb6914b51d3bb2e4fc51fe3f344c149f25e00a37be4a18

SHA512
42f225b5a272478a6a0af5d9303eeb23762a572c7645b9d3947a24374b23ab9d6fd11240f94f587e8e0f29c0cebab0722133df26d96ec4ee9498aa1525bd2f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4929459b670a689e1a3d0a549b4f104

SHA1
5f74151e53a8f3dae7c2d5d2f7ffb7dc029127a6

SHA256
8a2fa9bb0ac12f5c27757d56f0c5087e0dc7a4ecdcce139e327e7b026f5ca98a

SHA512
c7ad0ea1e9f36f5a93b751541b1ce82ca9d4ab75e00083902df2a84704c09e8d3639cbb81dedd33b9828c35dcfa5e1f7741fb7b4d18d2dc2acae28132f34b0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b244d49e8530e0a74738a5e76981d15c

SHA1
0e5919b2b17269592a35ac0f4f6ac113d9d05f22

SHA256
4efec528f86481baafae1d51de494cead7333dc9387849c9cf5db1dc3d2a1515

SHA512
3d872779807c89074c07439079bdae326cb3d53016755d26f97ea38e2d209f6079dbdd19928165f740ec254c1a5699f7840d8c7c32c5fd9f072650cdc466d06d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
afd2d48e63b19013ed227374b3320118

SHA1
a580e22119b13da050dc5bec908626fcd5603023

SHA256
63347a685c2852ab93eb6914b51d3bb2e4fc51fe3f344c149f25e00a37be4a18

SHA512
42f225b5a272478a6a0af5d9303eeb23762a572c7645b9d3947a24374b23ab9d6fd11240f94f587e8e0f29c0cebab0722133df26d96ec4ee9498aa1525bd2f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
f0e98c5b799d2a41e504824f510f055a

SHA1
455450dc4a25b93120c515eb47a38a8e551bd252

SHA256
8436ae2729eea71d2c8f7208a6d72548a4678ee3eb3758a33e88adfd70577b77

SHA512
e7a91ff01104b2e77fa9aad59277563008cd79b83a2da43569bfc08d69e386f055f76993604d4391e2f42de81f0ba4b0b16dabcf1fe28c2208638d77512738e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
f0e98c5b799d2a41e504824f510f055a

SHA1
455450dc4a25b93120c515eb47a38a8e551bd252

SHA256
8436ae2729eea71d2c8f7208a6d72548a4678ee3eb3758a33e88adfd70577b77

SHA512
e7a91ff01104b2e77fa9aad59277563008cd79b83a2da43569bfc08d69e386f055f76993604d4391e2f42de81f0ba4b0b16dabcf1fe28c2208638d77512738e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
82a785f19bc903ab6ad1ee5900dbf590

SHA1
9311389a42d9e9b69d60c31225532744faad9baa

SHA256
dc39713f5094a2361134b1a168793daea726a05b5c752d580d908cea2edc3cbc

SHA512
3f5a86221c23a31367e06e1739f97ac14b1faee6e656e059157150d2faf0a017fc04636c96f6e61dc6462401878cacd66906cad9c16042bf3b53b600735c0d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b244d49e8530e0a74738a5e76981d15c

SHA1
0e5919b2b17269592a35ac0f4f6ac113d9d05f22

SHA256
4efec528f86481baafae1d51de494cead7333dc9387849c9cf5db1dc3d2a1515

SHA512
3d872779807c89074c07439079bdae326cb3d53016755d26f97ea38e2d209f6079dbdd19928165f740ec254c1a5699f7840d8c7c32c5fd9f072650cdc466d06d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b244d49e8530e0a74738a5e76981d15c

SHA1
0e5919b2b17269592a35ac0f4f6ac113d9d05f22

SHA256
4efec528f86481baafae1d51de494cead7333dc9387849c9cf5db1dc3d2a1515

SHA512
3d872779807c89074c07439079bdae326cb3d53016755d26f97ea38e2d209f6079dbdd19928165f740ec254c1a5699f7840d8c7c32c5fd9f072650cdc466d06d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
86b8d01bba5e9ed9eede82ba677b2177

SHA1
a1bb820019076d0d9798181b13d7f4ab12134408

SHA256
ffa27f30182fe14277f3f27894f37ccb37afcaaef19298f9bfe7017c74f0dc68

SHA512
e8cbfa1885a314518ef881294b29e8198c4a8dc89fba358d222e7bb954211b3968843fd6aa4f03f6a25dbbfddd97387525be30a7a02f3fd01a606cc8130ad881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
41e55e499fd40e1178e1a870bcef248f

