Analysis

  • max time kernel
    31s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-12-2023 08:36

General

  • Target

    4224a95928d9161db16a1ac8e962cc19.exe

  • Size

    1.7MB

  • MD5

    4224a95928d9161db16a1ac8e962cc19

  • SHA1

    d26131abfb28e9ca7dab52936c3047477921bae4

  • SHA256

    78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3

  • SHA512

    2a8d95ef20e4819a321abd3b6e2e9e58e60715ec2bb0acad8b4c9136d607990bff14aa003741a944b5e3849d60965d24927369fc46b8d4e2116dfbeae9f4f204

  • SSDEEP

    49152:MsIRMV+gVosI2h0LMuaiNWv8cDJrnD+iCiaO:eKrIq3oNg8cDJrniWaO

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Detected potential entity reuse from brand paypal.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe
    "C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:260
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:4552
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4304714345733540530,193090130468500674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5376
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4304714345733540530,193090130468500674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
              6⤵
              PID:5288
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1368
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:4668
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10639202077873554371,10099516084876874217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5976
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10639202077873554371,10099516084876874217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
              6⤵
              PID:3720
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:472
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:3656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14039042327584197474,4014683843161892875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5916
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14039042327584197474,4014683843161892875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
              6⤵
              PID:4012
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:4548
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13012253398856202962,13884397092860204300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5296
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13012253398856202962,13884397092860204300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
              6⤵
              PID:3980
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3488
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:2960
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15700618732999281648,8849714292379122342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5304
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15700618732999281648,8849714292379122342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
              6⤵
              PID:5272
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3136
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:3016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8111816433291045021,7103328906360231167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5472
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8111816433291045021,7103328906360231167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
              6⤵
              PID:5156
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:1096
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9813241207518751847,3666483044513432041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5360
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9813241207518751847,3666483044513432041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
              6⤵
              PID:1496
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:424
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:5032
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15293954855552875799,17207888902582791255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:6128
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15293954855552875799,17207888902582791255,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
              6⤵
              PID:2120
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
            5⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4956
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
              6⤵
              PID:4016
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
              6⤵
              PID:4628
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:5384
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
              6⤵
              PID:5364
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              6⤵
              PID:6720
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
              6⤵
              PID:6712
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
              6⤵
              PID:7896
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
              6⤵
              PID:7888
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
              6⤵
              PID:6544
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
              6⤵
              PID:7564
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
              6⤵
              PID:7716
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
              6⤵
              PID:7796
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
              6⤵
              PID:5908
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
                                                                      6⤵
                                                                        PID:8132
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                                                                        6⤵
                                                                          PID:7980
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
                                                                          6⤵
                                                                            PID:7776
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
                                                                            6⤵
                                                                              PID:7664
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
                                                                              6⤵
                                                                                PID:6644
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
                                                                                6⤵
                                                                                  PID:1944
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
                                                                                  6⤵
                                                                                    PID:7460
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1
                                                                                    6⤵
                                                                                      PID:7468
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8
                                                                                      6⤵
                                                                                        PID:6552
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8
                                                                                        6⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        PID:2480
                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
                                                                                        6⤵
                                                                                          PID:6232
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
                                                                                          6⤵
                                                                                            PID:1944
                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
                                                                                          5⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:2012
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718
                                                                                            6⤵
                                                                                              PID:1256
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,11743381930618720387,10488798242232109620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
                                                                                              6⤵
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:5952
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,11743381930618720387,10488798242232109620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
                                                                                              6⤵
                                                                                                PID:6112
                                                                                          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
                                                                                            4⤵
                                                                                            • Modifies Windows Defender Real-time Protection settings
                                                                                            • Executes dropped EXE
                                                                                            • Windows security modification
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:5260
                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe
                                                                                          3⤵
                                                                                            PID:6836
                                                                                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe
                                                                                          2⤵
                                                                                            PID:5692
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 624
                                                                                              3⤵
                                                                                              • Program crash
                                                                                              PID:5680
                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                          1⤵
                                                                                            PID:7984
                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                            1⤵
                                                                                              PID:7628
                                                                                            • C:\Windows\System32\sihclient.exe
                                                                                              C:\Windows\System32\sihclient.exe /cv ekjEeOYNcUuPzCbep7QeOQ.0.2
                                                                                              1⤵
                                                                                                PID:6720
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5692 -ip 5692
                                                                                                1⤵
                                                                                                  PID:496
                                                                                                • C:\Users\Admin\AppData\Local\Temp\B2.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\B2.exe
                                                                                                  1⤵
                                                                                                    PID:6212
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\9FD1.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\9FD1.exe
                                                                                                    1⤵
                                                                                                      PID:7048
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
                                                                                                        2⤵
                                                                                                          PID:6724
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Broom.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\Broom.exe
                                                                                                            3⤵
                                                                                                              PID:5752
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
                                                                                                            2⤵
                                                                                                              PID:5476
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
                                                                                                              2⤵
                                                                                                                PID:6732
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
                                                                                                                2⤵
                                                                                                                  PID:5800
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-B53PG.tmp\tuc3.tmp
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-B53PG.tmp\tuc3.tmp" /SL5="$2028E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
                                                                                                                    3⤵
                                                                                                                      PID:7172
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        "C:\Windows\system32\schtasks.exe" /Query
                                                                                                                        4⤵
                                                                                                                          PID:1028
                                                                                                                        • C:\Program Files (x86)\xrecode3\xrecode3.exe
                                                                                                                          "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
                                                                                                                          4⤵
                                                                                                                            PID:2060
                                                                                                                          • C:\Program Files (x86)\xrecode3\xrecode3.exe
                                                                                                                            "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
                                                                                                                            4⤵
                                                                                                                              PID:4776
                                                                                                                            • C:\Windows\SysWOW64\net.exe
                                                                                                                              "C:\Windows\system32\net.exe" helpmsg 1
                                                                                                                              4⤵
                                                                                                                                PID:7988
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\latestX.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
                                                                                                                            2⤵
                                                                                                                              PID:7184
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\CEB2.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\CEB2.exe
                                                                                                                            1⤵
                                                                                                                              PID:5232
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\D8B6.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\D8B6.exe
                                                                                                                              1⤵
                                                                                                                                PID:4252
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E1CF.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E1CF.exe
                                                                                                                                1⤵
                                                                                                                                  PID:1836

