mystic | a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf

Analysis

max time kernel
244s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe
Size

1.3MB
MD5

ba2c77718bd6b44abb313b86974e99e8
SHA1

139e8c4262a2db1a5de407cbf99b380b0e93254e
SHA256

a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf
SHA512

7c34b013642ab2ab86409e4b6e22628382ceb346aff4dda2f83c72bc0c3034a5c49be0f1c95c4d9e5b9dfa33471f80c0e56b95caea458d986b0651cfce58faeb
SSDEEP

24576:Py5t+MuTMCtJaeyIsOCUGsA1D3uAdru57lpuDGuoo2RnpHNWjOcrlpuThdR:a5tfulkeJRJGfzJdru5ruSuoNRptzTh

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/8008-285-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/8008-296-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/8008-297-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/8008-299-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
4864	hC8bO21.exe
3996	SZ7Ah27.exe
4444	3pC909ct.exe
5848	4UR5OX4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hC8bO21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SZ7Ah27.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022db4-19.dat	autoit_exe
behavioral1/files/0x0007000000022db4-20.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5848 set thread context of 8008	5848	4UR5OX4.exe	154

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
6108	msedge.exe
6108	msedge.exe
5672	msedge.exe
5672	msedge.exe
4868	msedge.exe
4868	msedge.exe
5668	msedge.exe
2216	msedge.exe
5668	msedge.exe
2216	msedge.exe
6260	msedge.exe
6260	msedge.exe
5728	msedge.exe
5728	msedge.exe
6088	msedge.exe
6088	msedge.exe
6340	msedge.exe
6340	msedge.exe
6440	msedge.exe
6440	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4444	3pC909ct.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4864	3944	NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe	88
PID 3944 wrote to memory of 4864	3944	NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe	88
PID 3944 wrote to memory of 4864	3944	NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe	88
PID 4864 wrote to memory of 3996	4864	hC8bO21.exe	89
PID 4864 wrote to memory of 3996	4864	hC8bO21.exe	89
PID 4864 wrote to memory of 3996	4864	hC8bO21.exe	89
PID 3996 wrote to memory of 4444	3996	SZ7Ah27.exe	91
PID 3996 wrote to memory of 4444	3996	SZ7Ah27.exe	91
PID 3996 wrote to memory of 4444	3996	SZ7Ah27.exe	91
PID 4444 wrote to memory of 3144	4444	3pC909ct.exe	93
PID 4444 wrote to memory of 3144	4444	3pC909ct.exe	93
PID 4444 wrote to memory of 4920	4444	3pC909ct.exe	95
PID 4444 wrote to memory of 4920	4444	3pC909ct.exe	95
PID 3144 wrote to memory of 4036	3144	msedge.exe	96
PID 3144 wrote to memory of 4036	3144	msedge.exe	96
PID 4920 wrote to memory of 4556	4920	msedge.exe	97
PID 4920 wrote to memory of 4556	4920	msedge.exe	97
PID 4444 wrote to memory of 912	4444	3pC909ct.exe	98
PID 4444 wrote to memory of 912	4444	3pC909ct.exe	98
PID 912 wrote to memory of 1892	912	msedge.exe	99
PID 912 wrote to memory of 1892	912	msedge.exe	99
PID 4444 wrote to memory of 3780	4444	3pC909ct.exe	100
PID 4444 wrote to memory of 3780	4444	3pC909ct.exe	100
PID 3780 wrote to memory of 3956	3780	msedge.exe	101
PID 3780 wrote to memory of 3956	3780	msedge.exe	101
PID 4444 wrote to memory of 1336	4444	3pC909ct.exe	102
PID 4444 wrote to memory of 1336	4444	3pC909ct.exe	102
PID 1336 wrote to memory of 220	1336	msedge.exe	103
PID 1336 wrote to memory of 220	1336	msedge.exe	103
PID 4444 wrote to memory of 2336	4444	3pC909ct.exe	104
PID 4444 wrote to memory of 2336	4444	3pC909ct.exe	104
PID 2336 wrote to memory of 2080	2336	msedge.exe	105
PID 2336 wrote to memory of 2080	2336	msedge.exe	105
PID 4444 wrote to memory of 2964	4444	3pC909ct.exe	106
PID 4444 wrote to memory of 2964	4444	3pC909ct.exe	106
PID 2964 wrote to memory of 1528	2964	msedge.exe	107
PID 2964 wrote to memory of 1528	2964	msedge.exe	107
PID 4444 wrote to memory of 3588	4444	3pC909ct.exe	108
PID 4444 wrote to memory of 3588	4444	3pC909ct.exe	108
PID 3588 wrote to memory of 4380	3588	msedge.exe	109
PID 3588 wrote to memory of 4380	3588	msedge.exe	109
PID 4444 wrote to memory of 4164	4444	3pC909ct.exe	110
PID 4444 wrote to memory of 4164	4444	3pC909ct.exe	110
PID 4164 wrote to memory of 3912	4164	msedge.exe	111
PID 4164 wrote to memory of 3912	4164	msedge.exe	111
PID 4444 wrote to memory of 3340	4444	3pC909ct.exe	112
PID 4444 wrote to memory of 3340	4444	3pC909ct.exe	112
PID 3340 wrote to memory of 1328	3340	msedge.exe	113
PID 3340 wrote to memory of 1328	3340	msedge.exe	113
PID 3996 wrote to memory of 5848	3996	SZ7Ah27.exe	114
PID 3996 wrote to memory of 5848	3996	SZ7Ah27.exe	114
PID 3996 wrote to memory of 5848	3996	SZ7Ah27.exe	114
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129
PID 3144 wrote to memory of 5976	3144	msedge.exe	129

