eternity | 0c7117e7bd2eb23d5205b3dac031ad2ed5a636488c2f54eb3d6003262f03e2a2

Analysis

max time kernel
119s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0cc677c0ceaef03dfeb2e5289b284d1.exe
Size

1.2MB
MD5

e0cc677c0ceaef03dfeb2e5289b284d1
SHA1

2e1fb788ac3e08d4509df45e3126ab7deb257326
SHA256

0c7117e7bd2eb23d5205b3dac031ad2ed5a636488c2f54eb3d6003262f03e2a2
SHA512

5d09dd93d69c891c75c7dc65fc323966e9685eb91f239165808b7f9012bd4d62cac4fe9bb2cc7fe1a0c2e068d6de644abb1d5a800940cddf7e2e348d45156b9f
SSDEEP

24576:Ey9zT5od4AhLxkC35WI14z2V95wyXicnr9JqVrHA2b9Ok25BRIdAfo:T9z9o1h17WI14z2VDTrSqdkARh

Score

10^/10

eternity privateloader redline risepro smokeloader @oleh_ps backdoor infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

risepro

193.233.132.51

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/6676-851-0x0000000000E20000-0x0000000000E5C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3548	AD2wC01.exe
2400	1ZQ12Tx4.exe
1432	4HP775hS.exe
3076	6eV4TL2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0cc677c0ceaef03dfeb2e5289b284d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AD2wC01.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000023102-23.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	2400	WerFault.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4HP775hS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	4HP775hS.exe
1432	4HP775hS.exe
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1432	4HP775hS.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
3076	6eV4TL2.exe
3220	Process not Found
3220	Process not Found
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3220	Process not Found
3220	Process not Found

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe
3076	6eV4TL2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3548	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	89
PID 4912 wrote to memory of 3548	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	89
PID 4912 wrote to memory of 3548	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	89
PID 3548 wrote to memory of 2400	3548	AD2wC01.exe	90
PID 3548 wrote to memory of 2400	3548	AD2wC01.exe	90
PID 3548 wrote to memory of 2400	3548	AD2wC01.exe	90
PID 3548 wrote to memory of 1432	3548	AD2wC01.exe	95
PID 3548 wrote to memory of 1432	3548	AD2wC01.exe	95
PID 3548 wrote to memory of 1432	3548	AD2wC01.exe	95
PID 4912 wrote to memory of 3076	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	105
PID 4912 wrote to memory of 3076	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	105
PID 4912 wrote to memory of 3076	4912	e0cc677c0ceaef03dfeb2e5289b284d1.exe	105
PID 3076 wrote to memory of 3140	3076	6eV4TL2.exe	107
PID 3076 wrote to memory of 3140	3076	6eV4TL2.exe	107
PID 3076 wrote to memory of 992	3076	6eV4TL2.exe	109
PID 3076 wrote to memory of 992	3076	6eV4TL2.exe	109
PID 3140 wrote to memory of 4124	3140	msedge.exe	110
PID 3140 wrote to memory of 4124	3140	msedge.exe	110
PID 992 wrote to memory of 3584	992	msedge.exe	111
PID 992 wrote to memory of 3584	992	msedge.exe	111
PID 3076 wrote to memory of 2336	3076	6eV4TL2.exe	112
PID 3076 wrote to memory of 2336	3076	6eV4TL2.exe	112
PID 2336 wrote to memory of 3628	2336	msedge.exe	113
PID 2336 wrote to memory of 3628	2336	msedge.exe	113
PID 3076 wrote to memory of 2396	3076	6eV4TL2.exe	114
PID 3076 wrote to memory of 2396	3076	6eV4TL2.exe	114
PID 2396 wrote to memory of 1584	2396	msedge.exe	115
PID 2396 wrote to memory of 1584	2396	msedge.exe	115
PID 3076 wrote to memory of 4652	3076	6eV4TL2.exe	116
PID 3076 wrote to memory of 4652	3076	6eV4TL2.exe	116
PID 4652 wrote to memory of 4876	4652	msedge.exe	117
PID 4652 wrote to memory of 4876	4652	msedge.exe	117
PID 3076 wrote to memory of 3212	3076	6eV4TL2.exe	118
PID 3076 wrote to memory of 3212	3076	6eV4TL2.exe	118
PID 3212 wrote to memory of 4888	3212	msedge.exe	119
PID 3212 wrote to memory of 4888	3212	msedge.exe	119
PID 3076 wrote to memory of 2196	3076	6eV4TL2.exe	120
PID 3076 wrote to memory of 2196	3076	6eV4TL2.exe	120
PID 2196 wrote to memory of 3600	2196	msedge.exe	121
PID 2196 wrote to memory of 3600	2196	msedge.exe	121
PID 3076 wrote to memory of 4836	3076	6eV4TL2.exe	122
PID 3076 wrote to memory of 4836	3076	6eV4TL2.exe	122
PID 4836 wrote to memory of 444	4836	msedge.exe	123
PID 4836 wrote to memory of 444	4836	msedge.exe	123
PID 3076 wrote to memory of 4472	3076	6eV4TL2.exe	124
PID 3076 wrote to memory of 4472	3076	6eV4TL2.exe	124
PID 4472 wrote to memory of 4044	4472	msedge.exe	125
PID 4472 wrote to memory of 4044	4472	msedge.exe	125
PID 3076 wrote to memory of 4492	3076	6eV4TL2.exe	126
PID 3076 wrote to memory of 4492	3076	6eV4TL2.exe	126
PID 4492 wrote to memory of 4824	4492	msedge.exe	127
PID 4492 wrote to memory of 4824	4492	msedge.exe	127
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142
PID 2396 wrote to memory of 6112	2396	msedge.exe	142

