mystic | bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6

Analysis

max time kernel
55s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac306b384e51e4e70c374d6cfaf43bb9.exe
Size

1.3MB
MD5

ac306b384e51e4e70c374d6cfaf43bb9
SHA1

e39453aeb15b662ff2e946b7fe72dd0e69a7a73a
SHA256

bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6
SHA512

435688a7668c3f09490e49b92e3da471f58883f84e60868ac72cb1c340bb6d02444535142effbe6205b58d1d7fc8853c977568f7560008625347a2b79a88a695
SSDEEP

24576:Dye30QZcF5h3/M0QZ3eae9IshCMGGCdD8bDdN+TKf0EhxTYnOKjVgQ9FDfEUpeRb:We3gTrQ9neu4JGbaz3YO099FDL

Score

10^/10

mystic redline taiga infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6500-211-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6500-214-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6500-215-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6500-217-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/7152-238-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1996	DM2gf65.exe
64	zi0AJ10.exe
2300	10bl57dV.exe
6276	11df5456.exe
5864	12cT536.exe
5812	13gW496.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac306b384e51e4e70c374d6cfaf43bb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DM2gf65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zi0AJ10.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022dde-19.dat	autoit_exe
behavioral1/files/0x0007000000022dde-20.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6276 set thread context of 6500	6276	11df5456.exe	145
PID 5864 set thread context of 7152	5864	12cT536.exe	150
PID 5812 set thread context of 6856	5812	13gW496.exe	153

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	6500	WerFault.exe	145

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
844	msedge.exe
3908	msedge.exe
844	msedge.exe
3908	msedge.exe
4892	msedge.exe
4892	msedge.exe
3024	msedge.exe
3024	msedge.exe
5684	msedge.exe
5684	msedge.exe
6208	msedge.exe
6208	msedge.exe
5108	identity_helper.exe
5108	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
2300	10bl57dV.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
2300	10bl57dV.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
3024	msedge.exe
2300	10bl57dV.exe
2300	10bl57dV.exe
2300	10bl57dV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1996	2128	ac306b384e51e4e70c374d6cfaf43bb9.exe	89
PID 2128 wrote to memory of 1996	2128	ac306b384e51e4e70c374d6cfaf43bb9.exe	89
PID 2128 wrote to memory of 1996	2128	ac306b384e51e4e70c374d6cfaf43bb9.exe	89
PID 1996 wrote to memory of 64	1996	DM2gf65.exe	90
PID 1996 wrote to memory of 64	1996	DM2gf65.exe	90
PID 1996 wrote to memory of 64	1996	DM2gf65.exe	90
PID 64 wrote to memory of 2300	64	zi0AJ10.exe	91
PID 64 wrote to memory of 2300	64	zi0AJ10.exe	91
PID 64 wrote to memory of 2300	64	zi0AJ10.exe	91
PID 2300 wrote to memory of 1072	2300	10bl57dV.exe	92
PID 2300 wrote to memory of 1072	2300	10bl57dV.exe	92
PID 2300 wrote to memory of 2332	2300	10bl57dV.exe	96
PID 2300 wrote to memory of 2332	2300	10bl57dV.exe	96
PID 1072 wrote to memory of 2096	1072	msedge.exe	95
PID 1072 wrote to memory of 2096	1072	msedge.exe	95
PID 2332 wrote to memory of 644	2332	msedge.exe	97
PID 2332 wrote to memory of 644	2332	msedge.exe	97
PID 2300 wrote to memory of 3024	2300	10bl57dV.exe	98
PID 2300 wrote to memory of 3024	2300	10bl57dV.exe	98
PID 3024 wrote to memory of 1892	3024	msedge.exe	99
PID 3024 wrote to memory of 1892	3024	msedge.exe	99
PID 2300 wrote to memory of 4432	2300	10bl57dV.exe	100
PID 2300 wrote to memory of 4432	2300	10bl57dV.exe	100
PID 4432 wrote to memory of 5004	4432	msedge.exe	101
PID 4432 wrote to memory of 5004	4432	msedge.exe	101
PID 2300 wrote to memory of 4400	2300	10bl57dV.exe	102
PID 2300 wrote to memory of 4400	2300	10bl57dV.exe	102
PID 4400 wrote to memory of 3588	4400	msedge.exe	103
PID 4400 wrote to memory of 3588	4400	msedge.exe	103
PID 2300 wrote to memory of 1260	2300	10bl57dV.exe	106
PID 2300 wrote to memory of 1260	2300	10bl57dV.exe	106
PID 1260 wrote to memory of 2828	1260	msedge.exe	105
PID 1260 wrote to memory of 2828	1260	msedge.exe	105
PID 2300 wrote to memory of 4304	2300	10bl57dV.exe	107
PID 2300 wrote to memory of 4304	2300	10bl57dV.exe	107
PID 4304 wrote to memory of 888	4304	msedge.exe	115
PID 4304 wrote to memory of 888	4304	msedge.exe	115
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114
PID 3024 wrote to memory of 420	3024	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\ac306b384e51e4e70c374d6cfaf43bb9.exe
"C:\Users\Admin\AppData\Local\Temp\ac306b384e51e4e70c374d6cfaf43bb9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DM2gf65.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DM2gf65.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi0AJ10.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi0AJ10.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10bl57dV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10bl57dV.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:2096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,8002292111214489183,1279127198142404789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        6⤵
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,8002292111214489183,1279127198142404789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7442387010739517531,6404089406610975053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7442387010739517531,6404089406610975053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:4412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x48,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
        6⤵
        