C:\Users\Admin\AppData\Local\Temp\NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a1d0f879aa5023488075c93718c6bac17d2056269fe3822c901d2b908bc13bbf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hC8bO21.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hC8bO21.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SZ7Ah27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SZ7Ah27.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pC909ct.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pC909ct.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:4036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14903504818655543915,15827787403955062037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14903504818655543915,15827787403955062037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        6⤵
        
        PID:5976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:4556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,57266716008043384,16970321935877679665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,57266716008043384,16970321935877679665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:6252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:1892
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14282693232091419980,4577858982670110741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14282693232091419980,4577858982670110741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        6⤵
        
        PID:6060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:3956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3399024867215575916,9500297931776156362,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:5692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,3399024867215575916,9500297931776156362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5048886001560675896,8156010642713349160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5048886001560675896,8156010642713349160,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:6096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xa4,0xa0,0x9c,0x148,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:2080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,1571839787242781386,12121580134108462971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:5156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,1571839787242781386,12121580134108462971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:1528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17277727671958288027,2388888550378894191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17277727671958288027,2388888550378894191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:3620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:4380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6420551168867513270,17822658833516283430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6420551168867513270,17822658833516283430,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:5724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:3912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        6⤵
        
        PID:6432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
        6⤵
        
        PID:6640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        6⤵
        
        PID:5484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        
        PID:2008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
        6⤵
        
        PID:7416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
        6⤵
        
        PID:7448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
        6⤵
        
        PID:7720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
        6⤵
        
        PID:7864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        6⤵
        
        PID:7988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        6⤵
        
        PID:7964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
        6⤵
        
        PID:7956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
        6⤵
        
        PID:7948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
        6⤵
        
        PID:7940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        6⤵
        
        PID:5788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
        6⤵
        
        PID:7888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
        6⤵
        
        PID:6008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
        6⤵
        
        PID:6056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3674546633551857426,12033185029642869388,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
        6⤵
        
        PID:3120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb735646f8,0x7ffb73564708,0x7ffb73564718
        6⤵
        
        PID:1328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13247513770342754013,17619427630083473239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13247513770342754013,17619427630083473239,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UR5OX4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UR5OX4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:8008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\10e4c126-1b57-4747-8c21-678521054c3e.tmp

