eternity | b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c

Analysis

max time kernel
32s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe
Size

1.2MB
MD5

418e500d158af2528ed9f68738eff187
SHA1

b763bc802a126c217fd694a67ac2771de17560bd
SHA256

b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c
SHA512

b94f853ddfcccb53bb647fbe2fe8d5a8188aa551be664cf401337d6e7f5ffb41869600c612213dc9e3e1df7058a8fdd09549f7414c74aaa5bd9ba32fe9bf15a0
SSDEEP

24576:7yiOew20WDNd4PRCXyWv16zK7BnMyX9grldicthYAqObyOK:uiOT2hWhWv16zK7ZerlLthfqObP

Score

10^/10

eternity glupteba privateloader redline risepro smokeloader @oleh_ps up3 backdoor dropper infostealer loader persistence stealer trojan

Malware Config

Extracted

Family

risepro

193.233.132.51

Extracted

Family

smokeloader

Version

2022

http://81.19.131.34/fks/index.php

rc4.i32

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral1/memory/4636-1128-0x0000000002D90000-0x000000000367B000-memory.dmp	family_glupteba

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5328-761-0x0000000000F70000-0x0000000000FAC000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3884	PF2iZ70.exe
3496	1jK83LO7.exe
8	4zO117jK.exe
4592	6QN9dD0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PF2iZ70.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000230f0-23.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3156	3496	WerFault.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4zO117jK.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4zO117jK.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4zO117jK.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	4zO117jK.exe
8	4zO117jK.exe
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found
3292	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
8	4zO117jK.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found
Token: SeShutdownPrivilege	3292	Process not Found
Token: SeCreatePagefilePrivilege	3292	Process not Found

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4592	6QN9dD0.exe
3292	Process not Found
3292	Process not Found
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
3292	Process not Found
3292	Process not Found

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe
4592	6QN9dD0.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3884	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	89
PID 4516 wrote to memory of 3884	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	89
PID 4516 wrote to memory of 3884	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	89
PID 3884 wrote to memory of 3496	3884	PF2iZ70.exe	90
PID 3884 wrote to memory of 3496	3884	PF2iZ70.exe	90
PID 3884 wrote to memory of 3496	3884	PF2iZ70.exe	90
PID 3884 wrote to memory of 8	3884	PF2iZ70.exe	94
PID 3884 wrote to memory of 8	3884	PF2iZ70.exe	94
PID 3884 wrote to memory of 8	3884	PF2iZ70.exe	94
PID 4516 wrote to memory of 4592	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	104
PID 4516 wrote to memory of 4592	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	104
PID 4516 wrote to memory of 4592	4516	b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe	104
PID 4592 wrote to memory of 2252	4592	6QN9dD0.exe	107
PID 4592 wrote to memory of 2252	4592	6QN9dD0.exe	107
PID 4592 wrote to memory of 3468	4592	6QN9dD0.exe	109
PID 4592 wrote to memory of 3468	4592	6QN9dD0.exe	109
PID 4592 wrote to memory of 3952	4592	6QN9dD0.exe	110
PID 4592 wrote to memory of 3952	4592	6QN9dD0.exe	110
PID 4592 wrote to memory of 1128	4592	6QN9dD0.exe	111
PID 4592 wrote to memory of 1128	4592	6QN9dD0.exe	111
PID 4592 wrote to memory of 2060	4592	6QN9dD0.exe	112
PID 4592 wrote to memory of 2060	4592	6QN9dD0.exe	112
PID 4592 wrote to memory of 1532	4592	6QN9dD0.exe	113
PID 4592 wrote to memory of 1532	4592	6QN9dD0.exe	113
PID 3468 wrote to memory of 3108	3468	msedge.exe	119
PID 3468 wrote to memory of 3108	3468	msedge.exe	119
PID 2252 wrote to memory of 3992	2252	msedge.exe	118
PID 2252 wrote to memory of 3992	2252	msedge.exe	118
PID 1532 wrote to memory of 1164	1532	msedge.exe	117
PID 1532 wrote to memory of 1164	1532	msedge.exe	117
PID 2060 wrote to memory of 3724	2060	msedge.exe	116
PID 2060 wrote to memory of 3724	2060	msedge.exe	116
PID 3952 wrote to memory of 4872	3952	msedge.exe	114
PID 3952 wrote to memory of 4872	3952	msedge.exe	114
PID 1128 wrote to memory of 1152	1128	msedge.exe	115
PID 1128 wrote to memory of 1152	1128	msedge.exe	115
PID 4592 wrote to memory of 4904	4592	6QN9dD0.exe	121
PID 4592 wrote to memory of 4904	4592	6QN9dD0.exe	121
PID 4904 wrote to memory of 1284	4904	msedge.exe	122
PID 4904 wrote to memory of 1284	4904	msedge.exe	122
PID 4592 wrote to memory of 2524	4592	6QN9dD0.exe	123
PID 4592 wrote to memory of 2524	4592	6QN9dD0.exe	123
PID 2524 wrote to memory of 4616	2524	msedge.exe	124
PID 2524 wrote to memory of 4616	2524	msedge.exe	124
PID 4592 wrote to memory of 2292	4592	6QN9dD0.exe	125
PID 4592 wrote to memory of 2292	4592	6QN9dD0.exe	125
PID 2292 wrote to memory of 3472	2292	msedge.exe	126
PID 2292 wrote to memory of 3472	2292	msedge.exe	126
PID 4592 wrote to memory of 4552	4592	6QN9dD0.exe	127
PID 4592 wrote to memory of 4552	4592	6QN9dD0.exe	127
PID 4552 wrote to memory of 4916	4552	msedge.exe	128
PID 4552 wrote to memory of 4916	4552	msedge.exe	128

