9d5a3aba415f4bbdf2490d85a206125ab9ff69b1d0898e852dae701d02138815

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A83314F138B4AA615B9E4EFD98A82099.exe
Size

1.3MB
MD5

a83314f138b4aa615b9e4efd98a82099
SHA1

339aaf65de0c9eed077d8e2e7da49e1c561bf3c4
SHA256

9d5a3aba415f4bbdf2490d85a206125ab9ff69b1d0898e852dae701d02138815
SHA512

cff32841a5a2536cc53a755de64a19619a7fdd23148363e34b46c606a596fd5fe6af66b9f357373466f46e9ca9c327febf015f698fe6b5b0c423ccb48a947950
SSDEEP

24576:0yQrlJ7nU9WlIOb51yBY4S0GkkoFk03+5menPyPvFLLx2K:DClRnjBbLyBYih4j7nPyP9LF

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	4Ru373mc.exe

Executes dropped EXE 4 IoCs

pid	Process
4532	ra4zw91.exe
3448	ZK3vC44.exe
3596	1ft22xw3.exe
3788	4Ru373mc.exe

Loads dropped DLL 1 IoCs

pid	Process
3788	4Ru373mc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4Ru373mc.exe
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4Ru373mc.exe
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4Ru373mc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	A83314F138B4AA615B9E4EFD98A82099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ra4zw91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZK3vC44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	4Ru373mc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
188	ipinfo.io
190	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002321c-20.dat	autoit_exe
behavioral2/files/0x000700000002321c-19.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
7544	schtasks.exe
7428	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983843758-932321429-1636175382-1000\{40234182-5B91-4D73-B729-379C1F748947}	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5924	msedge.exe
5924	msedge.exe
5972	msedge.exe
5972	msedge.exe
5876	msedge.exe
5876	msedge.exe
6008	msedge.exe
6008	msedge.exe
6024	msedge.exe
6024	msedge.exe
6228	msedge.exe
6228	msedge.exe
3620	msedge.exe
3620	msedge.exe
1276	msedge.exe
1276	msedge.exe
3648	msedge.exe
3648	msedge.exe
8104	identity_helper.exe
8104	identity_helper.exe
6380	msedge.exe
6380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	4Ru373mc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3596	1ft22xw3.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4532	2004	A83314F138B4AA615B9E4EFD98A82099.exe	40
PID 2004 wrote to memory of 4532	2004	A83314F138B4AA615B9E4EFD98A82099.exe	40
PID 2004 wrote to memory of 4532	2004	A83314F138B4AA615B9E4EFD98A82099.exe	40
PID 4532 wrote to memory of 3448	4532	ra4zw91.exe	42
PID 4532 wrote to memory of 3448	4532	ra4zw91.exe	42
PID 4532 wrote to memory of 3448	4532	ra4zw91.exe	42
PID 3448 wrote to memory of 3596	3448	ZK3vC44.exe	41
PID 3448 wrote to memory of 3596	3448	ZK3vC44.exe	41
PID 3448 wrote to memory of 3596	3448	ZK3vC44.exe	41
PID 3596 wrote to memory of 4000	3596	1ft22xw3.exe	57
PID 3596 wrote to memory of 4000	3596	1ft22xw3.exe	57
PID 3596 wrote to memory of 1136	3596	1ft22xw3.exe	64
PID 3596 wrote to memory of 1136	3596	1ft22xw3.exe	64
PID 3596 wrote to memory of 3620	3596	1ft22xw3.exe	59
PID 3596 wrote to memory of 3620	3596	1ft22xw3.exe	59
PID 3596 wrote to memory of 3676	3596	1ft22xw3.exe	60
PID 3596 wrote to memory of 3676	3596	1ft22xw3.exe	60
PID 3596 wrote to memory of 552	3596	1ft22xw3.exe	63
PID 3596 wrote to memory of 552	3596	1ft22xw3.exe	63
PID 3596 wrote to memory of 2420	3596	1ft22xw3.exe	61
PID 3596 wrote to memory of 2420	3596	1ft22xw3.exe	61
PID 3596 wrote to memory of 3432	3596	1ft22xw3.exe	62
PID 3596 wrote to memory of 3432	3596	1ft22xw3.exe	62
PID 3596 wrote to memory of 2964	3596	1ft22xw3.exe	102
PID 3596 wrote to memory of 2964	3596	1ft22xw3.exe	102
PID 3596 wrote to memory of 964	3596	1ft22xw3.exe	103
PID 3596 wrote to memory of 964	3596	1ft22xw3.exe	103
PID 3432 wrote to memory of 2588	3432	msedge.exe	112
PID 3432 wrote to memory of 2588	3432	msedge.exe	112
PID 1136 wrote to memory of 1784	1136	msedge.exe	111
PID 1136 wrote to memory of 1784	1136	msedge.exe	111
PID 2420 wrote to memory of 468	2420	msedge.exe	107
PID 2420 wrote to memory of 468	2420	msedge.exe	107
PID 552 wrote to memory of 2332	552	msedge.exe	106
PID 552 wrote to memory of 2332	552	msedge.exe	106
PID 2964 wrote to memory of 568	2964	msedge.exe	105
PID 2964 wrote to memory of 568	2964	msedge.exe	105
PID 3620 wrote to memory of 1584	3620	msedge.exe	109
PID 3620 wrote to memory of 1584	3620	msedge.exe	109
PID 3676 wrote to memory of 2380	3676	msedge.exe	108
PID 3676 wrote to memory of 2380	3676	msedge.exe	108
PID 4000 wrote to memory of 320	4000	msedge.exe	110
PID 4000 wrote to memory of 320	4000	msedge.exe	110
PID 964 wrote to memory of 3460	964	msedge.exe	104
PID 964 wrote to memory of 3460	964	msedge.exe	104
PID 3448 wrote to memory of 3788	3448	ZK3vC44.exe	114
PID 3448 wrote to memory of 3788	3448	ZK3vC44.exe	114
PID 3448 wrote to memory of 3788	3448	ZK3vC44.exe	114
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116
PID 3620 wrote to memory of 5860	3620	msedge.exe	116

