mystic | 134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6

Analysis

max time kernel
210s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe
Size

1.3MB
MD5

93de95190406d77bed0efceb4c1dbf43
SHA1

4e355c118045771a2cc90272482fbc446d338a5c
SHA256

134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6
SHA512

8758327f924787878295fe97d7213071c470bd2454a7241c79f126cbfe8a553da1fc5dc10761fe76b36282a4de9def6e5703181d9f62c0769e4dd60101e932c5
SSDEEP

24576:uyYUHIfgZI9faepIstCiGldXD69ya6k6tGQtjZBSBgz5d:9Y0IfbCeS0LGP+UGQxZoBa5

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6180-188-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6180-206-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6180-207-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6180-209-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3232-263-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4240	ga5ll77.exe
2120	dm6fe56.exe
3560	10Mg26Lr.exe
4488	11DV2804.exe
7076	12sB802.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ga5ll77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dm6fe56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000022dee-19.dat	autoit_exe
behavioral1/files/0x0007000000022dee-20.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 6180	4488	11DV2804.exe	133
PID 7076 set thread context of 3232	7076	12sB802.exe	156

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7108	6180	WerFault.exe	133

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
3076	msedge.exe
3076	msedge.exe
6804	msedge.exe
6804	msedge.exe
6404	msedge.exe
6404	msedge.exe
6468	msedge.exe
6468	msedge.exe
6812	msedge.exe
6812	msedge.exe
3400	msedge.exe
3400	msedge.exe
596	msedge.exe
596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3560	10Mg26Lr.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 4240	2996	NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe	88
PID 2996 wrote to memory of 4240	2996	NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe	88
PID 2996 wrote to memory of 4240	2996	NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe	88
PID 4240 wrote to memory of 2120	4240	ga5ll77.exe	90
PID 4240 wrote to memory of 2120	4240	ga5ll77.exe	90
PID 4240 wrote to memory of 2120	4240	ga5ll77.exe	90
PID 2120 wrote to memory of 3560	2120	dm6fe56.exe	91
PID 2120 wrote to memory of 3560	2120	dm6fe56.exe	91
PID 2120 wrote to memory of 3560	2120	dm6fe56.exe	91
PID 3560 wrote to memory of 2596	3560	10Mg26Lr.exe	94
PID 3560 wrote to memory of 2596	3560	10Mg26Lr.exe	94
PID 3560 wrote to memory of 1868	3560	10Mg26Lr.exe	96
PID 3560 wrote to memory of 1868	3560	10Mg26Lr.exe	96
PID 3560 wrote to memory of 3076	3560	10Mg26Lr.exe	97
PID 3560 wrote to memory of 3076	3560	10Mg26Lr.exe	97
PID 3560 wrote to memory of 3276	3560	10Mg26Lr.exe	101
PID 3560 wrote to memory of 3276	3560	10Mg26Lr.exe	101
PID 2596 wrote to memory of 2960	2596	msedge.exe	100
PID 2596 wrote to memory of 2960	2596	msedge.exe	100
PID 1868 wrote to memory of 420	1868	msedge.exe	98
PID 1868 wrote to memory of 420	1868	msedge.exe	98
PID 3076 wrote to memory of 696	3076	msedge.exe	99
PID 3076 wrote to memory of 696	3076	msedge.exe	99
PID 3276 wrote to memory of 1036	3276	msedge.exe	102
PID 3276 wrote to memory of 1036	3276	msedge.exe	102
PID 3560 wrote to memory of 4688	3560	10Mg26Lr.exe	103
PID 3560 wrote to memory of 4688	3560	10Mg26Lr.exe	103
PID 4688 wrote to memory of 220	4688	msedge.exe	104
PID 4688 wrote to memory of 220	4688	msedge.exe	104
PID 3560 wrote to memory of 1844	3560	10Mg26Lr.exe	105
PID 3560 wrote to memory of 1844	3560	10Mg26Lr.exe	105
PID 1844 wrote to memory of 3144	1844	msedge.exe	106
PID 1844 wrote to memory of 3144	1844	msedge.exe	106
PID 3560 wrote to memory of 4352	3560	10Mg26Lr.exe	107
PID 3560 wrote to memory of 4352	3560	10Mg26Lr.exe	107
PID 4352 wrote to memory of 672	4352	msedge.exe	109
PID 4352 wrote to memory of 672	4352	msedge.exe	109
PID 3560 wrote to memory of 2360	3560	10Mg26Lr.exe	110
PID 3560 wrote to memory of 2360	3560	10Mg26Lr.exe	110
PID 2360 wrote to memory of 1816	2360	msedge.exe	111
PID 2360 wrote to memory of 1816	2360	msedge.exe	111
PID 3560 wrote to memory of 4696	3560	10Mg26Lr.exe	112
PID 3560 wrote to memory of 4696	3560	10Mg26Lr.exe	112
PID 4696 wrote to memory of 2060	4696	msedge.exe	113
PID 4696 wrote to memory of 2060	4696	msedge.exe	113
PID 3560 wrote to memory of 1404	3560	10Mg26Lr.exe	114
PID 3560 wrote to memory of 1404	3560	10Mg26Lr.exe	114
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115
PID 3076 wrote to memory of 1676	3076	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.134473b70083f20f2884ed3fd9a49f3dfcb9a8c3b6cfdcad8414ec9f0c4c11c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ga5ll77.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ga5ll77.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dm6fe56.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dm6fe56.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10Mg26Lr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10Mg26Lr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,4079570711211088379,17965607268637082291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:6372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,4079570711211088379,17965607268637082291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
        6⤵
        