C:\Users\Admin\AppData\Local\Temp\b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe
"C:\Users\Admin\AppData\Local\Temp\b82658962e00a3ca98342cb5ca49b7b3d84f439a0876de416e9b2d1d8d4add0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF2iZ70.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF2iZ70.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jK83LO7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jK83LO7.exe
    3⤵
    - Executes dropped EXE
    PID:3496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 608
      4⤵
      Program crash
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zO117jK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zO117jK.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6QN9dD0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6QN9dD0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2800397562748450288,5581249816957726093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      PID:6308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2800397562748450288,5581249816957726093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:6292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:3108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17976531715994569336,8905384427224819413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:6284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17976531715994569336,8905384427224819413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:6268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,10842646476336684060,17667758576054021451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:6244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,10842646476336684060,17667758576054021451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:6252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x160,0x170,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:1152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,16481480857579241641,6488501391380003984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      PID:6276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,16481480857579241641,6488501391380003984,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:6260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:3724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:6632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:6352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:6328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:6724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:6584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
      4⤵
      PID:8104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:7668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
      4⤵
      PID:6124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
      4⤵
      PID:7624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
      4⤵
      PID:6288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
      4⤵
      PID:7852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      PID:8288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
      4⤵
      PID:8504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      PID:8480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
      4⤵
      PID:8648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
      4⤵
      PID:8928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
      4⤵
      PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
      4⤵
      PID:6900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9324 /prefetch:1
      4⤵
      PID:9144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:1
      4⤵
      PID:5556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1
      4⤵
      PID:64
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
      4⤵
      PID:9212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9876 /prefetch:1
      4⤵
      PID:4008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9668 /prefetch:8
      4⤵
      PID:1880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9668 /prefetch:8
      4⤵
      PID:8016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13892184465792993547,12794941537638066516,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
      4⤵
      PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:1164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16337734100216306363,13400067855799494301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      PID:6316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16337734100216306363,13400067855799494301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
      4⤵
      PID:6300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11926931139081262532,6811433697957264713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      PID:6224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11926931139081262532,6811433697957264713,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
      4⤵
      PID:6208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10473061688288290616,11765816663808658276,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:7148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10473061688288290616,11765816663808658276,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:7140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:3472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,7286059138926589161,14887078787528165937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      PID:6488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,7286059138926589161,14887078787528165937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:6480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff81d3746f8,0x7ff81d374708,0x7ff81d374718
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9704470221611519537,12056500526421264105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:6344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9704470221611519537,12056500526421264105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3496 -ip 3496
1⤵
PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\F70D.exe
C:\Users\Admin\AppData\Local\Temp\F70D.exe
1⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\283.exe
C:\Users\Admin\AppData\Local\Temp\283.exe
1⤵
PID:5456
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  PID:7460
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:7448
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:5816
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:9028
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  PID:5192
- - C:\Users\Admin\AppData\Local\Temp\is-MRT52.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MRT52.tmp\tuc3.tmp" /SL5="$4027C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:5308
  - - C:\Program Files (x86)\xrecode3\xrecode3.exe
      "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Query
      4⤵
      PID:1808
  - - C:\Program Files (x86)\xrecode3\xrecode3.exe
      "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 1
      4⤵
      PID:5764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 1
        5⤵
        