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2eca2ab5-c57a-4833-b263-b991841e6fc4.tmp
  Filesize: 2KB
  MD5: 30aa2d91908b65c51f4140948a4cae26
  SHA1: 6c5d2b01e7cbe692bd5af7b8d936e8731c532e56
  SHA256: cf276102c29a58a268665078108bf9f1ca1de6e6118d5651ae0b8f3c5f8bbbb4
  SHA512: 9526914689c0d609c9bdbe4ed5a5e98b53f9c4fe5bf8ad92e76e44a34a6d2f13ab83229cdbff17d0547f39161a0b38761f7a55b008ae13b71210c69daa539c91

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6a74c2a5-b103-43f0-9ad6-9a5cbaf93fb6.tmp
  Filesize: 10KB
  MD5: 83c6dc7027b65ac81c07e35a5dd49fad
  SHA1: d596bb9a905c2a1e480f02a84d4d8bcd42669056
  SHA256: 0c040c3584aa47aec5ce2d9adebeff5a535458782bf84008eadcc88ecad6ba4c
  SHA512: d2c5932c271b2aa9233f3afa242e2b9ea264ab87620769734a9910099f025b0be78fa7a23791936250ce02dea3d410d09075f3808a70ad4ffbedabab054b6b3f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 5990c020b2d5158c9e2f12f42d296465
  SHA1: dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4

                                                                                                                                  SHA256

                                                                                                                                  2f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643

                                                                                                                                  SHA512

                                                                                                                                  9efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                  Filesize