        PID:6476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x13c,0x170,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3974149495510646523,12102763820939939728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3974149495510646523,12102763820939939728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        6⤵
        
        PID:6704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3076
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:1676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
        6⤵
        
        PID:5328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
        6⤵
        
        PID:5668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        
        PID:5656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
        6⤵
        
        PID:5896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        6⤵
        
        PID:6504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
        6⤵
        
        PID:6488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12878604651169000595,8864919122435204341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1164 /prefetch:1
        6⤵
        
        PID:7000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:1036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,619954175576620087,11843344426634542187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
        6⤵
        
        PID:6644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,15708479528970724863,2818034215237666307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
        6⤵
        
        PID:6388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,15708479528970724863,2818034215237666307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:3144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,10068311843503477691,14489082849168106468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
        6⤵
        
        PID:6380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,10068311843503477691,14489082849168106468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        6⤵
        
        PID:6764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        6⤵
        
        PID:6652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        6⤵
        
        PID:6824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
        6⤵
        
        PID:6752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
        6⤵
        
        PID:656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        6⤵
        
        PID:4144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,3635578153369019754,6959279413029790325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
        6⤵
        
        PID:6440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:1816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8939402625539102015,5030427185823561112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        6⤵
        
        PID:6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8939402625539102015,5030427185823561112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2692 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:2060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,263030797491175042,13605575932087340216,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
        6⤵
        
        PID:6396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,263030797491175042,13605575932087340216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:1404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcc50546f8,0x7ffcc5054708,0x7ffcc5054718
        6⤵
        
        PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11DV2804.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11DV2804.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:6180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 556
        6⤵
        Program crash
        
        PID:7108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sB802.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12sB802.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4bfc8b6f-9c5c-4979-8ff2-b4fd1cea7118.tmp

Filesize
3KB

MD5
471f924a272acee3252fb7d000bee485

SHA1
18a86256fccd51b350186e7fa23e1cf04e03a733

SHA256
403329aaf95de98b58c8943213d771c9ea75a32b981828c1712198753f6271a2

SHA512
3746da06dcdbb0325f26b10ba0912568f59df9051b44862a3afefc6a23995621291bb45cd61c8efd81b19ba8600536afc0553dc5dec88a163976ea5b91f0545f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed1059501887ca58bf7183147bc7e9bd

SHA1
2f3fae395180943a637a4ae1d3a4b374b5a13a42

SHA256
1292a748aa1f19560e5a5faee5d5c8d8e69fd5ebd83fb10451b8d213d085cd89

SHA512
d1f3897075f8c30c35ffd1aed9d60345eb924f362d50c5b35352a4e6a51cee770cb0b37394eb81d593644edf3fcb9c1b576f7db499226a9468e5b5f530dc734b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f30b8232b170bdbc7d9c741c82c4a73