Filesize
2KB

MD5
90735d46f91e9e41763a8216297b32d4

SHA1
9766b436f08281d08a42c09b133053b3c183f2e0

SHA256
65fe2504547e89b389372abe8c67f5171535c3d1b12abecc6433644c6ab3e885

SHA512
75b07271172264e6b0d4b387bcb4570e05e1ca8b9f93a9b41c5b6df16a109e04f31bfde84e0df3c8fbe52f357c585c2bdefc85be85e729353df75916f9405431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2a1b69fb-4c24-46f2-b69a-be09cec70436.tmp

Filesize
2KB

MD5
c4fcfc0fb879302e1e6f40b56607f8b3

SHA1
62ffb6b5afb6c278a39ac8848796993bbfb418a7

SHA256
c347a52f307cabe692ea17df345a7a3038a22f6014ca050781a482130f9f216e

SHA512
1ca9053cb1969453e449399c32ff1664e9f28199113d7bebd5fe8669837964b44ec225dd40546d553ff0aebf8ddb52fbca462bbdd0c1eb1d71926563bbed16c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2ccd4297-344e-4813-9c64-63dda5dd0610.tmp

Filesize
2KB

MD5
e3477a0bb4a389c9b1dfa12dc1953d2a

SHA1
3347be1a896ddebbae598465efb9ce2009febcfa

SHA256
3ff3c5e4b6824320fea321975d29560faf21fcd1994ed74c42d80bd3d35d6b40

SHA512
762c4f33c3b0cede1fb3b3dedbd1aff4a8abd5a28d8dd66bc4958e93b2990fef7444d737fa287ccc455c5ecbe1daeb1ac5622c76f2765fa20eec5bae29085437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\30d48a73-a50f-4e00-acc3-89b5940b2b8a.tmp

Filesize
2KB

MD5
9944b2ab5ab54baceb393f26c31ab2bd

SHA1
149e816ed3ab89f7b5fe855786e9c30f45eac53e

SHA256
68d900854abfe8b11e7f81588994c44e303822cec4e419de61129f8834846768

SHA512
4b8751fc0a186e441172d45fa9bfc8c303ca3f0fb2f842bce2eaa4b3738e7c583ec6cfb5c339085b59965a36a34c01cf08e220db3faa4b2f43d7b1de5001105f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5519207c-5e8f-4032-a995-f7ed9363263a.tmp

Filesize
2KB

MD5
89e0fb8e0655e036e268e71ecf913327

SHA1
a38e029922b96abdf3bf8d6149d6b9e23e699917

SHA256
12da66defb67f829093a974110041e2dfc0389e537c454f7413302fe295969c3

SHA512
e0816670294690605eabdc3579314b19fe0db32c567e36c2227a374008e77bee73bf39902bbd3d6da483043b884b6ac30b412d11d0d71d118842b03f02ea5504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5df757f9-c1f0-497f-85b0-fdc7de29c5ec.tmp

Filesize
3KB

MD5
45aced509b92c57a4da9112c3b444592

SHA1
60dbb33549b275656a6a637d8332da094ce6d43b

SHA256
e1422afe0734248bb40af5429ba788d73d44c7b33e1714f126d59f758830b4a8

SHA512
70a69117e1f582d48d6bd1739343f776e34bee37fe5eb580446e639974a9becdd0c3ad954f4b3b87770e8117db4638978dd3c8c8a3ecff796e7839f745b490a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\99e96850-a3df-44e2-9c8c-13f7f7dbc189.tmp

Filesize
2KB

MD5
21396e165920086b338bdabaa291c54e

SHA1
2318d6b722e653fe18c74022ce5bb1f26ca99c50

SHA256
4116d3be483c749e32fb4e4955564b6f2cac6b2a4e3cd6300e2dba9859d4d8e4

SHA512
cd2d62da8ddcea4109e5b055d6693de7d0345004720bdfc586e4bf48c2b274081d9d44687f697fa30660c5edd9e7bb157a0016fb1ab2a68a9ca87d5c389ea59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6045c02e7ac9cec94de97c1ec0197047