        PID:4988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        6⤵
        
        PID:420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        
        PID:5516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        6⤵
        
        PID:5624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
        6⤵
        
        PID:5816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
        6⤵
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
        6⤵
        
        PID:6240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
        6⤵
        
        PID:6428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        6⤵
        
        PID:6792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        6⤵
        
        PID:6784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        6⤵
        
        PID:6764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
        6⤵
        
        PID:6992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
        6⤵
        
        PID:7136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
        6⤵
        
        PID:6332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
        6⤵
        
        PID:5688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
        6⤵
        
        PID:5596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
        6⤵
        
        PID:5336
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9320 /prefetch:8
        6⤵
        
        PID:5640
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9320 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9400 /prefetch:1
        6⤵
        
        PID:5600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9356 /prefetch:1
        6⤵
        
        PID:5404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:1
        6⤵
        
        PID:6732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11238013392184998653,5644016695821494562,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7924 /prefetch:2
        6⤵
        
        PID:2840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:5004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14630046036720177556,4698406477065411814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14630046036720177556,4698406477065411814,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:3588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,17834449042929327753,4405259754769933361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,10316741990959435113,17449557325582411481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        6⤵
        
        PID:6724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        
        PID:5800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        
        PID:6452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:6504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:6920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
        6⤵
        
        PID:7008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11df5456.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11df5456.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6276
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:6500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 540
        6⤵
        Program crash
        
        PID:4584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12cT536.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12cT536.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:7152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gW496.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gW496.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
1⤵
PID:2828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff9303c46f8,0x7ff9303c4708,0x7ff9303c4718
1⤵
PID:5964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6500 -ip 6500
1⤵
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9d3b1598-839d-445d-b860-2a4a5618c67a.tmp

Filesize
2KB

MD5
939d7aa59b1cf5a78d4b5d4a7e690a18

SHA1
ff4b736a663089107a91158825b8ec39f3e28050

SHA256
f2fa4ae19b67ac97944a61e4f5ac55e114bb08efb8ee709abb0b293067d0e12c

SHA512
4692f41f4acd298e5b9278c77fa85e917c9dcf3c4478aaf0d4efef4f3b7889bc84a192f6dc60eb7a723be83e55ea788ed8179510937f39be4fa6b4a2318cfca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
33KB