C:\Users\Admin\AppData\Local\Temp\e0cc677c0ceaef03dfeb2e5289b284d1.exe
"C:\Users\Admin\AppData\Local\Temp\e0cc677c0ceaef03dfeb2e5289b284d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AD2wC01.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AD2wC01.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZQ12Tx4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZQ12Tx4.exe
    3⤵
    - Executes dropped EXE
    PID:2400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 608
      4⤵
      Program crash
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4HP775hS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4HP775hS.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eV4TL2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eV4TL2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7507430151750597918,12191094860374915370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:5092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7507430151750597918,12191094860374915370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:2900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:3584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6849847852541340747,12461668997993868835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6849847852541340747,12461668997993868835,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:3628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7567924035315272042,1809923012056381909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:6324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7567924035315272042,1809923012056381909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:6316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x8c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9946421103921072487,12994215748306941854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9946421103921072487,12994215748306941854,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:6112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14041916484421706360,2323875614218597831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14041916484421706360,2323875614218597831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      4⤵
      PID:976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,9738893475611804805,7589416876080931346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,9738893475611804805,7589416876080931346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      4⤵
      PID:6392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:3600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8553712175422526499,15046610298532246538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8553712175422526499,15046610298532246538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:1128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:5796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:6760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:6752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
      4⤵
      PID:7820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
      4⤵
      PID:8124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
      4⤵
      PID:7248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1
      4⤵
      PID:7388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
      4⤵
      PID:7520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:5840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2324 /prefetch:1
      4⤵
      PID:7240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      4⤵
      PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
      4⤵
      PID:7596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
      4⤵
      PID:7276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7068 /prefetch:8
      4⤵
      PID:8676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4012 /prefetch:8
      4⤵
      PID:9060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7944 /prefetch:1
      4⤵
      PID:7608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
      4⤵
      PID:5924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:9012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
      4⤵
      PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9304 /prefetch:8
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5276835940698855856,15253704488378807772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9304 /prefetch:8
      4⤵
      PID:6812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,11713302091160725793,18199455682229245335,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      PID:7476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa1d7246f8,0x7ffa1d724708,0x7ffa1d724718
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17452996330283140563,5483361334327537211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      4⤵
      PID:6528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17452996330283140563,5483361334327537211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400
1⤵
PID:3564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x438 0x4bc
1⤵
PID:9020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\FF79.exe
C:\Users\Admin\AppData\Local\Temp\FF79.exe
1⤵
PID:9048