                                                                                                                                  152B

                                                                                                                                  MD5

                                                                                                                                  208a234643c411e1b919e904ee20115e

                                                                                                                                  SHA1

                                                                                                                                  400b6e6860953f981bfe4716c345b797ed5b2b5b

                                                                                                                                  SHA256

                                                                                                                                  af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

                                                                                                                                  SHA512

                                                                                                                                  2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

                                                                                                                                  Filesize

                                                                                                                                  20KB

                                                                                                                                  MD5

                                                                                                                                  923a543cc619ea568f91b723d9fb1ef0

                                                                                                                                  SHA1

                                                                                                                                  6f4ade25559645c741d7327c6e16521e43d7e1f9

                                                                                                                                  SHA256

                                                                                                                                  bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

                                                                                                                                  SHA512

                                                                                                                                  a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

                                                                                                                                  Filesize

                                                                                                                                  21KB

                                                                                                                                  MD5

                                                                                                                                  7d75a9eb3b38b5dd04b8a7ce4f1b87cc

                                                                                                                                  SHA1

                                                                                                                                  68f598c84936c9720c5ffd6685294f5c94000dff

                                                                                                                                  SHA256

                                                                                                                                  6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

                                                                                                                                  SHA512

                                                                                                                                  cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

                                                                                                                                  Filesize

                                                                                                                                  190KB

                                                                                                                                  MD5

                                                                                                                                  d55250dc737ef207ba326220fff903d1

                                                                                                                                  SHA1

                                                                                                                                  cbdc4af13a2ca8219d5c0b13d2c091a4234347c6

                                                                                                                                  SHA256

                                                                                                                                  d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd

                                                                                                                                  SHA512

                                                                                                                                  13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

                                                                                                                                  Filesize

                                                                                                                                  33KB

                                                                                                                                  MD5

                                                                                                                                  909324d9c20060e3e73a7b5ff1f19dd8

                                                                                                                                  SHA1

                                                                                                                                  feea7790740db1e87419c8f5920859ea0234b76b

                                                                                                                                  SHA256

                                                                                                                                  dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278

                                                                                                                                  SHA512

                                                                                                                                  b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

                                                                                                                                  Filesize

                                                                                                                                  200KB

                                                                                                                                  MD5

                                                                                                                                  b3ba9decc3bb52ed5cca8158e05928a9

                                                                                                                                  SHA1

                                                                                                                                  19d045a3fbccbf788a29a4dba443d9ccf5a12fb0

                                                                                                                                  SHA256

                                                                                                                                  8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4

                                                                                                                                  SHA512

                                                                                                                                  86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                  Filesize

                                                                                                                                  3KB

                                                                                                                                  MD5

                                                                                                                                  8b638872f714db07768ddbc06e46afd1

                                                                                                                                  SHA1

                                                                                                                                  904dba19ee65f9902fea18a4e6934a6d2857927f

                                                                                                                                  SHA256

                                                                                                                                  eeb85819edacf1e9d9adcb2f85f44feac01abb32cf44e3a85f08c550a82a281f

                                                                                                                                  SHA512

                                                                                                                                  190b2cdc98d1f0f94a84a5a52f5cbefa40419a4ddd3aa84b535e5541753f4572be548e74b46002a77902b7a4dc26b6f63eb63d21a1d258e26cde01af100a13a2

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                  Filesize

                                                                                                                                  3KB

                                                                                                                                  MD5

                                                                                                                                  baa0f4b7c9e69de04ec712c956aacf8d

                                                                                                                                  SHA1

                                                                                                                                  a7380a657c0e818bbccfd71d634ac798ebe31116

                                                                                                                                  SHA256

                                                                                                                                  f280876e9a5325731da26ab8d199f4c40b9a5ab40586763189bf3280dad90eea

                                                                                                                                  SHA512

                                                                                                                                  1f63676a1ca47d63544d4b23767d1ada5321c7d7466ac5d8d93f0b8a0f259ffc427e1dca09aa2a46b60e7d7fbf4eee28f9d6e7fb49ddb2dee7671e462b72de37