SHA1
9abfca17624e13728bd7fa6547e7e26e0695d411

SHA256
0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb

SHA512
587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
bdc46107e9c51b87a804d38c6a1b7940

SHA1
0a29d720d3916bfaa98bcaec5885d9c673e319d6

SHA256
23aeaa865cf51ce4e669c5514cf9d81cbaaf9aeb786a23000afd8ea56fed58fe

SHA512
3bf3e7a4f254d1430fe66e4c9ebbb6e75b9a1056c027165653dfb5d29aca3d64b52e1da189605c7638479357556d7207be15d2ae10b0ffe544bfb94b05b33877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da94ce1e2de86c2daf7fd1cfd4c61fc9

SHA1
aeb134d91fa1b54fc33aeb0b6840ca4a050e9291

SHA256
e840ddf25cd40b280d886f4e8530a0dd54787804f74e998723dc6996bbdcbfb6

SHA512
3b64742ea9495553e8b70f9138eea4992685d249989acd3c8d26c7179c897daee747e1effe41af2fe72433baba3829581a99ca0a3cbe8b3d61ba87e82d720dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
457405b963830002e28611ca9c9ba990

SHA1
ccefb308242bf1b896fe8ec86b48b920490a17cd

SHA256
718ac458cd19f3df33023f7814e7595310828af1efab7e1f1ce2882d21b839d0

SHA512
d80576c5cbb93dbb6278430c526753c7165102c637100019a9fed74d7ccb40606c8f3bab2c9c578d2b4517cf924815c9a245d8119744b852166bec7e61829164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13344290038586566

Filesize
606B

MD5
714f814018e1c34e896eae63b10ec9b2

SHA1
5c0a3ed0e61186cbc764fdde8198893f94e112b9

SHA256
460cd72958a1e4fa79514592836453e97e7da4893dc85305b46a4e15157cc0d1

SHA512
bfc03e05612419191e28a580d827616c921ce5eaf63abf97b1fb138f3cf6b915f47c784a678f2c2987193fae6dc618c4f39aa8ecd8c51d36e61d0addcdd5fb1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13344290039100566

Filesize
1024B

MD5
b35971f0f5d0f96f371a1dbe3095c0e6

SHA1
d8bb4ee5a21bcd2a37d0d7358b9eb2ea4de43e86

SHA256
8b60d67e2d06e9a70acf5917293568fc7fdb3686d417813db95fb6b1effd4bd6

SHA512
43a24c7ee6e3cf03edac2cd3d416a7b0625039e9ee015fa5b9925223657c78cd5ba33741f0e4f18fe1b72379faa2e0d2b8b7d1d02ac0d3f240fce618a1c95aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1867ff07db677aeb60d89c0af33460bb

SHA1
94d282fee5f707492cc5154289a2fe67f369462a

SHA256
631a79c7ebec8a03a71d825eb1195dba733523de06cc7c7a3ba3f446713e620c

SHA512
da3ca0c97138ddae1a74f16e3c8e4a4b8fbbfb4bf863d13e690267be4f2c600e992f4b55a8d2c41c70246d4724198a3a7d8f1c2ef5d8c493745aca40c3458564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
0929b0393fae44021f652ed63dc0c74b

SHA1
ddd371194bc2144c74d3b529224437e51154515b

SHA256
155c3c6dee6f39c80d09c0adff0e69fae3b6ff51d9497402d09da59c89e1c12f

SHA512
98d41e9d1c1812f3167311777a826eda4cd6740603d0e81ba43c4bbd4ac68bf3981347738d1098681a33beb47747105b122c75b7819172dac89fe333c7b83d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
fe38303f2abaf6e09cae33081c840b01

SHA1
94fd283170f2f080b13db43a77e94435fde380b5

SHA256
3062afaf804101d38993288ed2f8b01d8a49225c0c6f000cd939d9efee98c58b

SHA512
aa148ece1285dafea5aac67e404171df614b87f47e150196323d1391af2a71897795a0467f6dbdda127d7798691cd50e9b9756ef063808a129eb480a46bdb1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
fe38303f2abaf6e09cae33081c840b01