C:\Users\Admin\AppData\Local\Temp\D22C.exe
C:\Users\Admin\AppData\Local\Temp\D22C.exe
1⤵
PID:5296
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:9032
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:8480
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:6956
- C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\is-JKBDV.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JKBDV.tmp\tuc3.tmp" /SL5="$302D0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:6616
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Query
      4⤵
      PID:3548
  - - C:\Program Files (x86)\xrecode3\xrecode3.exe
      "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
      4⤵
      PID:1176
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:6240

C:\Users\Admin\AppData\Local\Temp\D6F0.exe
C:\Users\Admin\AppData\Local\Temp\D6F0.exe
1⤵
PID:6268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:6416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    PID:5616
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1664

C:\Users\Admin\AppData\Local\Temp\D8D5.exe
C:\Users\Admin\AppData\Local\Temp\D8D5.exe
1⤵
PID:6676

C:\Users\Admin\AppData\Local\Temp\99A.exe
C:\Users\Admin\AppData\Local\Temp\99A.exe
1⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\1F37.exe
C:\Users\Admin\AppData\Local\Temp\1F37.exe
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5990c020b2d5158c9e2f12f42d296465

SHA1
dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4

SHA256
2f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643

SHA512
9efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
33KB

MD5
909324d9c20060e3e73a7b5ff1f19dd8

SHA1
feea7790740db1e87419c8f5920859ea0234b76b

SHA256
dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278

SHA512
b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
190KB

MD5
d55250dc737ef207ba326220fff903d1

SHA1
cbdc4af13a2ca8219d5c0b13d2c091a4234347c6

SHA256
d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd

SHA512
13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ef5d906d226b1b74485754e4451ae1c5

SHA1
ef028ae7b4a67438bbed4bad0daa76bddf382c6b

SHA256
dc4a015982f98e79a1c91864346399d024bb45d5e4069d5d2af6cd7efa75a9ef

SHA512
dfc8b100ce9ddc0302ec7ed11bd4a854fd5290ebcc26f489a1474f7c8ef8451d0d33529d519ad7d60a43ab111ce77b96d114e320f8c64e129032bba46e20a199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb26c3dd58a9e6bfcd7c3a482f4ed822

SHA1
e9cf2d9d0502b3d383571329f744ab4c3c1d436a

SHA256
9e8bd30da8e3b946d5d35d847a467a8e33acbd4f5314e9e4fd7cb97e87009b0a

SHA512
5aa96aa54ef012ceb5b75c5283a01b3c0f81e2fc4548cebe4bbb50be9f74c78eb14852193d53ef9061aa82ddb02f3935d5a5422c081b3d540195c9b87db1c023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad3cb169c0b6d339034659f75a55ad5c

SHA1
79868b1d2d4fbd23884e74efc52f57c443a0a1a2

SHA256
8cf5e1878d39a75108d2000ad369d231000887a9c354d10b4da011580b6a3c61

SHA512
cee27d4e98b83a13dc18c6fe9159281e02bafc1ff1b945fa00210190be972e4acd146cb7313f8e625d919d3b647710b64b5f174f0d5dfcf76ed6751f3b5ec947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
388a840ce583c35ff22237abb494c4df

SHA1
9336ddd6a31bfb7b8b1f01041c4f2b3a65a3b052

SHA256
0fa2794d5cb17f6b4af6a48cc7a46a3018f7d69c5994c76c135cf2937aff76f1

SHA512
670913567217bd71fd425e1c8a620ba541f12f1e171980e9c531f952e779977316273a9c66b489026686b5b626561643c32aec1c654380b7a9a5e041ec7eddce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9e1b4475-ece3-4e6b-aace-7c5c4c7bc7ac\index-dir\the-real-index

Filesize
2KB

MD5
a0d251d7d5cb9f62f1940cee2f8fee1c

SHA1
0261b5504e6f59f889217d3587e7cc2e7b40da0f

SHA256
f86a55b973b7d4fb2c4b875063e85e27604f2753cd1cd657e947afacb19b8a43

SHA512
913178b185d228e22fdbb6ea5ae543eb886f0c8f0115538dce0566bf96eb60a44a4e1a9214508b2b27f07223d631666eaad5f864a827bfad3950744e5bf8a6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9e1b4475-ece3-4e6b-aace-7c5c4c7bc7ac\index-dir\the-real-index~RFe59450e.TMP