SHA1
e908cbbe21bbe96b72df37c17e5424324202df2b

SHA256
36785d7df5689264dba44af45037efe331725d34d7b84462e1a410a4005804f5

SHA512
33231fa595c497e720d0e2262f815fac3d2e689acdb704a00d17bc8807ff9248abbe53736e1f8bc33aa1bfd313fe1b18f8aaff71f3cec1078589a88363e6cbea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
45aced509b92c57a4da9112c3b444592

SHA1
60dbb33549b275656a6a637d8332da094ce6d43b

SHA256
e1422afe0734248bb40af5429ba788d73d44c7b33e1714f126d59f758830b4a8

SHA512
70a69117e1f582d48d6bd1739343f776e34bee37fe5eb580446e639974a9becdd0c3ad954f4b3b87770e8117db4638978dd3c8c8a3ecff796e7839f745b490a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
04fab98b4811685fa1265855d139e0ea

SHA1
457ea7cdf0c2239e928fbde9bba17ba7cbf51b96

SHA256
19fb0550806933d192f20a2769859414f3e822dce6cde3c2da5e58270ed886cb

SHA512
3610615d4abf7676482467b395609d571ff4bd13ce387f374d7d0b01d24e48216735c721d0f557407ef2b15c1f505f55736ecba8f87d31eba798fd5a8801133e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
065e0156c5beff942d63ef2a7185c96b

SHA1
a7dff23be94f5b80b948f6826242a70b90d10d60

SHA256
7350f3c78f4b44adf1a768f7d4945cc839cd1e998874882644aa9b964c3c7a6d

SHA512
5f1a00dfac64a22706fd8459b80eef899e61754b7a78eb3cec7f65934c02132168b003dcd16f6b3a17f000910b435e5db564a0088b3e2630558be39e597ae888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
21396e165920086b338bdabaa291c54e

SHA1
2318d6b722e653fe18c74022ce5bb1f26ca99c50

SHA256
4116d3be483c749e32fb4e4955564b6f2cac6b2a4e3cd6300e2dba9859d4d8e4

SHA512
cd2d62da8ddcea4109e5b055d6693de7d0345004720bdfc586e4bf48c2b274081d9d44687f697fa30660c5edd9e7bb157a0016fb1ab2a68a9ca87d5c389ea59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a0c62f67-a763-4b6a-81fe-3d977921f0c5.tmp

Filesize
2KB

MD5
065e0156c5beff942d63ef2a7185c96b

SHA1
a7dff23be94f5b80b948f6826242a70b90d10d60

SHA256
7350f3c78f4b44adf1a768f7d4945cc839cd1e998874882644aa9b964c3c7a6d

SHA512
5f1a00dfac64a22706fd8459b80eef899e61754b7a78eb3cec7f65934c02132168b003dcd16f6b3a17f000910b435e5db564a0088b3e2630558be39e597ae888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d6046164-c281-4c37-b59c-3deb92be6fc0.tmp

Filesize
2KB

MD5
3095a6222fcc609ee5b88df862852f07

SHA1
157131b2eb491020494b53ba9838c50141994d99

SHA256
664ed396f2562182d4af89221c96a7a2392c9a9acf25bc62aef995d19fd1c07d

SHA512
4dd638d8143a85db6f200db98470788172fbc9c2258bafca9d39b5d262a23a35790f7f2dc86f4041bebbe833e6c8562273fd902763764bb40ab124b5e0ed8ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hC8bO21.exe

Filesize
917KB

MD5
a6663585a20dd82a04535b9a96228518

SHA1
21231978e6e815675ebfc72ed544e90a227b0375

SHA256
8c8ed0eaec15c8e8c8d8e3053d72547077d96064de06acd82ed5d7f7e079644f

SHA512
eea1db7cd6478ea4d0bb416c93bf6e93b8aa0c37741b8b58b1455e80b1ee571bb085f7ad5c5c1dbaf4a79bd39bd42eb4377a3259281fcc55c144dd73cc5f902f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hC8bO21.exe