        PID:5804
- C:\Users\Admin\AppData\Local\Temp\latestX.exe
  "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  2⤵
  PID:8736

C:\Users\Admin\AppData\Local\Temp\841.exe
C:\Users\Admin\AppData\Local\Temp\841.exe
1⤵
PID:5992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    PID:6368
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6108

C:\Users\Admin\AppData\Local\Temp\DCF.exe
C:\Users\Admin\AppData\Local\Temp\DCF.exe
1⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\7034.exe
C:\Users\Admin\AppData\Local\Temp\7034.exe
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\71a0eedf-e396-478c-a604-80ce5249c08b.tmp

Filesize
2KB

MD5
aecdf6b15b14d998ed576e99dcd9f89e

SHA1
ebd485dd0d7a7437a457a1a4118b71f436dd7bd4

SHA256
611a00d7109a9c3c9fd2cb73b6f09d1307d50a358441863be5d2d1b120b443f4

SHA512
f97d879edbd892b1a12bbce0be36b812f3f874d086e7c9bedf0783047f3211ce20e39ab4fa3d2172ff081ebaf1e2a3c195132f1d5dcf4e13d5fcd09ec5e21e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5990c020b2d5158c9e2f12f42d296465

SHA1
dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4

SHA256
2f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643

SHA512
9efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5b406814-c5dc-4a57-8f84-09809dc14b6c.tmp

Filesize
8KB

MD5
9420329c4c84424ae183bbab23ccd6b7

SHA1
f98b8b8adf593cb64d791ee31775d7688187f322

SHA256
9fadb68c6033b9b5c425de72a10f91bb79744b62ce73352f6e2909cb5e3a01d3

SHA512
6229cbcd016132067633621f69e4bad88b4efc9f7eab09244c1ee5ceee58be49dd1bf8a6dae777f71e61ff122d6aa3cd3ee56037e295a2765a37d831a0c74886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
200KB

MD5
b3ba9decc3bb52ed5cca8158e05928a9

SHA1
19d045a3fbccbf788a29a4dba443d9ccf5a12fb0

SHA256
8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4

SHA512
86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
33KB

MD5
909324d9c20060e3e73a7b5ff1f19dd8

SHA1
feea7790740db1e87419c8f5920859ea0234b76b

SHA256
dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278

SHA512
b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
95e356d71240567ed999003d7cfefc68

SHA1
03eac24bcd1de1878f3955ffa2a59683f4534254

SHA256
0a71391f46664bce75726c9a6b4ea6e762f43ad54ac1f161c9e1c28c36f3916e

SHA512
5679a99ceadf2548db0a9d583c7e1e02165dfab88a2d8716a6f0727e49a69482112a910c73008a343104597fe6e9e12febc0871640b6b482da366bfa144d2bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7572b668fecfe06c4638964cb4e4e5d8

SHA1
c4ae7ea06391700070f65a93925cca4a51303255

SHA256
88df478e40edbfd8a6262c10061a03988d9c47f59cc1546db4b6a558b288a486

SHA512
86ab3c94adb6060afaaa8f13ea1b0a3e1be2cd044f42e7f636dbe5ae25a182ba8470d30dd8492c18bb25a2470f558515cc391b90791b5154c652a9151f6e12db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed1e2e23ceec0a8bd846a1f12136dca6

SHA1
ff1bba03583a17e78c2418b374be958d322df7db

SHA256
811091322388ed6d8984ceded75acb579cb67bb3a7df305098e5361057d50a14

SHA512
453bff6bd3de2bd8aec5a7b2ac150f5536f9a813c8a2fdc09109f4d0f487b89990cca8d7ac1138f5efbadbb3110c078c57fd9c4a9b14c57dc41a7f654defdb36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
57a8b26a53746e2beb7a4cacfdbedc88

SHA1
12ad7abb568f44d643095cec111eb40d42587cd3

SHA256
79206b7227fb5b09fdd2eb0bb5af28963b7296b0abbdbf5bbf7a36d4203dd534

SHA512
f6fc31ddf4573c3d37e67995b729a36cdfc3ac2b8ae9cb040908f9ae5ea87f1140cff13405ea63c39dad66a136ba22fa67e7254572370004364ded9a26ac0c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6e7942c92e1010cb1c22323ac8d1761f