Filesize
48B

MD5
5d85b2e0f5f49629c1b599fccaa86710

SHA1
07e9ca10e314d8cf474d206d6fe7c2a242aa5983

SHA256
c34738b3bf2f55334f21a4b1ddc7775dee636b189ee2a34f2ddb69d9a3530caf

SHA512
cdada5186d36466e0699cc8de295d270ae09663780a5292caba9cbc70d084f4bcf8259e505123ad3ab4bb0763f6e693f09277c02386ec204bccc8a735980300a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
34954b4bef72616046b2d8df04380b82

SHA1
1ea491d0dbfef4efc1bbc86878ab8248d8e09f47

SHA256
67ae3cf132f271ade9f87f17071b77014263be63c568558fdc669d0f6745dbc2

SHA512
6c82927229ae434263bbdf335246ff1e30c07c6161ba0a3d07273b4b97fbdd28e0a69a734fe59c6f5c7c025174a440057eb8bf11b19ee211802cb7fd81e70c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
e3db24d70a28b81aa9d82d42c82ac56f

SHA1
ec925313924f1fb7dee760714a595cdf5231a581

SHA256
a9b23f0ee5054268c4434fcf1198a1b79395d76f40a7b6553956732062871b1e

SHA512
16f2c8239494472a13b556650cd307023064a375f58a20983abb1fe778291bd8c3aaea9f2c163e7d216e5f6a6e2a648afe3878a3dc4377c0da2e2070c5b0f2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
9c2cf31ac001756b2457445704b3a902

SHA1
6d1403e5abd7583e2b32624b2c5077d6690f96b5

SHA256
05780b2e0479e1bd977d638340abd4c6b3ef7003354ce8df4b45ef19f5bf69f5

SHA512
e7f39194c2b3a2ddf02b6784bca6f0fcc6d377f4dcd3e7e692fd96411ef6d0a7db54bac3bc6dee21d1c365079de53e48313670c5163e9a9860e1e4ecc1aeeb80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
afaa54d9babb85db7670856b6cccf7da

SHA1
b74fff2f789181051d43ea7f5b003c5dfc376da4

SHA256
1a5715538ee4b76e4696dbf27cde14398d46dda149bfd58db694201d65cff063

SHA512
86f8aaa1fe880f1b79565889a0b0476f4e70ac49cbc8ec66a9446cf49dca91d8094db35155e4dcb649ad85e77ab3989d2cb7e59beb8bafc20efdd0953fea4028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9cb90bef79b28f365a56a5390fd4f397

SHA1
151253e73f080144327559ec0ac503d1808951f2

SHA256
ca7709bce8ce88874f4471875ae26c9dd7886eab04d1241c486c7e17f97f769f

SHA512
97619ccbb834464f1f780859efd3c6b6ea7a2e1534c8c72000b7386fc0201c961b94b311a7bd9fc47e71a1e3a7100fe8814253cd9038dcf9d2647bfbe9188792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592b6b.TMP

Filesize
48B

MD5
7d9578649686fa332d5db3669025128d

SHA1
bb474dcb6d7000a45f47cd884258e28d639ff87c

SHA256
4a36e83049fa88985a7ff193c068c9b5a1c493c65749db005ff190b6a0473964

SHA512
d81b331d94604825660f3804ad3abf03c19291675287a4df848476f64deb7022a12a7cbffd3face05d091550b8d39048e4a68c9612a6ac7b6892222f0aa74ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
669abe512fc48cb7223e7de73c6a02e4

SHA1
4aee9616a6226ae483c8740b535951a5eb306885

SHA256
d649682b7ec923dbf4654db6607cf749c5ae5ff3c49815482ace897768d8c068

SHA512
8bebda68f620c5b861b2a55e74625f5cb2b15185c2cfed55351024258112805472ad977d1e55d74def5ad0fa69a07b2cca4871565f067a44830d518311da0221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7cdb654995370b78096a4e7932c2eadd

SHA1
7e0b9c9fb8ac6518857c9704454c183b3e9a85c2

SHA256
4796d7792167e6cc04871f66740491b324dca14b36b6550f9b5df06bf6fe655a

SHA512
88a157c993e8bd135647f69021e894c327e99824f2d22b144e25a114c379481074b478dc4cefac0f7d69f7849a3bf3d2770fc94f0f82c109d2efb94c98a6079a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bd73def918f2a3873543448b22e19032