Filesize
917KB

MD5
a6663585a20dd82a04535b9a96228518

SHA1
21231978e6e815675ebfc72ed544e90a227b0375

SHA256
8c8ed0eaec15c8e8c8d8e3053d72547077d96064de06acd82ed5d7f7e079644f

SHA512
eea1db7cd6478ea4d0bb416c93bf6e93b8aa0c37741b8b58b1455e80b1ee571bb085f7ad5c5c1dbaf4a79bd39bd42eb4377a3259281fcc55c144dd73cc5f902f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SZ7Ah27.exe

Filesize
674KB

MD5
e00b13768d63db914f7b5594f0c69ab2

SHA1
5f4fde767445490c6a27ea99431ac1852dd14745

SHA256
f93a129ea237310def03e0c32c67c47b9393f765359e19ee074a950ab19f9f20

SHA512
3d5e42f3c9321873534b62fdf1a2daba3b86b14a91e73d488f71ef121ba4c9709e75f782496095097452ffdb0b209db8d7a9b323b9506db8548eb0baa84dd6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SZ7Ah27.exe

Filesize
674KB

MD5
e00b13768d63db914f7b5594f0c69ab2

SHA1
5f4fde767445490c6a27ea99431ac1852dd14745

SHA256
f93a129ea237310def03e0c32c67c47b9393f765359e19ee074a950ab19f9f20

SHA512
3d5e42f3c9321873534b62fdf1a2daba3b86b14a91e73d488f71ef121ba4c9709e75f782496095097452ffdb0b209db8d7a9b323b9506db8548eb0baa84dd6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pC909ct.exe

Filesize
895KB

MD5
0ef9edc509096c96ca9e7c5a46e1aebc

SHA1
6bf41873594bf97c5e6e25f4545bea82b0b50a3b

SHA256
c31dc86665ec4718ef06733b113e9fed3e0a2ab2f8bcb27549ca4ff997df1bc6

SHA512
b6f39aa8c5361685c0367cf16d741fb587b1bf6c229c4f1f4a62de1736d079280f9f77b8e308670672c4500aba1889b2ad5d131cb9073a780548da774c2c321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pC909ct.exe

Filesize
895KB

MD5
0ef9edc509096c96ca9e7c5a46e1aebc

SHA1
6bf41873594bf97c5e6e25f4545bea82b0b50a3b

SHA256
c31dc86665ec4718ef06733b113e9fed3e0a2ab2f8bcb27549ca4ff997df1bc6

SHA512
b6f39aa8c5361685c0367cf16d741fb587b1bf6c229c4f1f4a62de1736d079280f9f77b8e308670672c4500aba1889b2ad5d131cb9073a780548da774c2c321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UR5OX4.exe

Filesize
310KB

MD5
53e53441ccf57c4514c76a1e6edd03e1

SHA1
332f92ef37ddb9572426ceefd0102e85ddfebf5d

SHA256
eb293f0994af49eb78b6c5e7f76db249e92ec1d7cfa2d917dcfe14a379d09e02

SHA512
37ab83beeebc5fc38cba8c158e6ca7b743cb10c017ab5b72bb7189bf12f72818106b835749228bf897ebbe47effb853140cc1e8018b7d79e71add01def3956b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4UR5OX4.exe

Filesize
310KB

MD5
53e53441ccf57c4514c76a1e6edd03e1

SHA1
332f92ef37ddb9572426ceefd0102e85ddfebf5d

SHA256
eb293f0994af49eb78b6c5e7f76db249e92ec1d7cfa2d917dcfe14a379d09e02

SHA512
37ab83beeebc5fc38cba8c158e6ca7b743cb10c017ab5b72bb7189bf12f72818106b835749228bf897ebbe47effb853140cc1e8018b7d79e71add01def3956b0

Download Submit
memory/8008-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8008-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8008-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8008-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download