MD5
fdbf5bcfbb02e2894a519454c232d32f

SHA1
5e225710e9560458ac032ab80e24d0f3cb81b87a

SHA256
d9315d0678ac213bbe2c1de27528f82fd40dbff160f5a0c19850f891da29ea1c

SHA512
9eb86ebb1b50074df9bd94f7660df6f362b5a46411b35ce820740f629f8ef77f0b49a95c5550441a7db2b2638f0ed3d0204cb8f8c76391c05401506833b8c916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
224KB

MD5
4e08109ee6888eeb2f5d6987513366bc

SHA1
86340f5fa46d1a73db2031d80699937878da635e

SHA256
bf44187e1683e78d3040bcef6263e25783c6936096ff0a621677d411dd9d1339

SHA512
4e477fd9e58676c0e00744dbe3421e528dd2faeca2ab998ebbeb349b35bb3711dcf78d8c9e7adba66b4d681d1982c31cac42024c8b19e19537a5615dac39c661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
52b80e248b6d4b98251d4624b7fefe7b

SHA1
b8aaa2af0af172d2bbce5e06be7e5d9cba5a489c

SHA256
abb2b3c2a57e73986be15a11397b0f732e5fee5fc45a26e55e4322bb3b456a0a

SHA512
0350b98e075609c3bdfda930e2c74ed5ebe921983cd24deae9a36989fa6e7b8c08336052037dffe72f011bef0253035d30208dffb94b42be0796f21e2cb4ad79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
51f3a8389c84dcb121f0416beb05e401

SHA1
4396d03384c3f0bdab373628fe1fc21370944133

SHA256
528db5d81c0e9d016b043a70f579dedcf415d0d80619123245d61cb017ca4158

SHA512
234b9fd9ec734b299cc5c39a79ef7ac87539e3b99fbbd794b3f952dd92d6e5eb968262aa0e9421c2763574c8f11bc800573e60bb6f230accd04ef8cec0219192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f03f7df4b6bd2306873884560879e715

SHA1
066516839731e63dd3b23e8b29bc544bc8743f03

SHA256
d341d7da7819244a3b577f425bcbd2f013f40f4ad8a2a9275b0622758533c1d4

SHA512
b2a8dd73347deef8b428d0ff49f10516801f7e6a319e8ecee27ae0e4618a6bcc84eeae24231f98fa67b47fe9334b130faadf35ba6c9525ecebb9c49e36e5ee2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5ffdd0287a0bff889ef49dd722909a2

SHA1
e718d4e45fbd36606ff88c0eb612024f80ad276b

SHA256
3b6c5acc822b4493f6900cb2212d722b57e0b96bfdfa78d2cf3d5b4dfc159795

SHA512
4eac4d2983b5aaccece2cef2e946632ea7eb4924f85cec57a1498950a975073dd2f7004427436b1dd987494060c9890160336265e49de2c88c4e57b1b3905808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b8737e823dd9c56592b5c4c68bc988fb

SHA1
591eae1f3c3b1cbcd09be5d69a0d60212310e03c

SHA256
244ca5cc526d8ebf41a8a22952b3f1a7df875d4d806414ed78a66fab4fc967da

SHA512
f1ce093463fdc4ed9834115509f187b9c78feb49f9e33555637a3dcf78fc4b994c6814753c920624fb813d1842fcb9786b6591bc645d9de56d89f2ff1c10faf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b8abe9b2d273da395ec7c5c0f376f32

SHA1
d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec

SHA256
3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99

SHA512
3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85d69fb10dc3c8703ce7f8ef83d2f02b

SHA1
4b93e1b20d9b6602742d671a7d64f7ba78d21588

SHA256
f9092f56041046ee306fcb4cdbbaaf6ac32c9a1d7f0d3b3c6375e7678e3fbd15

SHA512
54dd8a957e4f5201817a00f0f66490f7d664688197f10ac33578a3fb21e22566b2b9b6d5bff90926e1e85cd7aaa71e1bb81f4443ebae2122c32d12916559e28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f859eeab2b8376ccecf9f8016d60a5a