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                  Filesize

                                                                                                                                  111B

                                                                                                                                  MD5

                                                                                                                                  285252a2f6327d41eab203dc2f402c67

                                                                                                                                  SHA1

                                                                                                                                  acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                                                                  SHA256

                                                                                                                                  5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                                                                  SHA512

                                                                                                                                  11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  MD5

                                                                                                                                  2371ef8758a70313d17174741adc4aef

                                                                                                                                  SHA1

                                                                                                                                  adb998d543f95a2b4ba57e94db7a2243e00da969

                                                                                                                                  SHA256

                                                                                                                                  1683de1df3aa2b1c6ab3d9bcd5e77bdaaab4e38f4c784c73e5a72674f93c824b

                                                                                                                                  SHA512

                                                                                                                                  9b5bd1b231d2f6f1cebf928530ff938e8a13f1f9aedc74484cf74a106140974f6652c32d407a728f299ad6c104a2042f026eb8d7ff0caa98edff55f7e9dea6e8

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                  Filesize

                                                                                                                                  5KB

                                                                                                                                  MD5

                                                                                                                                  eeea0f5b139eda900b56906bc5bebf82

                                                                                                                                  SHA1

                                                                                                                                  c219351634ef27b2873b90862936048783ad34a8

                                                                                                                                  SHA256

                                                                                                                                  aa18dd96703a1d1e876030d458b5ecc381ad793d36ce3091c45a5ae1cc3cf626

                                                                                                                                  SHA512

                                                                                                                                  88dc98ca6d127cecacbfa79b8e5d519d59d1a618f62042faa603d7a7eda7d4c47a9f16ec7618c0d55bb286f0f1c9371dd1d06388a0e63db3af8b0c10929bda99

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                  MD5

                                                                                                                                  a27da36c9a6c38be91dda757c89c2671

                                                                                                                                  SHA1

                                                                                                                                  537248cd0be35c3b1bf6a467bd9e0625b0c1e1d6

                                                                                                                                  SHA256

                                                                                                                                  2dc7dfa5010d94b0b0686b989d8bf53c0230566053d0f3e92b02a9a85adfe446

                                                                                                                                  SHA512

                                                                                                                                  d36e131d302c3781fc9938b5457c8feeff3f5503bc80f07fdd527f68aff41cff1ebd49f53523ed057e325bae603f6037377440b56cc49d96dc687f1622724a6a

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                                                                  Filesize

                                                                                                                                  24KB

                                                                                                                                  MD5

                                                                                                                                  5a6206a3489650bf4a9c3ce44a428126

                                                                                                                                  SHA1

                                                                                                                                  3137a909ef8b098687ec536c57caa1bacc77224b

                                                                                                                                  SHA256

                                                                                                                                  0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

                                                                                                                                  SHA512

                                                                                                                                  980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                  Filesize

                                                                                                                                  2KB

                                                                                                                                  MD5

                                                                                                                                  cccd14828348505e364ed80e73c56733

                                                                                                                                  SHA1

                                                                                                                                  e49628d1f15247ede0e029f8d23d46a69047e91f

                                                                                                                                  SHA256

                                                                                                                                  6af5e9517b8078c9c19812742156de0a686d43923ad19e84f00f418e71f2aef6

                                                                                                                                  SHA512

                                                                                                                                  33af3e558d5a7717ea2f5ce5a8437ed3e8c0953ad59429448836c4e98af04cd8976b8a793cbe8aedf9735cc3d1e8e990a6b037cde6c76541d813907c80296711

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                                                  Filesize

                                                                                                                                  3KB

                                                                                                                                  MD5

                                                                                                                                  a30fa1e961f152db953bf93336b2a1f1

                                                                                                                                  SHA1

                                                                                                                                  457b4bdb3000dab2178254e9e3db5c72088dec47

                                                                                                                                  SHA256

                                                                                                                                  d64ff85bcf01beb2461ef15e0c861e3d1fb6165f9ee63624d3b74a13ea245c53

                                                                                                                                  SHA512

  677e24aafb1cfb286a4ab70c31ef03c2eb1d4e4d43639d9515ce731a0e9ff828477d217131bcbf02ead4a22d97714a18536f06b501aedbfccd479f4cf39cd2fb