SHA1
1b3edd938abb98eba404dfcbb4ef73881888a980

SHA256
7288dde10dde0cd9d201f4eaf47411d8354bc25377db7b141150a1d15da74f94

SHA512
dd2b8112fc409721d0e421d43f86501126b7f2e8bd41a23443fb44698718339f3c0c0dbe5c9fce7000bc24f15dfd28b3414b7d7871c5a5fb736627b12913c40b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
799ee606c75a3cd680a8b49ba1f1880d

SHA1
446cd261e60a2e686d7cb909720dbb3a35a47f8b

SHA256
7917d7309b3f87c068ed451cda2f143db30b05096314431dbe8652bf9698a632

SHA512
4f88579767d17dc281a84374323fcc8853072eec7ef7077e593545d449887976ca811dab417568d37260f325a0df603a210b0e83c49b800b5fa38f2045fbb7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c40dddefa1d7927eb0aa547acf477f2

SHA1
44228247cb9824aa149d4442487a486827d652ad

SHA256
2dc77393e1ac540146ab0d9cfb1061e00dcd6c138162cc22e3040fe4d9705931

SHA512
dffa7745916ece1224445341363bcce8bad6ea3bea6401ccf10edeb763b94c152f3f582f0630f8d34b593d2dcd43d70064768fde8d56d5bd69f4e417320d983f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590555.TMP

Filesize
1KB

MD5
b1c9ae249e99b41bee85687fb02366ef

SHA1
ce3500badbb85522f051dcefd346254c0d7cd3b8

SHA256
cf37b10c9298702577aa8df6ffea1b46b7ede5729d22bdba9e58e20c509153ec

SHA512
d40e1db58d1376276306bff2c9bfcbcd0cbb68f5e393526d19dc91843c248a2bb8bf7c9ba9a15fceefa7613200c0790a6fd0636146884f0d1a07a08419a04a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8dae41a246ec7e3224c65da9154f8180

SHA1
51c793f0164553d2588a869d5c55321510237a6a

SHA256
ec4065cb8bef4ffe01d5ae3cdb82c367801affde81b1585bce00c5479ea9c242

SHA512
a959ab414fc0cf1f478c0d1f621aed49767d8a1e2420395662b0c5f23aee9e8b1e6a47aa89ac0d0bf99d94b7957cf0d3aa20239220e5856863bb523d55604260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7c0a5c0fdfc88e6f5c38ddeca81ae843

SHA1
90e4ce38595e321e5878ba4849d8aa3502b783af

SHA256
a62dd4aa26a9799c4adb56c24ebf73eacab5748aa1b6e8ffe824f15e2dbf31e8

SHA512
8a75a752e8b90430064006513723aa84e13e67a48579c369caa1ef6324455a7c454c27c274648f94e89e553357517c949ae0c961f1a1bdd1a31ec2c8ed91cff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
ad12ad1a97aa17901ab327626903ef6a

SHA1
38c9bae3df9d715b4334587cae0d7c6cb6d0dd5c

SHA256
9409be67e840ae75d2a74aedc987ed3e4b33617db31f789ed07b7394249621f9

SHA512
4150f2a2039c5771ea4423c4512d6c3949b91b0b9916648ccf403fb7ca6425a41687a37369b1b8aba2615e216518845c3214a242e2798a8f573e408350a1044b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
f5618542666cfd6fc2ba3eebe27d0cd0

SHA1
82950108519748bc8a6a3b29cf48f469592fa40c

SHA256
a6dd6fb01b676efeb4ffa27ceebdd5dd2d2b762320a7aeb6d316d54aa131317e

SHA512
45eeca6c3c595307a6f9a29518476d16630121c825e02d0f382114acfb3e8494dd5014b2ffc919b874cd5bbebe45fa99e1ffab694c679e38dd06a74591516557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
bc325ad4d851f5d676510ca98c6214dd