SHA1
b7dc6aff8b7c3a4f12cdef9eaf8a5879c9f20c9a

SHA256
08174833098b903d050858a7829960e611eb6a70d89ed99770d8036c55f3f800

SHA512
085dd9315ecd61b5dc7f51ec2a5c3b8ef5ef9841e89caaabf7359b48de093dffa97d495cecf4a0e63b82637f35badb7cb7dba519e8005888165da5c8720d16e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e2aef8dc9dab8830cdb04c5f44f0d97

SHA1
30a99d0958497cb1a5cee0d235d0443789cb3447

SHA256
4dd6fe4170270a0dfb25ad7309dbe599bc3126b92e7499a7f7af9ee770b36432

SHA512
8fdeb8279619a61d5372a4c1e119600ca1b21ac85a749546d9f574a61f46fd1e41e7081077d5eaf9331a92fcea2c69b9ee2b09f3a7955046616feb12c637b3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3764df147a6a408334bfe66eed15b15

SHA1
e7cdd67e58cbfb3b5b7849730999c82436e7ac65

SHA256
21997f65cd011b8acfb67864045c35877df6fa43585968abf030483046e10bc2

SHA512
4bb91c1586dd80fb52291f13ef5c927d929f04744f6026f220a64355a07ae7580cfe5b287f414c57260311ae9e1694c6dfc4d2bfb9c66dc6e40c321fbe3c8af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583a55.TMP

Filesize
1KB

MD5
47f908051555934f3eb532773d05d555

SHA1
7f94fbc508189c46ac15b8fb424a43d214c51447

SHA256
72cea604abe6f6e5591d08b4258e1b1c612df5cf5c4d8aae5f643418eccd4e04

SHA512
a02bebc022275fe20d0bc4cbbf24675e0dffe29815edcbcfe63b8dc497f9b085c2b7c8d70257d7a6398e435db95700cf19677783d28dad43a3419540437050c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
961a1c4e61a99f83008e3be4cc47875f

SHA1
07808722911d52919ea4e3d09c294236f299a4a3

SHA256
9c30db5b957c493722c6380c83e8afc7b45ea7ebddb55681f13f24c267e6e1ca

SHA512
1128215386e00b6ed3cfb3a273c87d584ce1a9b742a9d662b751933a0eb983daa3f394974ea0ef7eef83090b94e18525d2edbe7d38a05ebbd36029c519e99487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
961a1c4e61a99f83008e3be4cc47875f

SHA1
07808722911d52919ea4e3d09c294236f299a4a3

SHA256
9c30db5b957c493722c6380c83e8afc7b45ea7ebddb55681f13f24c267e6e1ca

SHA512
1128215386e00b6ed3cfb3a273c87d584ce1a9b742a9d662b751933a0eb983daa3f394974ea0ef7eef83090b94e18525d2edbe7d38a05ebbd36029c519e99487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
939d7aa59b1cf5a78d4b5d4a7e690a18

SHA1
ff4b736a663089107a91158825b8ec39f3e28050

SHA256
f2fa4ae19b67ac97944a61e4f5ac55e114bb08efb8ee709abb0b293067d0e12c

SHA512
4692f41f4acd298e5b9278c77fa85e917c9dcf3c4478aaf0d4efef4f3b7889bc84a192f6dc60eb7a723be83e55ea788ed8179510937f39be4fa6b4a2318cfca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c24d6a64f9997663d5f5ec382473b56

SHA1
3cb683340eaa94a498b76821eaa116b864c2d726

SHA256
0b9330d350e2fc85fcb818f82774b7d43dc08f0d89bbbdc7844428a71c52a7eb

SHA512
beb0241d1d78b33c7c2d9155689aa3d76e0e03148c337b211297cc7388f22c183787e9c611af3081f9a6f116537762cddfbb585623ea6c787f9cef579ebb6cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
939d7aa59b1cf5a78d4b5d4a7e690a18