SHA1
94fd283170f2f080b13db43a77e94435fde380b5

SHA256
3062afaf804101d38993288ed2f8b01d8a49225c0c6f000cd939d9efee98c58b

SHA512
aa148ece1285dafea5aac67e404171df614b87f47e150196323d1391af2a71897795a0467f6dbdda127d7798691cd50e9b9756ef063808a129eb480a46bdb1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
07f6891e740c531139d3c8bc1a6c1292

SHA1
461b3bfedd74f4f8fb82ecc976caa3717ccebd5c

SHA256
18f7fe0f860040e8471d15b4f2e2a1943e8f802ab37d05360623ce719c509399

SHA512
4642b22516e4e9742ba653eec602abceb595b3ab78596bb6b2e5a1bc652be9d58953705b7cdcef0d361d31ee134bf7b46fbbb89bd0d4cd596593988767501aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
07f6891e740c531139d3c8bc1a6c1292

SHA1
461b3bfedd74f4f8fb82ecc976caa3717ccebd5c

SHA256
18f7fe0f860040e8471d15b4f2e2a1943e8f802ab37d05360623ce719c509399

SHA512
4642b22516e4e9742ba653eec602abceb595b3ab78596bb6b2e5a1bc652be9d58953705b7cdcef0d361d31ee134bf7b46fbbb89bd0d4cd596593988767501aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4ac5e228141028fb2b0995e454f131b4

SHA1
871cc1ff47e21ff77fe9c7ace23dadff15216e61

SHA256
e32a70b060a5bd64978852f19fe9b27dc8a07879827005496101508c19a5e326

SHA512
ea304ca07bd3eddfb69f791a6761524a125a77b2af4c6e82efda992566443c64b49bd3a371e09da80f42921bb39e4c0ce7bb6d04dd4dab630f73396e960b9689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4ac5e228141028fb2b0995e454f131b4

SHA1
871cc1ff47e21ff77fe9c7ace23dadff15216e61

SHA256
e32a70b060a5bd64978852f19fe9b27dc8a07879827005496101508c19a5e326

SHA512
ea304ca07bd3eddfb69f791a6761524a125a77b2af4c6e82efda992566443c64b49bd3a371e09da80f42921bb39e4c0ce7bb6d04dd4dab630f73396e960b9689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4ac5e228141028fb2b0995e454f131b4

SHA1
871cc1ff47e21ff77fe9c7ace23dadff15216e61

SHA256
e32a70b060a5bd64978852f19fe9b27dc8a07879827005496101508c19a5e326

SHA512
ea304ca07bd3eddfb69f791a6761524a125a77b2af4c6e82efda992566443c64b49bd3a371e09da80f42921bb39e4c0ce7bb6d04dd4dab630f73396e960b9689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
fe38303f2abaf6e09cae33081c840b01

SHA1
94fd283170f2f080b13db43a77e94435fde380b5

SHA256
3062afaf804101d38993288ed2f8b01d8a49225c0c6f000cd939d9efee98c58b

SHA512
aa148ece1285dafea5aac67e404171df614b87f47e150196323d1391af2a71897795a0467f6dbdda127d7798691cd50e9b9756ef063808a129eb480a46bdb1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
471f924a272acee3252fb7d000bee485

SHA1
18a86256fccd51b350186e7fa23e1cf04e03a733

SHA256
403329aaf95de98b58c8943213d771c9ea75a32b981828c1712198753f6271a2

SHA512
3746da06dcdbb0325f26b10ba0912568f59df9051b44862a3afefc6a23995621291bb45cd61c8efd81b19ba8600536afc0553dc5dec88a163976ea5b91f0545f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ga5ll77.exe

Filesize
878KB

MD5
696e4144d78d2b39cc3ff73c85952f77

SHA1
fa6d210b1a759f1834b234e24ab0cb1dd491cd2a

SHA256
03ae27a35cfbd31132e775d84affb3000e5a5a8174c098f666f7877b26fb59a0

SHA512
bb3b7d9ce0475760ac99dd8503b5b553559ab84bf49ded2995fceb27c2186796d085f5c8b3d1ed3e50489dc8e88cde61153a738023572b3ba733e6407e742572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ga5ll77.exe