SHA1
e5d59cf2a1969bfb1ee892cb1613eeec47a67963

SHA256
514a79441655556b726e72ccbcb2e82e31d73dee6e80437fe64bf17c6d7550d9

SHA512
a8170d32c3b76b98a2613e989a2895823e41d9afaa57ecbe36b46fa00d3e0d0042f9eff10c9d5be97735ec303bcc7d1f27b37bbea56542a316967cb0cfc3ef48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
390392062cbd726f40e28405be37fc76

SHA1
029fcbf6d52772a4e074c3c36d6eaeda428ce577

SHA256
f10617210aff738cb8f569c23adcff2bf10e8e0a76985bbf430fbbabbe0735da

SHA512
8d683cbe92e0f0e0ee09241d115fb2db7a91f63899d4d9c1fa1bf79e195e71d77e1b6b3dc77166d60320329e3852d9696438d2958485a64f1d36f6d4acc42bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd916a0c3f3c2f7aa90e4e361619df60

SHA1
973aacefeeb3ebf103ae2727564cb3ff9fe0aac5

SHA256
15b2bbae505e183867c4caad51f0faaa3738418af913634ef322aa5dd2c90c0a

SHA512
4a5b48ff85390ffc901552a442db5a9c728bd4b984315353d470eb7fc30549969c1ad4f8ed6693d100cb43ff40a63fef67e54dddd8919de35b596ccc1ef1b833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a3dfa58a9f7ead13d05498c2b43e4a35

SHA1
249985b15d6097d363ebc8d94fec5a80ee1cc5da

SHA256
8b4c9e6048cccbf986e6a66e0ae865973ca510c850400ea4b5129aee4f9ff317

SHA512
4184ed916666726421c4eb6ac6582029a068c585756bfc79b9b6594e5ed4ce2cda9d8bd003c26a8bb78840b0144914f059960a7f54898aefa4ae03e7899cefd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8fae9f862d6e33d7d51a0cbff7b15c4d

SHA1
730d4ea77f4ceea2501fda9f3b98e3d32fb62e39

SHA256
f5ae6ce166bd8be1ed961791a8dd5c7acdd08e37f0db4b2b6171d0ffc3083de3

SHA512
0722f957afbc78a21b3cf6fdad45d89131dec7e5d523cab789a7261956246ea617073c9c04d5b5199a012da45908e27f268ecacf329ad34f4ed52a5b35128703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\de7b2ffe-ba6c-41ef-b6bd-073971d35ddc.tmp

Filesize
2KB

MD5
d021078106d2c9fa04c95488203775e7

SHA1
22687f0d79fd46cd9cb6f40a8b750d6585167899

SHA256
6f237216cbfab3951e64d6f61a28903af77f7ffa8feb71a1ff3eaae1af5e74d5

SHA512
54e4cfe820c9bbe20dac0982d31d9a51b2829d1690f905cf51320e1239695da2c5ee368c69d0720640548a4f14fe94278e121a838ec346ba2b8f2e9e1c3eb580

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
704KB

MD5
c2f66d15f2d6c660047154704e7d186c

SHA1
36f72e94b82ed17f36d0ca722ada953b0ebc5bf4

SHA256
8cf00f2d21fe713193ada5cb47b37be9d872fbff4d025ed14567785c09411f1c

SHA512
3126404938b881d2d5520a1f5e2a5274d4bad56556087f7702a620256930736e10db1ac324e2c46991a7322a99270eef47087dc7d8c405691a683db012cf4f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6eV4TL2.exe

Filesize
898KB

MD5
0277cb848ae683761925b8a5e7587008

SHA1
8f8f4b4dedb02ce5a57e79b476392c64355e278a

SHA256
fefbc0ff6f6747f540702fce938cf2a9d144751801cf3293ab527398bff7b1f9

SHA512
efc19f4e2b115eb8b40a1c5068f09042f811c3a5b9127617658d63e1b88d83de9080bb8a8a19b865348f796b5c222f928e1c2da4f25ac5a6828610c37f3d4cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AD2wC01.exe

Filesize
789KB

MD5
334f15943c07385a58df35a525be82ca

SHA1
5e6bae7226a7521eae184bebe45a06c8e2bfd359

SHA256
116cca59c0a9a87322738bcb8a1f0f0bf886253283ab667436ff08fecb7d2e55

SHA512
3ae157816732cca2381f419cacb26a1c0dd2f3f674a672062d93b5022101947066ab1fd6370c7bb231ec1a7e9e2b6cfd463e242ab1c0cbfc999ee68c41919b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZQ12Tx4.exe