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4Ru373mc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4Ru373mc.exe

C:\Users\Admin\AppData\Local\Temp\A83314F138B4AA615B9E4EFD98A82099.exe
"C:\Users\Admin\AppData\Local\Temp\A83314F138B4AA615B9E4EFD98A82099.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra4zw91.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra4zw91.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZK3vC44.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZK3vC44.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ru373mc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ru373mc.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Accesses Microsoft Outlook profiles
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:6072
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:7544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:7932
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:7428

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ft22xw3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ft22xw3.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12099895918027961701,9640527612498991794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12099895918027961701,9640527612498991794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
    3⤵
    PID:5860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:6500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:6248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
    3⤵
    PID:7012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:6984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
    3⤵
    PID:7400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
    3⤵
    PID:7392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:7708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:7732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
    3⤵
    PID:7984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
    3⤵
    PID:8072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
    3⤵
    PID:8164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
    3⤵
    PID:7196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
    3⤵
    PID:6072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
    3⤵
    PID:7900
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8104
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
    3⤵
    PID:7068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7640 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:6380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7628 /prefetch:8
    3⤵
    PID:6584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
    3⤵
    PID:6872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
    3⤵
    PID:5568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,9545558467472823132,5875839762462584440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
    3⤵
    PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9177243749828319354,12372125278445748631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9177243749828319354,12372125278445748631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2145292102666910302,18292106077087401205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:6976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2145292102666910302,18292106077087401205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9966891026383000164,15879168619337659284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9966891026383000164,15879168619337659284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:6216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:2332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,986948179322770598,10051376122437130794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,986948179322770598,10051376122437130794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:1784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6341157696634698762,3747918119386454244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    PID:6392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6341157696634698762,3747918119386454244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:6384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x13c,0x170,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12720721084269525022,4192428173806012242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12720721084269525022,4192428173806012242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffad89f46f8,0x7ffad89f4708,0x7ffad89f4718
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15040342293028862675,646781732039323325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15040342293028862675,646781732039323325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:7932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4fec7d64-4c96-4881-9723-05b27ae4970c.tmp

Filesize
2KB

MD5
3fa6feb8b319ec56a25c8eb4076d4e9a

SHA1
fd315d2e4e0c5683f8c1f2876734741aafd42bc5

SHA256
dec1caeee6d58b5069565163f110a379253e05aafb2d93189c724a1a9e1a8f39

SHA512
5b2720d98e6763b8dbb142f5e3d536c3b55afa38632f020d603a1898cd81ee759159b35a257a10245d6cad75d1b00ccf33f4dfd7be54d71382f0b91619933efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\64281797-760b-446f-99b1-083ba9e3025f.tmp