Filesize
878KB

MD5
696e4144d78d2b39cc3ff73c85952f77

SHA1
fa6d210b1a759f1834b234e24ab0cb1dd491cd2a

SHA256
03ae27a35cfbd31132e775d84affb3000e5a5a8174c098f666f7877b26fb59a0

SHA512
bb3b7d9ce0475760ac99dd8503b5b553559ab84bf49ded2995fceb27c2186796d085f5c8b3d1ed3e50489dc8e88cde61153a738023572b3ba733e6407e742572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dm6fe56.exe

Filesize
656KB

MD5
783a4d1dc281f30713e2dc1f40119d7f

SHA1
7ac55c1ee1f3578f0efb20fcc341cc7808dbc12d

SHA256
5dc5856a908e051b5cb99970b0a75abd446df7c4fdfa491383b700e10e9efd83

SHA512
d49a530af8867924cb5ddeacd8d3bff8f40cd3cf1dcfa7d294687c0e3b7f4f5fa24fd5efe4da2ace400bad5a7e605d3b47dc359895faa4c31e927e1b48ee7ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dm6fe56.exe

Filesize
656KB

MD5
783a4d1dc281f30713e2dc1f40119d7f

SHA1
7ac55c1ee1f3578f0efb20fcc341cc7808dbc12d

SHA256
5dc5856a908e051b5cb99970b0a75abd446df7c4fdfa491383b700e10e9efd83

SHA512
d49a530af8867924cb5ddeacd8d3bff8f40cd3cf1dcfa7d294687c0e3b7f4f5fa24fd5efe4da2ace400bad5a7e605d3b47dc359895faa4c31e927e1b48ee7ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10Mg26Lr.exe

Filesize
895KB

MD5
09de80c94881008b33f27428f6dd451e

SHA1
78f82f25911fc144f64c1d3c03fbd8b89db0a342

SHA256
e2d390d5a837185919332a2f1c842783501398c0e3065a1baeeb5e2590821bdc

SHA512
1020b8c516dc619a042bdada83ed4e4c4ee4d1e3c7ce7b3295e7ecc196645f36fa95f78fd74631c5329a1f081f148273d758bc9c6adce3e6dce9d1a65df61716

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\10Mg26Lr.exe

Filesize
895KB

MD5
09de80c94881008b33f27428f6dd451e

SHA1
78f82f25911fc144f64c1d3c03fbd8b89db0a342

SHA256
e2d390d5a837185919332a2f1c842783501398c0e3065a1baeeb5e2590821bdc

SHA512
1020b8c516dc619a042bdada83ed4e4c4ee4d1e3c7ce7b3295e7ecc196645f36fa95f78fd74631c5329a1f081f148273d758bc9c6adce3e6dce9d1a65df61716

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11DV2804.exe

Filesize
276KB

MD5
ce65c2fc85de51fa27050b395154af05

SHA1
2101086e6d1188afef3bf4f1fb74621f3acab012

SHA256
7afb69c6bbd827cd7faf140c68b57c0ceee883129e9eb2e46369d3d98bfe931f

SHA512
faf7ac85d1e7715efbfecf077c241523c9443c47fb77c687b3d747f7d14ad9979286307325a9d9b3d1ed1c586511074e138b6a3ff3c7035644bf7808919d109d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11DV2804.exe

Filesize
276KB

MD5
ce65c2fc85de51fa27050b395154af05

SHA1
2101086e6d1188afef3bf4f1fb74621f3acab012

SHA256
7afb69c6bbd827cd7faf140c68b57c0ceee883129e9eb2e46369d3d98bfe931f

SHA512
faf7ac85d1e7715efbfecf077c241523c9443c47fb77c687b3d747f7d14ad9979286307325a9d9b3d1ed1c586511074e138b6a3ff3c7035644bf7808919d109d

Download Submit
memory/3232-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6180-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6180-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6180-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6180-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download