Filesize
1.6MB

MD5
6de2b1be9c682e67206a88a9ea6383a9

SHA1
5be95e9e344aeb11cbcda3f2c09dfd61575c4276

SHA256
5a2b75ddc0529bfbe106085aad0e8038c175a048bcf39152345c977ad2914db7

SHA512
cace1efdfd705753e6d2d295a97b895fd78c84e5cd7b11d6e772a183f8752176e4548651312cc57ec1b45176561fd620514d216569543ae2dd0f1db7037a50d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4HP775hS.exe

Filesize
37KB

MD5
57df87898b1d24fdb814deb03a0f299e

SHA1
51c1bc099df92143888371c2e6e0322e7c370ee4

SHA256
27f1141ef0567cd7cea9a4c45dccb6954950a1413cd075e1156577b5d3edc741

SHA512
3b1d5634df89e90f5765a3f4fc05767a55d48e7623f3ec78587359056f27cff2891829de261cf3b51a332d33465be6697c48d2d9b44d3f48b1f5602e9158b9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
1.2MB

MD5
0a56821104ab48512292bcf741bd4300

SHA1
5d828f3e40953d8f0dca23f279135a426e7d6972

SHA256
b06e0cc64c39887853e503556b9300f3ed6231a2b0a660753a514a0a664af94c

SHA512
367df162068ce90fa907188819c29dd7f5664351b88f1d1cd40d6a22889d6b34f30d140fbd9ba160f63bb90e99ba39da5459e7a9a5bd6cd72934bfb20777bab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
512KB

MD5
8e7743d807112cd3b9e0e5aedaea9085

SHA1
f4a641c5fcf31677a7a14aa469bf2898b28aaa14

SHA256
28a6ac13a45e96a06a88d5dcd5ab66bec44a1a0ee87e3b9828cfd87ad8b37631

SHA512
952d645be27206ae50339ecb105613bc026d07503336b4adcbb716a6308f459552e92fa48b7e2ad0bb69141c6e8420028357a1393af5038bfa73858eec79715d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
128KB

MD5
5a3179d15184b45850bf245e892f98b3

SHA1
c897b5644d8eb2b7a271c959bbd651509af1cc44

SHA256
b49e0cc77cacc82ebcf1cc86e57d3265915561fca32a72d42a60fd0253c6559d

SHA512
18bc62ac3b4a85bfa272c28763999741631e1e5da7df61aa85b6f9b9b4d381b9818e7b6dde3f1114dfe7f34a44e68eda016be6d69bc2a8ac40ecac0cb60da1da

Download Submit
memory/1432-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1432-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1528-925-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3220-18-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

Filesize
88KB

Download
memory/5296-840-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/5296-866-0x00000000006D0000-0x0000000001B86000-memory.dmp

Filesize
20.7MB

Download
memory/5296-951-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/5888-926-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5888-923-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5908-953-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/5908-970-0x0000000000290000-0x0000000000842000-memory.dmp

Filesize
5.7MB

Download
memory/5908-1043-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/6416-837-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/6416-879-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/6416-850-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/6416-853-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/6616-948-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/6676-869-0x0000000007D90000-0x0000000007D9A000-memory.dmp

Filesize
40KB

Download
memory/6676-922-0x0000000007ED0000-0x0000000007F0C000-memory.dmp

Filesize
240KB

Download
memory/6676-909-0x0000000007E70000-0x0000000007E82000-memory.dmp

Filesize
72KB

Download
memory/6676-905-0x0000000007F40000-0x000000000804A000-memory.dmp

Filesize
1.0MB

Download
memory/6676-929-0x0000000008050000-0x000000000809C000-memory.dmp

Filesize
304KB

Download
memory/6676-889-0x0000000008D50000-0x0000000009368000-memory.dmp

Filesize
6.1MB

Download
memory/6676-867-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/6676-865-0x0000000007BD0000-0x0000000007C62000-memory.dmp

Filesize
584KB

Download
memory/6676-851-0x0000000000E20000-0x0000000000E5C000-memory.dmp

Filesize
240KB

Download
memory/6676-852-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download