Filesize
2KB

MD5
cf53a948b67ab1f6beb21d5d4e141382

SHA1
a668c8962c4424d1d933fb2f34e9e172850c848d

SHA256
87ee76796248d3cc2ab3c7a8ad21f44d17f70ceb53be50cdd92bd03790d4116e

SHA512
80cce9dbabb496530a6c00e1f4a9550bed37d87e0ae711dc442c46c3f1f1e1491d449dea59f208b67f474eb47164cb6b00f4b012d5f2272b588a4227f47b062f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
576c26ee6b9afa995256adb0bf1921c9

SHA1
5409d75623f25059fe79a8e86139c854c834c6a0

SHA256
188d83fc73f8001fc0eac076d6859074000c57e1e33a65c83c73b4dab185f81e

SHA512
b9dbadb0f522eedb2bf28385f3ff41476caeedc048bc02988356b336e5cf526394a04b3bca5b3397af5dde4482e2851c18eca8aeaaf417a7536e7ea7718f9043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

Filesize
201KB

MD5
e3038f6bc551682771347013cf7e4e4f

SHA1
f4593aba87d0a96d6f91f0e59464d7d4c74ed77e

SHA256
6a55e169bc14e97dfcd7352b9bc4b834da37dd1e561282d8f2cc1dbf9964d29a

SHA512
4bee876cea29ad19e6c41d57b3b7228f05f33f422e007dc1a8288fd1a207deb882c2789422e255a76c5bf21544f475689e7192b9a8a80dc2e87c94ee0bc6d75f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
20bd147dd3c0b274ccf727e0394ecad8

SHA1
2446a30a7eaa5fd98be4ccdf50158806205db3a8

SHA256
851828f786207ddb0ce3f828c611aa94b52d7a40dab7a9dc757d45ea0c6eb6ce

SHA512
a2186e91d3d1823e175550d840832ab6743cd6154941f9f479e3c30c2c604c5b8d9c844be7ecdd4378f34363185c9bad282a3cf28d5aa5c2c16edc4ce9ca8634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6409a9ed3b1bf5c02478f421fe86d504

SHA1
2d25a20052f12d78a466eef1b26e805206f26135

SHA256
be25d19c9e1223154bfd4b6eb22b604228e2aa02f2af946d846330948e256911

SHA512
f9bb536c6a82787ffcdf7fd23fe6e94e90aecdec492cd78a75f487381aac60ef156bc233e3ad5d12148d2d85a97932f65ff76013dc911100506d9db11852846e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e14ea37aaa0be3a44950b65a154bfa3a

SHA1
95ea8f772a8e5c35fc06d001d78b5600d12fac0a

SHA256
ccc06ef2581dec196205fad5eb08df364d80fddeae7d32a539cce117546314d2

SHA512
1d8260cf1a2fe13cc72ff9e2fda2f8cb88a65ceb8c16365128814ba6608b00b88f983f3f312c46fded8e88c10ea6cacea62653751190ac8fbbc7a175b4b0240f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f4babd83ae996cdeb9339421288ef530

SHA1
f2b3e3b687c3215cfb90eda1fede2f53d6dc6e4f

SHA256
7e07332fe3e7a04a45cad86cbeaf4710259da2311ad9ca77799cb6eb4a22dbd1

SHA512
9ac88801c7ec1e72f310e24aa1f4afbf81aac3bc82c621d7bb5c77d839d75a846a325cd81c3213efce40778e51bdb5ebe310702b6a36b44a739f17feda116790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
8877a850bcb18f6402d1cbbe2b39ec94

SHA1
a9e580b7fa3f419775fd289ad4d2cd0f20b3811c

SHA256
c18637e3be99bbc030e54129af270916985e381c2c7df6b4c0773aafc6fde2db

SHA512
c827bb87ad469d3c33b3c46c9feb26728babf7f1c53569c333283ca22a6f1108665a44268fe70ccd669f3948125d37ae76cf8f5e97943033166560c41b80b71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
49d4981def4756132b4ded766fbc2caf