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 3KB
  MD5:      961bebe211d9cee80afe7131128a5c8c
  SHA1:     26acee3e505f34b28b905a1bf05ae1edd5b9d48a
  SHA256:   bd98e7f59f1e2490a672337b1a612ec8300e6fedc06f457658ead21009f0d0cd
  SHA512:   bbdfb8e38c5a30c6873d39ebff127ba9ee9d5cf496d39e9db60b4827c3106b36a4d3ef56464d759c377ed61a52bb9345bd38aef6f98440213bb044d020f403ab

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 2KB
  MD5:      0bc276513dedbdb78399ae4e20767db5
  SHA1:     9ca1c456c4d7269debd7c1988fd2b8acb9dde0cc
  SHA256:   1051f13f4a28468448a5d06fb417af339d977b8c893f997e911552086e135f43
  SHA512:   edf7d3fca947e878e476eb2c72a9944c0603363eef522c864797aaa6d1e73674866244fce9ca69fc96b3e1a702190fea634e20190bc77bd0c1d2fea1189399e2

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 3KB
  MD5:      5d3d07317a5515c4c3810c107a7c48fb
  SHA1:     c352e5957b45604f0a433fd71f838422ca92d313
  SHA256:   5b2c6056e98ad2d96ae8b4fe3285cd0175d77bc235ae9a854b7f636a5c321921
  SHA512:   2a00f4772e55dd232e77a792ebce2df9d078b85181bbc5f4ffe3b2343f50d2475f8dae28c2496e902a5e8645dd26501054960e6c90aca25af30c214a499bc441

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 3KB
  MD5:      a9e0278e3c5d331bb32ec7b3a94f299f
  SHA1:     6269234691537e4031f98d8c69f9362a46305096
  SHA256:   fc9179e6cd97d45732559b81eb1d07d694dc9f2d72cea8f1435fa99a61b87681
  SHA512:   8c97a748316957f36b68e76b877d97f4254d47473f3e31f416f178cd40c86e1a4aab04fa2bcbf447f0bed58d81916d46d599c9bcf53a0070eba021d8ef12aa82

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c03e.TMP
  Filesize: 1KB
  MD5:      b92932a80ffc79af19e6ea99c9daacf0
  SHA1:     6fdffde8307fb00be7249053a55830e04d8c4ff5
  SHA256:   2aaa797ee2ce9d3ab1e6f6b939b4a2ca095a50ffe897b19f3ce3eed79c6798f1
  SHA512:   9de98dcacb1bffafee26691f4d1f0e251156cb58ced1613966c0c97196ad678592900718e9bfa7dfb94ba02e7920347c1d577b6977e93c5f0c95ad2163df142e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:      6752a1d65b201c13b62ea44016eb221f
  SHA1:     58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256:   0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512:   9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5:      5cb2acb83ee7d997fcdd5fe2b8d36b6f
  SHA1:     ca16513a5db8cbb33ea2b3110e4e05afba04d067
  SHA256:   c57d77c3b8e987f37c934bfb759f0c2fafe2797be76c1c24bd4e77b0173649d0
  SHA512:   d0b5169eb03a54e047137437319e1dc0ee0af95e7a1b3da416a5d6ade1149a518b8ad1dc7f3224125a81621699cf34da80160b9239c3a776ecf3db7d380c6a13

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5:      c6327441806d94278e67bd7ab356e3c5
  SHA1:     b012c26a11916d640325dbd6d4b79123817ff221
  SHA256:   815d39448873cb0679b88c83d03f11a92849c4839d7f2950bdd36a50c7f68c44
  SHA512:   838daff10033e20fbadc93ed89c753afe4fa91c8330c6d088a296b5a53daddc85ac994ee1d1709afe35bccebf9ecfec9fd280909ed35d1362a11b259a75d03fa