SHA1
ff4b736a663089107a91158825b8ec39f3e28050

SHA256
f2fa4ae19b67ac97944a61e4f5ac55e114bb08efb8ee709abb0b293067d0e12c

SHA512
4692f41f4acd298e5b9278c77fa85e917c9dcf3c4478aaf0d4efef4f3b7889bc84a192f6dc60eb7a723be83e55ea788ed8179510937f39be4fa6b4a2318cfca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0362c0f3e949fda7c58a1d2765b34420

SHA1
44692f29ebeccc3518772f307e5fe99ab05ba98e

SHA256
0789c8358aef5ded3a1064cda015e50e565031aa5aa701e4d3b1e6d6e5df504c

SHA512
24a4850f497f3a5fdf5b0d7bb547a2cb63a2a1515f4ebb14ceb77bb865c69cca67b05df029aa656e41d4f3a5aab3f947013c8b836dc885d53f40c8e1b7e84e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3e176e0a0e0c3acaa392bfaf85f69d2b

SHA1
7a5f1c05657dc1019773ab42ce9822941b29b788

SHA256
15a2b395fcf43d70fe1a79da94779e96fa0d4195f459d24f39aabe3fcbcee7ba

SHA512
53ca16be40555317c53904ab38351d3a3af851b63506c8c4edecc2b19a1b0d9e382f4b15a847c380edc26ba506b3583485db4208beecae16f67eaa381f4a9973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4e7f04e10e9ef8e7ebc3624f861a035b

SHA1
76608d473fdd9eb31ba9ad4502b12f1172ff59e9

SHA256
4b3b08eae1d53053e3bfff7611490f37ea9848e4eb1293927d8dde0108e2585e

SHA512
12764d351c28013f4f1cc0b44c8a0bf62c4f23b86dcaa59c33d860588336cf3a8dd93232e03faf90eb06fae81fabcbb8194ceb8f00e5fcc160482b2687bd2032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4e7f04e10e9ef8e7ebc3624f861a035b

SHA1
76608d473fdd9eb31ba9ad4502b12f1172ff59e9

SHA256
4b3b08eae1d53053e3bfff7611490f37ea9848e4eb1293927d8dde0108e2585e

SHA512
12764d351c28013f4f1cc0b44c8a0bf62c4f23b86dcaa59c33d860588336cf3a8dd93232e03faf90eb06fae81fabcbb8194ceb8f00e5fcc160482b2687bd2032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c24d6a64f9997663d5f5ec382473b56

SHA1
3cb683340eaa94a498b76821eaa116b864c2d726

SHA256
0b9330d350e2fc85fcb818f82774b7d43dc08f0d89bbbdc7844428a71c52a7eb

SHA512
beb0241d1d78b33c7c2d9155689aa3d76e0e03148c337b211297cc7388f22c183787e9c611af3081f9a6f116537762cddfbb585623ea6c787f9cef579ebb6cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6c24d6a64f9997663d5f5ec382473b56

SHA1
3cb683340eaa94a498b76821eaa116b864c2d726

SHA256
0b9330d350e2fc85fcb818f82774b7d43dc08f0d89bbbdc7844428a71c52a7eb

SHA512
beb0241d1d78b33c7c2d9155689aa3d76e0e03148c337b211297cc7388f22c183787e9c611af3081f9a6f116537762cddfbb585623ea6c787f9cef579ebb6cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
961a1c4e61a99f83008e3be4cc47875f

SHA1
07808722911d52919ea4e3d09c294236f299a4a3

SHA256
9c30db5b957c493722c6380c83e8afc7b45ea7ebddb55681f13f24c267e6e1ca

SHA512
1128215386e00b6ed3cfb3a273c87d584ce1a9b742a9d662b751933a0eb983daa3f394974ea0ef7eef83090b94e18525d2edbe7d38a05ebbd36029c519e99487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
3e176e0a0e0c3acaa392bfaf85f69d2b