SHA1
dc33d9cf1d1ee0c206a96b2f0b70bad1791eaa77

SHA256
8404889baec785fb2039512ed6f663649732a42bd369f19ab5d3d53d152fbdbe

SHA512
c139ae4e51fc8717c9d870db9364f5051231e3bb8b7d474cb14495127a07f50f627b853b50f24399fce5e9b99b71fe2004a0acefa0bed483131bfe3017e514b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1451ead1ec2c39c8bc3adf67db52d209

SHA1
034a881107365a4b32f27c47e0a022daf5b91f07

SHA256
d170a75b4403f56225f7714f9101fc2612370573bcae53d312d49d66f0f343fe

SHA512
07aa0245eca3ef3164ffaac4e52732f70bd9a456e11f4285219b3e21a30f5b75c588a4b2f6aaf184c21e72abdc94bc3a31c8275eb663358467c0db4dc83911a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
02a0ec7c204a980c83ce25aac5617178

SHA1
cc27a4f248db8944cffcda6e7df837b323d9929a

SHA256
ba8eee4755e073039f93bba77e93d78e6096d4da1e6757ca9d0e987fcd092b02

SHA512
bf5437d745fbf8a569fde84a9460648c56de1edc914dcc08a4a69c4ddb573df49d8b3ce2cb35f9644e056dd7a60e19f0272e250bc31ba25618649dc003295ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59a697.TMP

Filesize
48B

MD5
6c1b16e59acc9ddbb80e0006bfe03e40

SHA1
f3ab63eea842f310f174e9d5e7eaa94c7e3e39d6

SHA256
c604e291281d3edb307536e63357015d9d79fef68f663a4d52824d90847927a9

SHA512
2e17c87dfd8e0f1a7fbadc222442a99e78e23e194c4d3760394f86c3ee74a2383d8ca27764813a673103804b3310e30c26a46f5a802184896546d7e522c1e255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a30c4623a36865a928f9fe76f9cf6491

SHA1
85be321f5562f4354194f81a97c50b09d545a070

SHA256
a7a8556fefab71619c168432545117d68a76bbcebd72c1e61060f0d7f8539dd5

SHA512
43f02fba798533182c3c652e87dd8c77c20547667c42136671c5e572ab536335e6f181ef2112248065059fc04f928ab90abf05fc8511bd57c6ebb9986d364c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2b073bc2883ffd4736dd7b9a62e3c9a

SHA1
3437e11d66e8fea5ce442d1941c74cb84110cb1b

SHA256
ab57c5bab048aa66c6ce29701cbd280a6aa6066320bf3b616f38625614d75d4c

SHA512
0c4f844022070dfe04ba7c1c6dfc5b2952e77bd7f9a61568b904d0a3c31c3207539d15ac74918a3f547beea15db47d37535e8f962924053d5640d5f31a5e63e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ef454c098e74afc6fa9e2a5fbdda3738

SHA1
39d1a7c176b92be3bfe77986aec77c6c6f41d311

SHA256
da01cd5e86ccb50cc78848fc65b66073b99c873d4b0cc46f915385a3d0ce8e97

SHA512
0d58efc951910363d0ce022f23337f05e791fef00d98bf6205ec5c88752a27632bfb1273758cc2c5f1e9abe2a1bfbd212d173257a0344a00e564b4c83c95f9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3c5ea0f05978e727967b5185c5daee76

SHA1
6019b6d447ee6f21ef585a1ae88f9279eb66ea96

SHA256
6df7900d622cff979ddec5ee7f55f9ab8a4c44291dedca39d241e846c4d6d3f0

SHA512
9d52bfebbb0cb18d88097e2e7bd03cc7bbcf95feafcfd931276f0087d191e43b36cb7e53ec9b5c6e5a9b7914133863b097b72e55e3c393bb75ec0a898f2ff0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f279.TMP

Filesize
1KB

MD5
5ce81316b5e565b8e79c8f53a96d4c73

SHA1
a5d4bf9caf658dc5fd6bcf21dc877f98c9b91cba

SHA256
9a4f60ebab6d13ac501477ad12973819ce189a30bd26029390f88c92260bf4bb

SHA512
0260d2a2f3fb39e277b58608dc4c5b195a26e829c552c7b8736bf7d1e01e1c9c123a561c49c1b3ac89709d4d7a44b69d3303d06d754705b2dbd43a750f69ba8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b3942b0bec00697c9ca76f18bb1240a2