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5:      5ef0fee9354643d7ee3bbf2c3f15b8e1
  SHA1:     77dd77ba1c39952d86b32a3a75246711d200f8a5
  SHA256:   815f0762bff3169cea21a5f0f936cc0d558285dc5683f516001c25d2be1db120
  SHA512:   8ad461181c1185319d027c1904cede87bf58623b301b3839478d5a27deae8853347f87652f0687c276a0de9d289734e1e3a73403fac4aa1ec985ae8d1473b66c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5:      d43ff3010732f076a3fbba9d59363aea
  SHA1:     4a527ccf05ba863dda2b99924920d2d6b5aa2513
  SHA256:   4f5b60a0da509a7f08c11a9b66a82b6239b39fd6aec13c051347042d0527f1a6
  SHA512:   876d9d9e42b3a4fa92b98bb4a90ba9d090ca09a0e6d2910b6356ed75f17ceba907a889e9f03730d0602bceb79a63266d2e75bec9e4d0c8a63c4f56bea0e3657c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5:      3329648f304f79d2844be11b7feac651
  SHA1:     b125e8e85c28649be3f8b9678b84771f3f4506c6
  SHA256:   12a4bd47f967aabf3eb0b74d7b3ed92a88cc4c350a7a31933df5b13e989e4701
  SHA512:   d33f523abcc8454404cddffd7135ab1bd3c9e60253bc18e8de4405367d9bb042d3cb8feb7fd63a103152efc81771c9b41bf13e03406f49989467062ccb6dea92

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 2KB
  MD5:      ff64937147b31861e0e0bd4a51abc139
  SHA1:     087d623ce65e970c72cec33897a2551795c19b1c
  SHA256:   95353d282fd2162e62a5724ace582f9b68916a40e250e86b91c2c5c32b2a4fcb
  SHA512:   3962ecf9b26c8df09ccdb8b95f4478b5cfb7992dfb33990e4839f37655b325389c6f41ee907fe46f768a78a91f0e34674d4baab9597cb30d9e15bfd1520f88b3

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c042c64b-c2c2-45a8-8c36-13ff69d3d1d7.tmp
  Filesize: 2KB
  MD5:      441789f7209423f0c994c0642a7ebef0
  SHA1:     6567a6e260ea8314c7333f3e879b81aa4b23be43
  SHA256:   9baac845b228f2c2c85572e13454f8bd0b04f0f3b79dd4dd2958fec404499dc1
  SHA512:   9ce464756593142a01c52b671b1c50d325e3efe25a206faf17c7e2b4bb17fc96f5c669f5d713a2b524f2f3345dd4e75dd734bf9cadc4fe1c4a674ada463ce8d1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f595aee7-341f-4151-b7f5-56f41afefbcb.tmp
  Filesize: 2KB
  MD5:      a940005575a7ff24b41a8b3b51f715d9
  SHA1:     93e4930b96f0d83e0b10a56ac8acd0329f52dde7
  SHA256:   02dc2b8c1849e70f4433abacd74588eb1677b3fa5ae6c7638d1499e06e0e2c1f
  SHA512:   cbb7cf798db1ad76c1bb8fb81b2d1137a945788fe2a002d01899269931ae0dd5bbced4f36b8e92b4c0b620c765b2a8c5afe9f640c97b0b8708981293c20b7971

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f67005ca-f7ce-45da-b64d-73c976b43885.tmp
  Filesize: 2KB
  MD5:      2aec3a966d1a6824643188cd152ebbdb
  SHA1:     5956cc67d5d19365f984fe25fc2f77e12318c7c1
  SHA256:   0afc9e1df902aa7fa1d2ecfa4858fcfaa1dcdd4020e51c4c2d760f538efab83b
  SHA512:   66f3ed438924a8df44cf52443eba0bae76275aef994a007a242d2d078f699127df0eb40c92efb6d33b6551b88b3d47e51b2298601438c80395843b76a7cc2330