SHA1
d71ad7059d0a2feab78f22a8d3be6247f6765441

SHA256
f57faee788d0f943b9a6ac9c67fd64d73ce866a852b5ab32034ac08bb2beaa3e

SHA512
f85f18197e8781b086852efd34195525d495478f7c4a74dbf4b3f51a1002316f2f65f1f5e1dabf35080145bbffc629d4455dcb4a5e74a3893ca5ee67f0317391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d54acc6a3d6cb692f2fff9255aed1e84

SHA1
4f7239622304bd7e96f3170dbab1c91e07b45a37

SHA256
07c044917103fd89c05c5fe6398f8ff164b60fcf57454ddc2d754e264f496cf8

SHA512
64b0e26b228e639a4c75cf34c69fe69b32e442dda263e4694eba1192432f9c99f679756a659c5dec0ea6a58b700004d841b9e16dbbb8f19093716cebe58c6d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c4cb8dac20172b74f718058e7984d258

SHA1
5f07074b04d190080ae02faf325f9cd38bb6b424

SHA256
45746213b8cbb0ff46f93d01308e54894b7b85eb7ccea56a77e528a88ca726c4

SHA512
80084f6684c2f04de16aa326a9062329a9a8a1a71a5953e5bd5907cc08ec42152fe6680af97cf42b1e3430bf417c7ac7c4313a75ee7a116f0073d8886f66afab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cc4c449d7dd422bbbf97b539babbc4cf

SHA1
076782b668e43fb3ce0d3c0d51b0cf918674d6ac

SHA256
794703ace88323b3b7f9d3b66407638236c785eba1cd5937454ecac794a5bddf

SHA512
c1cd3a61e69a510a91da59420b1664cb0bcde1517aaae0c37ab3f3a393e42825f6c519192250d7aae9594837c802922ebe776dd8069db63fde14bd8c750ae466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
afc35a2f5c2465133ad40e53034dcdd6

SHA1
eedd606a67752cb8987e01c1cb79104ba8ae8b6e

SHA256
c4827e19545e95a6c5b233c9ac2cab3a9173bf2542249fe8e8683ae92c0b81c4

SHA512
7bccaf916ad82a18b5991851ce5e04e38fc361507d72b33f0de5ce61a5bbe4abab670ed2792c4159fd881c0180b95efce50ec95c29fabe3393e0b92550f55ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
11f2f18bc2dc6ff6b95c3e6021288d82

SHA1
b3dc4228a5e54c85f63b36583047464d70554f3a

SHA256
39a35d9cf489e14d8ebb5191b80e9bf9e05ff51c4e41f19046c6f46e93728032

SHA512
e9e6ac9d17cfcc04c2d54bbe1ec8378bb9301c8242b8ba8eb416d63a04784016955fd0cc702195d33b2fc3b418ab5bf34bba13f99ab85a4c7c36e7055f96e111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
badaaddc07f36aedb9641817442ade7c

SHA1
828b08d391c366619035d0daff6b335ee6185ce6

SHA256
ac382fa7b3c0dc19df06296cf9ae3d1dd33168bd96ac791b89061b9d3002ed6b

SHA512
dc0e31e9d15610f771ef26923ae7629ae8607577d0630d7e48b521af6dbc35a714131975ad575cbe5f5655f51bbe249bf860abebf2ed4826c8136ee222b809be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
33694f693098f189f49b8c3ff0ddf6d1

SHA1
0abab4ce5378fbea697f236ad5648b55376b3b40

SHA256
9e4f4bd14b94b6454afb2b403e871b66d473769802b073ffd07451a2cb30600f

SHA512
f45ff9bf8c5a69e103a1776a019420d0719e1910ff6d40a1fb89985c2923d29e90f7384f597c794578791637e0c7afed7ec46dc36c588e1031e34f98792a884f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b30470c0e35f4e2def91758cc66f2248

SHA1
59546bf09ff1aa8f29d72bc3a8aa56b242c8d46a

SHA256
1aaf612f7cd4c8af591e4e2d6629276365b04156359393d05d05d18b65743108

SHA512
a2c9112701be892f00682c263011f0d31ad80ec138510d88b693aeaaa5380ceeef25049c6e31ea2d7c7b187bb1a4596e29e55f7dcaf0464af504c34491314d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cbbf75d30a36bb5b6c22380c14137603