SHA1
0d7aacfce6c65ab7361faffa05b4f53ea226807d

SHA256
bd70b57ced79415284c5e3f2d047e50a84ba449bc2c281f9bf0dd239c7cf914e

SHA512
55bb9217612a27cfd8456728bf5a25531921d78ead5213f352eadcb842cc3086540e124c068dc01a30fe89a6d2afcdb9800271e81d4953a1ec242cbd4b4f5671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
f0e98c5b799d2a41e504824f510f055a

SHA1
455450dc4a25b93120c515eb47a38a8e551bd252

SHA256
8436ae2729eea71d2c8f7208a6d72548a4678ee3eb3758a33e88adfd70577b77

SHA512
e7a91ff01104b2e77fa9aad59277563008cd79b83a2da43569bfc08d69e386f055f76993604d4391e2f42de81f0ba4b0b16dabcf1fe28c2208638d77512738e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aeea0542f9670f58380071880f86f134

SHA1
51257ecaab0a9d7008aa94cf2b1b6fb68a4bd1fa

SHA256
e9bb380f8d88be57b794debb0f09bc1a5c79e838ebbdc6721e30f4be2deb33e8

SHA512
9f0cd5be6d2690fbe297703bb5472b695172edd012b7d4d36a96b46abc7a3b0d6bfedfb8e059c4ec6e88887b2bd5f2539b48852bbc8f7066b0b407dd0f2a2b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d806b208-60e1-4d5f-9d39-a49fc0ce72b6.tmp

Filesize
2KB

MD5
41e55e499fd40e1178e1a870bcef248f

SHA1
0d7aacfce6c65ab7361faffa05b4f53ea226807d

SHA256
bd70b57ced79415284c5e3f2d047e50a84ba449bc2c281f9bf0dd239c7cf914e

SHA512
55bb9217612a27cfd8456728bf5a25531921d78ead5213f352eadcb842cc3086540e124c068dc01a30fe89a6d2afcdb9800271e81d4953a1ec242cbd4b4f5671

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
a98f00f0876312e7f85646d2e4fe9ded

SHA1
5d6650725d89fea37c88a0e41b2486834a8b7546

SHA256
787892fff0e39d65ccf86bb7f945be728287aaf80064b7acc84b9122e49d54e6

SHA512
f5ca9ec79d5639c06727dd106e494a39f12de150fbfbb0461d5679aed6a137b3781eedf51beaf02b61d183991d8bca4c08a045a83412525d1e28283856fa3802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jp5LF27.exe

Filesize
1002KB

MD5
b6f3cdff22b58d92fd08a4f086c8b0a2

SHA1
1f8f828c5bc9b57cc35378fec42871fa585fd00b

SHA256
65ddf626991ac5039702cbaf5c9432fd4c7a603848b84d7188a41ac871f693c8

SHA512
9a2f209838b2a2f2e49c945e94efa9dc1b868c5223bf3c673ed415f95f798c522e0156d76d4b4763223f2cd8337bfd4d8dd0deeb805e00094bab2689992a88eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jp5LF27.exe

Filesize
1002KB

MD5
b6f3cdff22b58d92fd08a4f086c8b0a2

SHA1
1f8f828c5bc9b57cc35378fec42871fa585fd00b

SHA256
65ddf626991ac5039702cbaf5c9432fd4c7a603848b84d7188a41ac871f693c8

SHA512
9a2f209838b2a2f2e49c945e94efa9dc1b868c5223bf3c673ed415f95f798c522e0156d76d4b4763223f2cd8337bfd4d8dd0deeb805e00094bab2689992a88eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\su4MH53.exe

Filesize
781KB

MD5
055a2e829502a3c2671f934eccb2c49a

SHA1
b2231aa410d065f6fabd7d4b1e4dfe84f86bd6f0

SHA256
97f2ffd9ebe5b7dfd47e3b21da5afabef28a841223ef7997b9ac7d1d1799464a

SHA512
c98e62138f2b441fda36aeffc108aafb1ce86331a055da155bd5c1096c832fc452739a1729f1d1edc0b0d29ded66d4967c9c225cf94a2fa126a9568ae2bd7632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\su4MH53.exe

Filesize
781KB

MD5
055a2e829502a3c2671f934eccb2c49a

SHA1
b2231aa410d065f6fabd7d4b1e4dfe84f86bd6f0

SHA256
97f2ffd9ebe5b7dfd47e3b21da5afabef28a841223ef7997b9ac7d1d1799464a

SHA512
c98e62138f2b441fda36aeffc108aafb1ce86331a055da155bd5c1096c832fc452739a1729f1d1edc0b0d29ded66d4967c9c225cf94a2fa126a9568ae2bd7632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7gI28Ql.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7gI28Ql.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YX1Fe44.exe