• C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  Filesize: 1.6MB
  MD5:      d81bf3932ef63c6c2cf0bf72b451db44
  SHA1:     9ef97783720d002fddd2f9ceed60072c7c2e6ca8
  SHA256:   a6b23f638c99c75baddd47066eba60ac63e4ad468c4dad9f26a0d0fbc72f7cf8
  SHA512:   d6e2f3820cda5a11a7b3fb15af277f76047e9db2ce84c41f793ca913e4a3f2b0622899d101abf43156164b091c43f9ec4ef207acf8682cb807564d7c10f7dbae

• C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
  Filesize: 758KB
  MD5:      926ac8da1dbca4e291dddba0786293d4
  SHA1:     4c303a457f54ca87d0ff9431f1fbbbb6e73aa6e8
  SHA256:   e90b83cfdc6e845e22893ed218c0804fff357dcd89f1212b488e3f4925c99885
  SHA512:   ab09b01a13ddd61898849cd89464d3c0491f10a5b5b535a1332470d1c1b53e4ea15aa4603b9225d7102846b4e33c7a843cfbaba0e4d96dd3e3cb073bdfd609a7

• C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
  Filesize: 634KB
  MD5:      b3532cf677a8ca4e9431179cec9ae5c5
  SHA1:     1877efbf018f4cc0cdaa64fd60572149572a2b23
  SHA256:   3a521694c5fed5a14f991b108d1b53a9137fc1e592e7a5630bfc9f7a06db3f4f
  SHA512:   4833f83004bc4d759bdf64a1022e535a09da61767bf5a3225f7f754a8f058efd0713b47933a0664ede6a3b9fa27b05f3c7f9fb6f99f15995d490400fdeb74927

• C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
  Filesize: 898KB
  MD5:      44bd4ee1fe1417a751e520623210f59f
  SHA1:     be95a12db5450a83da5d50b3e438f3593dad81e6
  SHA256:   371ad66bfdf5131de720e466af5b4bfb1139397ee70169305a1cf801622aaed4
  SHA512:   a7c34447b38e753a5a809638430eecf310a6385ee5b6fb7cd9b80588c490b9df6189275aeb33ece6cb8f927e874e93306dbb2b4ebfc976a7a281c9547c781ec8

• C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
  Filesize: 182KB
  MD5:      e2e2c57c90cb9f1f99da286756a0c7cb
  SHA1:     923c1cb68b19eab296e4f30c8d85c05cfea25b88
  SHA256:   b9a471a4a0df02ad0831f265adbbfc123a72d27fd16971e8c2c81cc6d850b171

                                                                                                                                  SHA512

                                                                                                                                  2d1a58a46d940e76e9b0752a46ea34262caadf4c50dc5c2afb48c1550215ccc9d00ec01a07bd9c92f3b3a8fb8c99c41e3da83829168318e8249d1e017d4548f4

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                                                                                                                  Filesize

                                                                                                                                  2.1MB

                                                                                                                                  MD5

                                                                                                                                  7e23085391ec6f769f81d55520496c46

                                                                                                                                  SHA1

                                                                                                                                  cb2545c01d9bf54f30ee9636dded12387ee6bbe4

                                                                                                                                  SHA256

                                                                                                                                  3f50e08ded7a0974dafffd81ce0352fe15c372c864f4737d686af4c4e87ad964

                                                                                                                                  SHA512

                                                                                                                                  31b183f5bd6e13acfb9926ce788fdbab30a7d488aef9b5a16053d43daf1c68dbd8e213f07ad5352214f230a9e36186221fae4ccd2039f5000e65c4c5941eeded

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\latestX.exe

                                                                                                                                  Filesize

                                                                                                                                  640KB

                                                                                                                                  MD5

                                                                                                                                  a1c4a4980ebfdc7e721ffaed87900dc5

                                                                                                                                  SHA1

                                                                                                                                  16a46aafc07c511af8b6da8973d2b78292de4378

                                                                                                                                  SHA256

                                                                                                                                  d5f1484ac14dfce241ffee57cc478f1fba084ebe7d43dbdb83371482551a58b9

                                                                                                                                  SHA512

                                                                                                                                  913d6122f1181419a68d5a2a35e7f4bb5a897ee41686ebe70b039e5b83e45ba239ccc1bffa3896edbb1757daca520f57a19a1ab7ff148dee605cdb0bfbe842fd