SHA1
77527fd23bbe5f57f53927ac5e95ff7f53109bca

SHA256
9e63e2a6b6593176869cd6a3a5ca95547c00682539a95a781436cdcd7524d5b4

SHA512
990377f7da2a282bd8d191d7cc79dc5cedaf41178b6490dae8e1058305ac036c295ae38be512c202ee85d16b8ac2ce614c1ba69067c312761095fb7eefec73ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59501a.TMP

Filesize
1KB

MD5
3b036d38ea876facabde59f2dfc2ff90

SHA1
853582d0c4772f8562a73db569808a779fe2d27f

SHA256
52b07fcaa78a3b07321759633eac6bbc8481a844bd7e4f57878f8af14ff6829e

SHA512
07e7897dc894481a2522c26d2e3aa200215b85d814a45dea7567701b3f961804d0331ca23bf71130eee8fb984360718dc65fde4da63baf7c7b48b4b2edf22e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
507de8dff5d5f0d4dcabac4b226ba3b0

SHA1
47d8ad07989825a5b71bf7595b683f709f6cecf7

SHA256
9a73bb561a18254b81a8a05a2f870206ccf82104c9f4ad348b0afb795593ef62

SHA512
149108aba0a8dc73a953aa7016e48a749092d69ac457d168c5d9609b554df1ed152244c3c9745e1c242434a0a6c103c1f431dd6fd5c5deb32a1d250fe170b7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4f12eda1b67edfc91786f20f4a10e790

SHA1
c098b0bd3c766f77f0524b8926b6e2cddcacb067

SHA256
24ec3f0cca49e73bb1b13261e34d37f34dbfebe63f346b354074dd86acc5ea63

SHA512
2d8899c2f809b17c32fdd6302ef9d942b5e1609753c25cfa963c1c1e0251d4dd08049af5334dd1b4e7e63f7e2b1077061aafbd9a5c5597611bacde27406afe67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
346e1f1f12e1c1af8e7edc758207a5e1

SHA1
052cae09823409b4605378011ae5cdb7ea67181b

SHA256
e41561e667c14a8a857f10d634bfb881dc686abdbc06f26024c410549c053f31

SHA512
3051d2c0ae1e9e486bd2160ed219fb2d79771a6e20986cc4f8de82971d0d5a5b0d4f6fe70face1b882f94f7ad4e604323af528eb384abba418ac77aa07202827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
0e807b9bdcd1cb94e5c94e46a0c46766

SHA1
6949e3882e176f0587ee38a8e659a86242a6e010

SHA256
afc1b202321c8db6c300ae2ab1213256669187ea52131fa8c88aec4a2dba8019

SHA512
394e84aca79f50eae155a00b215f1df49c06f535c0b9184526225f127b6e4b02a792659aa9611a038173833509a9ddd5614acacf7b7baac6d05c7267bc8faf00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
eaa673fcacf97a84869639192737de41

SHA1
5f74082c238d73f1cf4f81b3bff66f8c3d0c91f2

SHA256
e2ccff8da45234e86a9bcaa3d70244bf1a80aa810b77d60a3a69e754eca984cb

SHA512
5229d3a5fb8e7354f088b727a0efcae7f935ff20559fa81197cec3e496401bd04a44efe3570353e8dd189a1639d111dfde4dacadb50daa34d55e752aa572af22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
22c82e657d36002abd808a6db13272a2

SHA1
cb97d2e7c24852dc894df4e737eeaa79bd97bd6b

SHA256
727eb0b8bca3e28f2a07aa6f3a52eaa42c7a5d734e0b86ab27020260a0601aa7

SHA512
675db5a97c4cb646ca942c83cbc8197e183a8fe0af337f1ba615a96a4585a66a89e3c182c3dd5ce116f4031a34e3a6934b84e6de6fb1cd7efa30e854e468460b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
36e3e75f66a6d00661f7eb6d3673adfd

SHA1
30479b0749d1fd4e564a865dda03b8487b5a8c3d

SHA256
8672ef6610d0c58bf0970290044ca4fe84a666d04b94e1b82b534a9df32b22d7

SHA512
d2448048cbefda37bd362cb8043dae2cb97cc48657efdf7ae8463bcf61082d8e7e8ed10d8d73337211a313a486da4b6d4fa52df7be677880fcaec1a1840c4d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
599eee1ad254cdb0a0c8f02e9c5ee9ff