Filesize
656KB

MD5
eefce54ae98ccb02ef20e4b533ded67f

SHA1
4b73d848fbec2a72a54201445e85e9db953ab15c

SHA256
1a61b004056aa3a3d5661b6ce69dd97a964130ef62edf9022c1710fd4d0c34e5

SHA512
3e507035839550d641aa2999a277244bdc417644b780a2447534bcd1ad89fa0bb9dd3e009481ab0e3cc8fde22644f530e74cc0d2a42903fcdaadc73681a09973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YX1Fe44.exe

Filesize
656KB

MD5
eefce54ae98ccb02ef20e4b533ded67f

SHA1
4b73d848fbec2a72a54201445e85e9db953ab15c

SHA256
1a61b004056aa3a3d5661b6ce69dd97a964130ef62edf9022c1710fd4d0c34e5

SHA512
3e507035839550d641aa2999a277244bdc417644b780a2447534bcd1ad89fa0bb9dd3e009481ab0e3cc8fde22644f530e74cc0d2a42903fcdaadc73681a09973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pq82HM6.exe

Filesize
895KB

MD5
f19f1d23ac17e4b697b5cb677a433978

SHA1
e224f85d7ba68aa8e6ae729bf9e58b1b20158890

SHA256
7dbe6f319f343bf1dd50a27d6154942919c13d922f85ec7672abcab3b6059328

SHA512
43a20fe7a6ecf6a265be9e2ebb7136eb39320b4892eb8f47b61278ca1f87f7f81dc62a4dba22c9b4a3f37e329886430185e1fb8c3f736e57de059898eec8720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pq82HM6.exe

Filesize
895KB

MD5
f19f1d23ac17e4b697b5cb677a433978

SHA1
e224f85d7ba68aa8e6ae729bf9e58b1b20158890

SHA256
7dbe6f319f343bf1dd50a27d6154942919c13d922f85ec7672abcab3b6059328

SHA512
43a20fe7a6ecf6a265be9e2ebb7136eb39320b4892eb8f47b61278ca1f87f7f81dc62a4dba22c9b4a3f37e329886430185e1fb8c3f736e57de059898eec8720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tc6272.exe

Filesize
276KB

MD5
357705539a204b2e73dee62339f55700

SHA1
4be1fa76aec7abd5e53dd9f9ae00208c6e47085d

SHA256
a11aeebd99f283c59615822d1d0870f96d7abd0e5a3a01b36cd7c9caed595c12

SHA512
c28a98090d8b57806866f369f8b8ddfe1c43726fbf655616aac8b83f62a661ec0f98067a5a21a566c78d68444a41ca1675864d1dc7b08e9aacfce749b56fc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Tc6272.exe

Filesize
276KB

MD5
357705539a204b2e73dee62339f55700

SHA1
4be1fa76aec7abd5e53dd9f9ae00208c6e47085d

SHA256
a11aeebd99f283c59615822d1d0870f96d7abd0e5a3a01b36cd7c9caed595c12

SHA512
c28a98090d8b57806866f369f8b8ddfe1c43726fbf655616aac8b83f62a661ec0f98067a5a21a566c78d68444a41ca1675864d1dc7b08e9aacfce749b56fc4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20htd0zv.53h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
6f38e2c344007fa6c5a609f3baa82894

SHA1
9296d861ae076ebddac76b490c2e56fcd0d63c6d

SHA256
fb1b0639a3bdd51f914bf71948d88555e1bbb9de0937f8fa94e7aa38a8d6ab9f

SHA512
5432ab0139ee88a7b509d60ed39d3b69f7c38fe94613b3d72cc4480112d95b2cbf7652438801e7e7956aca73d6ebc870851814bec0082f4d77737a024990e059

Download Submit
memory/1096-320-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-270-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1416-820-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1416-810-0x0000000002AC0000-0x0000000002EB9000-memory.dmp

Filesize
4.0MB

Download
memory/1416-816-0x0000000002EC0000-0x00000000037AB000-memory.dmp

Filesize
8.9MB

Download
memory/2760-1564-0x00007FFE1A2C0000-0x00007FFE1AD81000-memory.dmp

Filesize
10.8MB

Download
memory/2760-1565-0x00000277ACFD0000-0x00000277ACFE0000-memory.dmp

Filesize
64KB

Download
memory/3272-788-0x000000000086D000-0x0000000000880000-memory.dmp

Filesize
76KB

Download
memory/3272-792-0x0000000000800000-0x0000000000809000-memory.dmp

Filesize
36KB

Download
memory/3280-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-318-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/4528-1154-0x0000000000A50000-0x0000000000C7D000-memory.dmp