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                  MD5

                                                                                                                                  5dd44d0509871eec95c758d40f525d79

                                                                                                                                  SHA1

                                                                                                                                  73d493c6884b96f179180e5850d6334a7814c930

                                                                                                                                  SHA256

                                                                                                                                  fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282

                                                                                                                                  SHA512

                                                                                                                                  ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                                                                                                                  Filesize

                                                                                                                                  1.4MB

                                                                                                                                  MD5

                                                                                                                                  1ac6f91f68a718573bc6e310e5267f9c

                                                                                                                                  SHA1

                                                                                                                                  a30f1f046da88ec78fcab903e37f0b8520625d5d

                                                                                                                                  SHA256

                                                                                                                                  4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a

                                                                                                                                  SHA512

                                                                                                                                  023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381

                                                                                                                                • memory/2060-1201-0x0000000000400000-0x0000000000785000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  3.5MB

                                                                                                                                • memory/2060-1200-0x0000000000400000-0x0000000000785000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  3.5MB

                                                                                                                                • memory/2060-1206-0x0000000000400000-0x0000000000785000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  3.5MB

                                                                                                                                • memory/3408-660-0x0000000002720000-0x0000000002736000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  88KB

                                                                                                                                • memory/4252-1208-0x00000000749D0000-0x0000000075180000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/4252-1209-0x0000000000990000-0x00000000009CC000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  240KB

                                                                                                                                • memory/4776-1210-0x0000000000400000-0x0000000000785000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  3.5MB

                                                                                                                                • memory/5232-1205-0x0000000004E70000-0x0000000004E80000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/5232-1207-0x0000000005020000-0x000000000502A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  40KB

                                                                                                                                • memory/5232-1199-0x0000000005210000-0x00000000052AC000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  624KB

                                                                                                                                • memory/5232-1183-0x00000000749D0000-0x0000000075180000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/5232-1187-0x0000000005070000-0x0000000005102000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  584KB

                                                                                                                                • memory/5232-1173-0x0000000000210000-0x0000000000704000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.0MB

                                                                                                                                • memory/5260-400-0x0000000002540000-0x000000000255A000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  104KB

                                                                                                                                • memory/5260-367-0x0000000004AF0000-0x0000000004B00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/5260-365-0x0000000004AF0000-0x0000000004B00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/5260-596-0x0000000074200000-0x00000000749B0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/5260-174-0x0000000074200000-0x00000000749B0000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/5260-394-0x0000000004B00000-0x00000000050A4000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.6MB

                                                                                                                                • memory/5260-368-0x0000000004AF0000-0x0000000004B00000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/5260-366-0x0000000002460000-0x000000000247C000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  112KB

                                                                                                                                • memory/5692-701-0x0000000002690000-0x0000000002825000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.6MB

                                                                                                                                • memory/5692-666-0x00000000025B0000-0x000000000268B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  876KB

                                                                                                                                • memory/5692-667-0x0000000002690000-0x0000000002825000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  1.6MB

                                                                                                                                • memory/5692-668-0x0000000000400000-0x0000000000919000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  5.1MB

                                                                                                                                • memory/5752-1023-0x0000000000B10000-0x0000000000B11000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/5800-1034-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  80KB

                                                                                                                                • memory/6836-600-0x0000000000400000-0x000000000040B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  44KB

                                                                                                                                • memory/6836-662-0x0000000000400000-0x000000000040B000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  44KB

                                                                                                                                • memory/7048-999-0x0000000000470000-0x0000000001926000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  20.7MB

                                                                                                                                • memory/7048-998-0x0000000074A60000-0x0000000075210000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/7048-1058-0x0000000074A60000-0x0000000075210000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  7.7MB

                                                                                                                                • memory/7172-1057-0x0000000000540000-0x0000000000541000-memory.dmp

                                                                                                                                  Filesize

                                                                                                                                  4KB