SHA1
7a5f1c05657dc1019773ab42ce9822941b29b788

SHA256
15a2b395fcf43d70fe1a79da94779e96fa0d4195f459d24f39aabe3fcbcee7ba

SHA512
53ca16be40555317c53904ab38351d3a3af851b63506c8c4edecc2b19a1b0d9e382f4b15a847c380edc26ba506b3583485db4208beecae16f67eaa381f4a9973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gW496.exe

Filesize
624KB

MD5
24ee775949059a3d0ba0ca79f823c466

SHA1
9c48431ce8364cbc2fda259f46948ea531734346

SHA256
75c477c2bc653e5883831d71eb6add513d4729eb99b9818473b09b872897f9b3

SHA512
5886744e0f5ccd285d846ac67e52c0b4001dc1736553e57ce2dbb90a49504ccd603afff36ce314fb6684c0075a23892555a6ac57efd9376a4a5a60fba086127c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13gW496.exe

Filesize
624KB

MD5
24ee775949059a3d0ba0ca79f823c466

SHA1
9c48431ce8364cbc2fda259f46948ea531734346

SHA256
75c477c2bc653e5883831d71eb6add513d4729eb99b9818473b09b872897f9b3

SHA512
5886744e0f5ccd285d846ac67e52c0b4001dc1736553e57ce2dbb90a49504ccd603afff36ce314fb6684c0075a23892555a6ac57efd9376a4a5a60fba086127c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DM2gf65.exe

Filesize
877KB

MD5
2ff9355e9c3c1d418dc1954ae12be2ae

SHA1
abd823ba6f60d14335e982a044bbcef9cb4e2edd

SHA256
b0eee84b9233543dd0bf17ceefd6044c8605c1c17d26726d2d9e5f245be79ef0

SHA512
b7cc6cc925ca1a6f5ae54f7d7d911e16d647e21fc33025f1e9ec0dd61edead84902d0e40764c70f1964b8c9298134eab9fbdaa1df6bd0e17425ee91131caf342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DM2gf65.exe

Filesize
877KB

MD5
2ff9355e9c3c1d418dc1954ae12be2ae

SHA1
abd823ba6f60d14335e982a044bbcef9cb4e2edd

SHA256
b0eee84b9233543dd0bf17ceefd6044c8605c1c17d26726d2d9e5f245be79ef0

SHA512
b7cc6cc925ca1a6f5ae54f7d7d911e16d647e21fc33025f1e9ec0dd61edead84902d0e40764c70f1964b8c9298134eab9fbdaa1df6bd0e17425ee91131caf342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12cT536.exe

Filesize
315KB

MD5
2c4209e44e27938521b68cf9d3400937

SHA1
1e392e9ed2e05c795a659654c1e41482cf3d1718

SHA256
9c0072adf384d4c11712080817771f4391eed1a857d1f3cda79f8188939b531c

SHA512
475448274ae0b0ca892f8265e962470be5c7e151c846555dab65cea567526e018da60e22c71f6822681e8055c3c3901f7864cab5177079883c837a95d7c51dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12cT536.exe

Filesize
315KB

MD5
2c4209e44e27938521b68cf9d3400937

SHA1
1e392e9ed2e05c795a659654c1e41482cf3d1718

SHA256
9c0072adf384d4c11712080817771f4391eed1a857d1f3cda79f8188939b531c

SHA512
475448274ae0b0ca892f8265e962470be5c7e151c846555dab65cea567526e018da60e22c71f6822681e8055c3c3901f7864cab5177079883c837a95d7c51dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi0AJ10.exe

Filesize
656KB

MD5
41a9f42cfc32c3b5bd78a64e9768b4f3

SHA1
c8f1d670a6b1c0e6e2faae2bcb137f044d5c4104

SHA256
55ba8037e6cc6a851855771b8ad86fbeb3bc97f50d682cb6c4f44bbbcfec2a2d

SHA512
8a76d1bfbd2189d19bba2ef5854a722672b7b7f9367cb833419422e0404cab229fe7d0b3adcd3f596d577010889ffbc1a5aff730d4208ff7d036847ac6b2e626