SHA1
415591eb6cb4257481c4fb8b363837024331ee67

SHA256
4c78eb3978395631dbf710c8b1f720488a6b3b2bd415cf621c56749bd3a8aef1

SHA512
74e1d35ed24eaff72049a54f08914266c2b9e98c2bb5e6f524fd286f14e8816ce42cadd993b8e188e417c331287c0663f8a5cc8484682761b16ffa542b97f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0dddc5963de67c5c25e17c3b703051ea

SHA1
b5725cb3a2db29f2304cca5d4b01db96e7642d00

SHA256
541c809c092d8feff359f4764cb85d35d3eeaffbaf1b957e26e0ab0d7383b6ed

SHA512
ab05550562376d328306ff7dd1ed45852a832a46dc914718977084119bf55e7865425c269574bc4eb68459ed4a2a9df4722b17426dcdc237088b554513939e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a0b4807fe9931a1974e8ef755df2017

SHA1
cbdb4768b495ebc377565440b6d23b268601c150

SHA256
546dfa3210da765dca16f1b4d8000ba3966c756f2d18268144c8d664ba928e53

SHA512
f487fbc8a89f135d32c769579c7058ce473a1845b727bdc25e66e8a21dd9ed74689821186b64b22da8c9695ac4e841bb316198c581fdc8014b0ac588b7977ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b40f0ebcc5660b3987e329feeb12cf32

SHA1
b1e787f778076e6e4b0db4d28071a65f37453404

SHA256
35a8b11757becde20b57d2bb911dfe1790ccf60327b4c25f8f6f200a17f9b248

SHA512
d2060541b8727815147023558759d9b7df8cb12e4a3299e3704173e602a7fc58c02852bda54ae722a4ce82d43a611fe79b747875bc7462fb585cd61f35a8b898

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
832KB

MD5
4a9e40fa8264d6e63bf044600ae92ec1

SHA1
917d952821b9c1ae38205a036ee4540afdf48f8a

SHA256
611487839bfadd009afa344945503a08ea240b2b966b924ab6c0cc160995798d

SHA512
1a1a1eb60e1710e6ad89bc3c4e7d87d032a463f905d03ff7f1a8bfc18ed81cb96951fe315659526b2ce40a55d05de3601c19643a17b915c1bb4efed43aaeea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6QN9dD0.exe

Filesize
898KB

MD5
3e46869ce9387bc292740c4db5c7adf8

SHA1
7376a4b0cc3a3fbb01df550156adc6e5fa1dfc02

SHA256
c9a903535345f300bb71a8b7fbb48320a0f2b79f59fcb00b50b85bde68a3f030

SHA512
db69d6c3bc781c70131d894690841e8443de92289b35479ab03952e34ba98f1fe47507bd2b78254c7a33aaf44fb79b0bc1dffe3765360a7c563498c9330afd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PF2iZ70.exe

Filesize
789KB

MD5
06abac249be4ce1fb8f8bfbe8f943587

SHA1
368691631b0c130cc48c90b3af763f483f669b40

SHA256
5ddfbf5dfe56f9fde9603fc8b47ab484312db9e2300b5db1bba777637395cb19

SHA512
7ac5cccb5bda58e3e43bc78034e9a2566a73d55385489c744631f2bd716ba4413ba8e0a9ced20908d77a4a4e8c67b7d4b6748f064fcbd5f14718263ccb93f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jK83LO7.exe

Filesize
1.6MB

MD5
738d5ecf522006384698060c52fe9ba9

SHA1
17e815d807387bfdf457ac5b5636a3dc37862d67

SHA256
162800e7b59f211b1695a4b14ae2ce6d0605bedda50c991eaa963303fcf5b94d

SHA512
6d3e1068d50f0ade272af1d48badcaa9216a577b8ec2554075444bfedb5659a38e0ea368cfd20e7145c50c57b4f7e9622f27aa95f55c74e023d8dc0486516f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4zO117jK.exe

Filesize
37KB

MD5
ca759eba870f1f7608683cd52c06a418

SHA1
ea8e103fa7986888eef38d76b98c250267f1e266

SHA256
71392b1f714c9c271a4bc9e79f8736062719d004ba8a5ad4c9332a40f95d482b

SHA512
15eeb1829517bc9280d72ad723e81e3f49101e2b4802980db3b6729f4dfd02f9fde9f88f1e729c6b79778e9ff24c474d6013a6c5939ccdd8bfc6f5e515207b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
1.2MB