SHA1
53ada72bd0880d3718168aa977892bfa504347ac

SHA256
c8998160716b9251f1c16d953975075be0241e5eb992c53bcfc3306b1f45d68a

SHA512
bc6f420dc772c771ed2bc2075dbf3a74df389a03df17be0868437a6da5e00760cd184d1d52e8a0107336a21c98793020a87735ccf698908cf762977438b11e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
31fdfaf13e77719a7b45dd82323b507b

SHA1
567a275329912fd85a4c785954bfd1b73d22f119

SHA256
4fed96247c7062959fa2f76f0a1dbc483526d15e820d00b00a4ab3918aa7c6dc

SHA512
b6c662bc3f36bd535923f5177724d8f32f113ef1a44bef2b004942d9c221883a1bd989ec0f383ac26bfa75325c2e54af5146dd13951b1dd1e73dbd26311b398f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a8bfa581304b35f67a4b223338e085b5

SHA1
a99559e4bf0351a44179bba8acdac58581c936a6

SHA256
05edb3536ae7d29f5c960061d410b36ab0f6e0681da314021b7dc38bf5156fa0

SHA512
744d6423e46a0b203ae92c02b9cef462e77a025f15aa406249eadc0a7fdd357ca3c47f39c0ed25d937a50b364345526ca03ca5c42bbadabe22d3a907dbfef128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
b6f1f7a0e8a27720757aa99adacb0aab

SHA1
351ae6d6271302d5c45237c1969e0e7dea386b09

SHA256
90bfab24edd18e36b256bbc648fbc06b3c1c18596b98d2951506b4adfde36654

SHA512
8fcd315e348702635c0be1442f0277252ea29d61e49443627583fe824c0b54b73fc078ecb6ec14e494d3c56da26de254e13d38564537fd62ab2b36d156a584c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
c5e20c355889fe0e2188756a6b4e4375

SHA1
9b62b1d4384d08d6573b5b8d1e90574d0315f849

SHA256
77bb997dde313bc5da5b3fc22e100e19c178e1913eb9690898bee55e2a9c30bc

SHA512
556747f9896eb1841d0f4bf7f2fd2b50de486c42ee4c557fe7f1a290e6f5e45901a473501ab564b91863f20961bfea0b188760042ff08dffc37785941ed24328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e079b9514a3e4ea5b6910e11a625479a

SHA1
de71e5a947437363f2e207dbb8f853ec51c754e8

SHA256
b62fe41bafc4157113127660e2ff7d92e32da33b4c39a22a18f5fc017905cbb6

SHA512
471979dcf76c31c5e14ba263308f405cd15d5dd553d34e7be2411c8dbb05a61ce45624f633327b8f18841ce562109bab738ea99d07f61547f0c625a67d492ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0788cb0c4ee5f5bdabdb5b90d0cd7aac

SHA1
f4919efc0f7b4cdcaf511a7e1effb546b9cd90ca

SHA256
3a70ec0e0691c39d242e6fd0043bf91865d90e8fffe07cf51aa7a9499c715c3c

SHA512
ebdb430a44e147c444f1d3d63a802dc35e22f6e676b207867e6ed568fe47714ba68974bc58bb6718b62050a396aa9421244c1b74d9660c8fb390673b2653fc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
e1e0cea01cd95c93de71f78d34fa6c0f

SHA1
f0bef58d7ecde59941da5fc5fcb2e000047b9aef

SHA256
8184f9a9117da3e02e543beb8a28dc5a130d33234ece205d61ac5684dafacf52

SHA512
18e2028ad58b6160707c43a038cf274dd6afa3177f807e2cbaf8dd2aafbeac417de6e78d863e3dc5954be3718a9ff0ddfc399dddf6d6aa7e5105a1f435785687

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
260KB

MD5
c73b0c3ee36cbd0c5c8fe29a1791a70c

SHA1
a25b7e38d9576c42779e09c777ecb12ff598705f

SHA256
990018f323d46b756e10e87edbcdaee3ae0b3dce9e0d5a8638b9b4994b323d30

SHA512
0812dc0bdc2854c2cc368e87c2ba3c1fa3881ab4bafe8f8528a78a896a2edc72eaa420448b2ea763447d221b826a61430cca7d20cb94272369e2f1a1a772aeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra4zw91.exe