Filesize
2.2MB

Download
memory/4528-687-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4528-650-0x0000000000A50000-0x0000000000C7D000-memory.dmp

Filesize
2.2MB

Download
memory/5520-648-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/5520-1414-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/5548-705-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-676-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-1542-0x00007FFE1A2C0000-0x00007FFE1AD81000-memory.dmp

Filesize
10.8MB

Download
memory/5548-670-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-668-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-665-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-666-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-672-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-701-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-697-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-686-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-663-0x00000227BC830000-0x00000227BC840000-memory.dmp

Filesize
64KB

Download
memory/5548-690-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-1544-0x00000227BC830000-0x00000227BC840000-memory.dmp

Filesize
64KB

Download
memory/5548-674-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-684-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-682-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-664-0x00000227BC700000-0x00000227BC7E4000-memory.dmp

Filesize
912KB

Download
memory/5548-680-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-678-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5548-661-0x00007FFE1A2C0000-0x00007FFE1AD81000-memory.dmp

Filesize
10.8MB

Download
memory/5548-658-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5548-709-0x00000227BC700000-0x00000227BC7E1000-memory.dmp

Filesize
900KB

Download
memory/5616-1441-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/5616-1446-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/5616-1454-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/5616-1417-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/5616-1422-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/5616-1421-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/5616-1419-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/5616-1413-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download
memory/5616-1482-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/5616-1517-0x0000000006AB0000-0x0000000006AF4000-memory.dmp

Filesize
272KB

Download
memory/6196-794-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6196-959-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6752-591-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/6752-660-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/6752-592-0x00000000003F0000-0x000000000108C000-memory.dmp

Filesize
12.6MB

Download
memory/6920-662-0x00007FFE1A2C0000-0x00007FFE1AD81000-memory.dmp

Filesize
10.8MB

Download
memory/6920-622-0x000001B2A2EF0000-0x000001B2A2FB8000-memory.dmp

Filesize
800KB

Download
memory/6920-632-0x000001B28A3D0000-0x000001B28A41C000-memory.dmp

Filesize
304KB

Download
memory/6920-611-0x000001B2A2C40000-0x000001B2A2D20000-memory.dmp

Filesize
896KB

Download
memory/6920-620-0x000001B2A2D20000-0x000001B2A2DE8000-memory.dmp

Filesize
800KB

Download
memory/6920-608-0x000001B2A2B60000-0x000001B2A2C40000-memory.dmp

Filesize
896KB

Download
memory/6920-604-0x00007FFE1A2C0000-0x00007FFE1AD81000-memory.dmp

Filesize
10.8MB

Download
memory/6920-607-0x000001B28A420000-0x000001B28A430000-memory.dmp

Filesize
64KB

Download
memory/6920-596-0x000001B288540000-0x000001B28862E000-memory.dmp

Filesize
952KB

Download
memory/7588-537-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/7588-530-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/7588-547-0x0000000002240000-0x0000000002290000-memory.dmp

Filesize
320KB

Download
memory/7588-543-0x00000000092C0000-0x00000000092DE000-memory.dmp

Filesize
120KB

Download
memory/7588-542-0x0000000008C90000-0x00000000091BC000-memory.dmp

Filesize
5.2MB

Download
memory/7588-541-0x0000000008AB0000-0x0000000008C72000-memory.dmp

Filesize
1.8MB

Download
memory/7588-538-0x00000000089D0000-0x0000000008A46000-memory.dmp

Filesize
472KB

Download
memory/7588-576-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7588-534-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/7588-527-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/7588-532-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7644-372-0x0000000007FA0000-0x0000000007FEC000-memory.dmp

Filesize
304KB

Download
memory/7644-362-0x0000000008DF0000-0x0000000009408000-memory.dmp

Filesize
6.1MB

Download
memory/7644-546-0x0000000007DF0000-0x0000000007E00000-memory.dmp

Filesize
64KB

Download
memory/7644-371-0x0000000007F30000-0x0000000007F6C000-memory.dmp

Filesize
240KB

Download
memory/7644-368-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/7644-367-0x00000000080B0000-0x00000000081BA000-memory.dmp

Filesize
1.0MB

Download
memory/7644-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7644-337-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7644-338-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/7644-533-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/7644-339-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/7644-345-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/7644-340-0x0000000007DF0000-0x0000000007E00000-memory.dmp

Filesize
64KB

Download
memory/7988-359-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/7988-363-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/7988-364-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/7988-366-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download