MD5
59d0b1da6248e22c448668eef019c82a

SHA1
61dc1313fc9c90a39a54ce248882f93d929b00fb

SHA256
db5a2f1340e0394a0c5400f893a62f5f2f4b9d2fadd9a01c72322f235abe2d08

SHA512
9204c6caf33d40afa12abeb14a35dec1d341ee3a8c196e4a8ae6b041af4c8d5560356f598a4c43d9adb46f6cc5150541149c534170076a2dcef80ca012ae40e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
832KB

MD5
99a4172e07fb4619e4e2960607f082f2

SHA1
0f827a54a776bc65c319f165ab8568db550f2897

SHA256
5c5d53c2d27b987dd03014bd1627b6af11248612dfe101e6f84cd450a03658cd

SHA512
01121b0cdad5a9c8b7acd8e77c236104441cc242699e4aa38f6f5cec9832a297c3a45f4955f36b150687c7046110bbd42f9dd4b366790d17f88adbe482e5ccbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
291KB

MD5
cde750f39f58f1ec80ef41ce2f4f1db9

SHA1
942ea40349b0e5af7583fd34f4d913398a9c3b96

SHA256
0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

SHA512
c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc3.exe

Filesize
1.2MB

MD5
312dbad72fbc4a4a97c1c269e0ecae76

SHA1
1d5864b8eb96c1c4fd45667b0a0981643183fa10

SHA256
3afa784ee5c99abf77ca1e6037d2603f9ec187658e854d3ec509164ed858e01b

SHA512
9d2ae8933d0425ae0a71e502b378c2e958a2274f8ce97c40e07e6e9bf9353bc748e0665e9b6f5c7aba0426b180510d2c419616f0167b13ac56398fc88dd31d02

Download Submit
memory/8-20-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/8-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/936-1065-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/936-1066-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/936-1069-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2056-1083-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2056-1084-0x0000000000680000-0x0000000000C32000-memory.dmp

Filesize
5.7MB

Download
memory/2056-1089-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/2056-1087-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/3292-18-0x0000000002390000-0x00000000023A6000-memory.dmp

Filesize
88KB

Download
memory/4636-1123-0x0000000002990000-0x0000000002D8F000-memory.dmp

Filesize
4.0MB

Download
memory/4636-1128-0x0000000002D90000-0x000000000367B000-memory.dmp

Filesize
8.9MB

Download
memory/4636-1129-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5192-1141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5192-890-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5308-913-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5308-1145-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5328-761-0x0000000000F70000-0x0000000000FAC000-memory.dmp

Filesize
240KB

Download
memory/5328-1088-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/5328-770-0x0000000007D20000-0x0000000007DB2000-memory.dmp

Filesize
584KB

Download
memory/5328-803-0x0000000007F40000-0x0000000007F50000-memory.dmp

Filesize
64KB

Download
memory/5328-821-0x0000000007EE0000-0x0000000007EEA000-memory.dmp

Filesize
40KB

Download
memory/5328-764-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/5328-1122-0x0000000007F40000-0x0000000007F50000-memory.dmp

Filesize
64KB

Download
memory/5328-1076-0x00000000088E0000-0x0000000008946000-memory.dmp

Filesize
408KB

Download
memory/5328-846-0x0000000008DC0000-0x00000000093D8000-memory.dmp

Filesize
6.1MB

Download
memory/5328-859-0x00000000081A0000-0x00000000081EC000-memory.dmp

Filesize
304KB

Download
memory/5328-857-0x0000000008020000-0x000000000805C000-memory.dmp

Filesize
240KB

Download
memory/5328-851-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

Filesize
72KB

Download
memory/5328-848-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/5456-755-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/5456-906-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/5456-762-0x0000000000E40000-0x00000000022F6000-memory.dmp

Filesize
20.7MB

Download
memory/5776-1075-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/5816-1142-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

Filesize
1024KB

Download
memory/5816-1143-0x0000000000A40000-0x0000000000A49000-memory.dmp

Filesize
36KB

Download
memory/6804-839-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/6804-759-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/6804-760-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/6804-756-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/7448-1127-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/7448-863-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/9028-1144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/9028-1149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download