Filesize
57KB

MD5
de7f3ec262f89745164efb2d6b33609e

SHA1
b2c07567026e3f9d5f32be0f152d2270e49e077d

SHA256
afa6ee86166373bafdd134dbac3c1c520f896f033af1650c82d72f39863ab4f9

SHA512
e7f5920b0566c239d83c4f514e6bbfa887d7d7deb8a7f936e8a2da977c6dfd08cf2f4ea36e5c36c886786de7ac205a39fd6eed3ab28799a660e2bb80d7ecb412

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ra4zw91.exe

Filesize
5KB

MD5
4dceafe5168df3f8e2a1dec1d5cef26c

SHA1
1fed98d30b13f2b258095894d3af2ff8d986a652

SHA256
76f9e30df6d514902f9404b292c0cba53782e9617d90ed6f31e2646f8836ad59

SHA512
6e66f7a8d92e9100cce563ef79868ed24b03ec1945ef82cddbd412cd90684e172a2a399b8c0e6f3235448216168ee9ebb07fd364e46c5a7f4ea2b255020dedde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZK3vC44.exe

Filesize
5KB

MD5
90d1da80fe4648edf8d3df220a9aa869

SHA1
21939d39c669240df990754944efe5dcd1b4a39e

SHA256
f80f3800b11480bbda0675d15804f67d1bbe0cfd65aa7771da4d74bb66bb4e6a

SHA512
3ff5eb9c4dcdfd6bc3ed73cf21a85fe4ff6257474eff068ddc2fc67ff728be721fad5326ab83bea1e602212b02fcc0765c5d50b07e5ea1003c54ea00e9084097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ft22xw3.exe

Filesize
1KB

MD5
b9ffb9bd071a071dee71d159f458a84b

SHA1
e0819c0f23e44bb88d156df4012fee715f437478

SHA256
b1ff05b94d3af6d33e1db08b25493c90a23f053e84e79927f3a535d90d79377a

SHA512
2743fe667d88458d3971e713045ab5a5b44a34e6862181b031dad5d9891364381b4c3e0435dfa8d3dca1f121b460cd2f5f4fef38275d718fe1fd91ea0eed10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ft22xw3.exe

Filesize
42KB

MD5
4864a84301e15c971599801e8049b251

SHA1
79e9b3499bf12c2906b81dce6a2b94d1ece84118

SHA256
967dff275617d8c3e6bc855d00570ab9fb0059067e3f7be76141331aa11134bb

SHA512
41bf670827222eeaf815f39096356b3a356184100db863d32bbb221bb014b8765d2d5950001e9e1e6a265285d7e98ef4b08a396b8a2f944b0300842c25f8e6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Ru373mc.exe

Filesize
802KB

MD5
c27ad4078641061c0e777add1c7e912f

SHA1
3bafdef76913c28097ca5854910a3de317df4c8f

SHA256
9f2bd0d3b103a8b4e9a45a0381974efa444e807719f5d9cf3243fa73982e69dd

SHA512
07053240d7ae8abb840a3477e1eecfe43adc131d47fc9d40f12b75c1021fdc1451cc35f5036fa47c9c402b7d132ee01434a02c754ae51a3fe1b26ecb352f88f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSWZd8VCt7X0wy\jqa7PNg6bmUoWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSWZd8VCt7X0wy\po24w5eYM4DDWeb Data

Filesize
92KB

MD5
c6c5ad70d4f8fc27c565aae65886d0bd

SHA1
a408150acc675f7b5060bcd273465637a206603f

SHA256
5fc567b8258c2c7cd4432aa44b93b3a6c62cea31e97565e1d7742d0136a540de

SHA512
e2b895d46a761c6bdae176fb59b7a596e4368595420925de80d1fbb44f635e3cf168130386d9c4bb31c4e4b8085c8ed417371752448a5338376cfe8be979191a

Download Submit
memory/3788-87-0x0000000007430000-0x00000000074A6000-memory.dmp

Filesize
472KB

Download
memory/3788-827-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/3788-698-0x0000000008970000-0x0000000008CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-664-0x0000000000D80000-0x0000000000D9E000-memory.dmp

Filesize
120KB

Download
memory/3788-502-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3788-438-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3788-88-0x0000000007420000-0x0000000007430000-memory.dmp

Filesize
64KB

Download
memory/3788-86-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3788-85-0x0000000000610000-0x00000000006DE000-memory.dmp

Filesize
824KB

Download