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi0AJ10.exe

Filesize
656KB

MD5
41a9f42cfc32c3b5bd78a64e9768b4f3

SHA1
c8f1d670a6b1c0e6e2faae2bcb137f044d5c4104

SHA256
55ba8037e6cc6a851855771b8ad86fbeb3bc97f50d682cb6c4f44bbbcfec2a2d

SHA512
8a76d1bfbd2189d19bba2ef5854a722672b7b7f9367cb833419422e0404cab229fe7d0b3adcd3f596d577010889ffbc1a5aff730d4208ff7d036847ac6b2e626

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10bl57dV.exe

Filesize
895KB

MD5
80bc846dc2d499d68c73c9c4939af5be

SHA1
446a673598724502ac9e06d9db51398806fb7996

SHA256
5a04a6400e540249c3e38f80d0d870a0b7c3effc0729f17c522dbe6dfc78925f

SHA512
c69368efada6261c45bce6a25450148575f0598c0440dd7accb1e935a2ed9f5c2fb0ad980bc5004a9eab49906aae948b6517da129d4c0066a2a451ea4a7acacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10bl57dV.exe

Filesize
895KB

MD5
80bc846dc2d499d68c73c9c4939af5be

SHA1
446a673598724502ac9e06d9db51398806fb7996

SHA256
5a04a6400e540249c3e38f80d0d870a0b7c3effc0729f17c522dbe6dfc78925f

SHA512
c69368efada6261c45bce6a25450148575f0598c0440dd7accb1e935a2ed9f5c2fb0ad980bc5004a9eab49906aae948b6517da129d4c0066a2a451ea4a7acacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11df5456.exe

Filesize
276KB

MD5
beea096a15f467fea8af7d3474af5691

SHA1
73de9b5ece6fa34af15f04256dd1a4db4b0695a1

SHA256
404e86439ee44bf67ac8b47ee5b04b0e4fc777729d470a22c7ee2de31495c645

SHA512
c0ed0ed2da15aeab4c5ceb2f6389f10250dbc271fc0117106702ee0bbc72b00f9e7596e391b87337c09cfffa2cc4631febe57605873fe18382decdc28c8905ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11df5456.exe

Filesize
276KB

MD5
beea096a15f467fea8af7d3474af5691

SHA1
73de9b5ece6fa34af15f04256dd1a4db4b0695a1

SHA256
404e86439ee44bf67ac8b47ee5b04b0e4fc777729d470a22c7ee2de31495c645

SHA512
c0ed0ed2da15aeab4c5ceb2f6389f10250dbc271fc0117106702ee0bbc72b00f9e7596e391b87337c09cfffa2cc4631febe57605873fe18382decdc28c8905ca

Download Submit
memory/6500-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6500-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6500-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6500-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6856-246-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6856-242-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6856-244-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6856-243-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/7152-436-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/7152-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/7152-305-0x0000000007700000-0x0000000007710000-memory.dmp

Filesize
64KB

Download
memory/7152-431-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/7152-302-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/7152-558-0x0000000008600000-0x0000000008C18000-memory.dmp

Filesize
6.1MB

Download
memory/7152-559-0x0000000007FE0000-0x00000000080EA000-memory.dmp

Filesize
1.0MB

Download
memory/7152-560-0x0000000007960000-0x0000000007972000-memory.dmp

Filesize
72KB

Download
memory/7152-561-0x00000000079C0000-0x00000000079FC000-memory.dmp

Filesize
240KB

Download
memory/7152-562-0x00000000080F0000-0x000000000813C000-memory.dmp

Filesize
304KB

Download
memory/7152-303-0x0000000007A30000-0x0000000007FD4000-memory.dmp

Filesize
5.6MB

Download
memory/7152-321-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/7152-304-0x0000000007520000-0x00000000075B2000-memory.dmp

Filesize
584KB

Download